Shadow AI governance has focused on employees pasting data into chatbots. That threat is real and well-documented. But a different category of shadow AI is now producing security incidents at a far higher rate: autonomous AI agents that call tools, modify databases, create sub-agents, and take actions across enterprise systems without security team oversight. Eighty-eight per cent of organisations surveyed by Gravitee in December 2025 reported confirmed or suspected AI agent security incidents in the preceding twelve months. Only 14.4 per cent of those agents went live with full security and IT approval.

Agents Are Not Chatbots. The Risk Profile Is Different.

A chatbot processes a prompt and returns text. An agent plans a sequence of steps, calls external tools, reads and writes data, persists memory across sessions, and can spawn other agents to handle sub-tasks. The distinction matters for security because the attack surface is categorically wider. A chatbot leaks data if an employee pastes something sensitive. An agent can leak data, modify records, execute code, trigger financial transactions, and propagate errors across connected systems, all without a human in the loop.

Gartner projects that 40 per cent of enterprise applications will embed task-specific AI agents by the end of 2026, up from less than 5 per cent in 2025 (Gartner, August 2025). Zapier’s survey of 525 US enterprise leaders, conducted in October 2025, found 72 per cent of enterprises are now using or testing AI agents. Eighty-four per cent said they would likely or certainly increase agent investments in the next twelve months (Zapier, December 2025). A PwC survey of 1,000 US business leaders found 79 per cent of organisations report some level of AI agent adoption (PwC, 2025).

Adoption is outpacing governance by a wide margin, and that gap between deployment speed and security readiness is where incidents concentrate.

Eighty-Eight Per Cent Have Already Had Agent Incidents

Gravitee’s State of AI Agent Security 2026 report surveyed 919 participants across strategic leadership and technical roles, spanning telecommunications (23.6 per cent), financial services (20.8 per cent), manufacturing (17.7 per cent), healthcare (17.4 per cent), and transport and logistics (16.3 per cent). A separate survey of 750 CTOs and tech VPs (500 US, 250 UK), conducted by research firm Opinion Matters in December 2025, provided the executive-level data. The report was published on 4 February 2026.

The headline finding: 88 per cent of organisations reported confirmed or suspected AI agent security incidents in the last twelve months. In healthcare, that figure climbs to 92.7 per cent (Gravitee, 2026). Documented incidents include agents gaining unauthorised write access to databases, attempting to exfiltrate sensitive information, acting on outdated or incomplete information, and deleting databases without permission.

Most technical teams (80.9 per cent) have moved past planning into active testing or production, but only 14.4 per cent of agents went live with full security and IT approval (Gravitee, 2026). The remaining 85.6 per cent were deployed with partial approval, with no approval, or with approval from teams that did not include security.

Nearly half of all deployed agents, 47 per cent, are not actively monitored or secured. In the US and UK alone, Gravitee estimates 3 million AI agents are now operating within enterprises, which puts about 1.4 million agents at risk of operating without oversight. Gravitee CEO Rory Blundell described it as “a workforce larger than the entire global employee count of Walmart” operating “ungoverned and unchecked” (Gravitee/EINPresswire, February 2026).

This is vendor-commissioned research and should be treated as directional rather than definitive. The survey covers AI-aware enterprises, not a random population sample. But the methodology is disclosed (Opinion Matters, n=750 for the executive survey, n=919 for the technical survey), the industries represented are high-stakes, and the findings align with independent findings from Netskope, OWASP, and Dark Reading.

The Identity Crisis at the Core of Agent Security

The structural problem is identity. Most organisations still treat agents as extensions of human users or as generic service accounts rather than as independent entities that need their own identity, permissions, and audit trail. Only 21.9 per cent of teams treat AI agents as independent, identity-bearing entities; 45.6 per cent rely on shared API keys for agent-to-agent authentication; and 27.2 per cent have fallen back on custom, hardcoded logic to manage authorisation (Gravitee, 2026). A shared key means every agent that holds it is indistinguishable in the logs and cannot be revoked individually, which is exactly the property an incident responder needs when one agent misbehaves.

CyberArk’s 2025 Identity Security Landscape report, surveying 2,600 security decision-makers, found the average enterprise now faces an 82-to-1 machine-to-human identity ratio. Every one of those machine identities, including agents, tools, datasets, APIs, and orchestration pipelines, represents a potential point of compromise. Autonomous decision-making expands the surface area dramatically (CyberArk, April 2025; also cited by Palo Alto Networks, December 2025).

A practitioner quoted in the Gravitee report illustrates the reality at ground level: “Honestly, general LLM security is still a concern on an enterprise level so we have all been using our own personal accounts with the agents. Therefore, we haven’t yet given much focus to agent security since we are still finalizing our building and workflows.”

Executive confidence makes the gap worse. Eighty-two per cent of executive respondents feel confident that their policies can protect against agent misuse, but that confidence rests on high-level policy documentation rather than real-time enforcement at the API or identity layer. Among those same executives, 69.2 per cent believe existing regulations are already sufficient for autonomous agents. Technical teams are more sceptical (Gravitee, 2026).

OWASP Created a Separate Top 10 for Agents. That Is the Signal.

In December 2025, OWASP published the Top 10 for Agentic Applications 2026, a dedicated framework separate from the existing Top 10 for LLM Applications. The decision to create a standalone list, developed through collaboration with more than 100 industry experts, signals that the security community considers agentic AI a distinct threat category requiring its own governance model (OWASP GenAI Security Project, December 2025).

The top risk, ASI01 Agent Goal Hijacking, occurs when attackers manipulate an agent’s objectives through poisoned inputs such as emails, PDFs, meeting invites, or documents in a retrieval pipeline. Because the underlying model cannot reliably distinguish instructions from data in its context, a single malicious document can redirect an agent to perform harmful actions using its legitimate tools and access. The practical consequence is that the defence cannot live only in the prompt: it has to sit at the tool and credential layer, where what a hijacked agent can actually do is bounded regardless of what it has been persuaded to attempt. The second risk, ASI02 Tool Misuse, covers agents using legitimate tools in unsafe ways because of ambiguous prompts, misalignment, or manipulated input.

OWASP introduces the principle of least agency: AI agents should be given the minimum autonomy, tool access, and credential scope required to perform their intended task, and no more. It is the agentic equivalent of the principle of least privilege and serves as the foundational defence principle of the framework (OWASP, 2025).

A Dark Reading readership poll found 48 per cent of cybersecurity professionals identify agentic AI as the number-one attack vector heading into 2026, outranking deepfakes, ransomware, and supply chain compromise (Dark Reading, 2025).

Shadow Agents Are Being Built Without IT Knowledge

Netskope’s Cloud and Threat Report on Shadow AI and Agentic AI, published in August 2025, found that 5.5 per cent of organisations already have users running agents created using popular AI agent frameworks on-premises. LangChain is the most popular by a large margin, with OpenAI’s Agent Framework rapidly gaining ground (Netskope, August 2025). These frameworks are free, require modest technical skill, and can be deployed by any developer or technically literate employee.

Netskope described the risk directly: agentic shadow AI is like “a person coming into your office every day, handling data, taking actions on systems, and all while not being background-checked or having security monitoring in place.” GenAI platforms, the foundational infrastructure enabling custom agents, saw a 50 per cent user increase in the three months ended May 2025. Network traffic tied to GenAI platform usage increased 73 per cent over the prior three-month period. Forty-one per cent of organisations were using at least one GenAI platform (Netskope, August 2025).

Netskope’s 2026 Cloud and Threat Report extended the analysis to Model Context Protocol (MCP), which is rapidly becoming the preferred method for connecting AI agents to enterprise resources. MCP-enabled agents “may connect to external services or tools, sensitive information could be inadvertently exposed, and malicious actors could exploit these capabilities.” The report warned that organisations should treat AI browsers and MCP-integrated systems as “emerging areas of concern” and implement governance, monitoring, and usage policies accordingly (Netskope, January 2026).

A quarter of deployed agents (25.5 per cent) can create and task other agents (Gravitee, 2026). This is the feature that turns a single ungoverned agent from a contained risk into a systemic one. If an agent with excessive permissions can spawn sub-agents that inherit those permissions, the blast radius of a single misconfiguration or compromise grows with every generation of sub-agents. The average organisation manages 37 agents (Gravitee, 2026). With no centralised inventory, no identity-per-agent model, and shared API keys as the dominant authentication pattern, most organisations cannot answer a basic question: how many agents are running in our environment right now, and what can each of them access?

What Boards and Security Teams Should Do

Conduct an agent inventory. Identify every AI agent running in the organisation, whether sanctioned or shadow-deployed. Include agents built on LangChain, OpenAI Agent Framework, and similar tools, agents embedded in SaaS platforms, and agents operating through MCP connections. If the organisation cannot produce this inventory, it does not have visibility over its agentic risk surface.

Assign each agent an independent identity. Agents should be treated as non-human identities with their own credentials, permission scopes, and audit trails. Shared API keys and personal accounts used for agent authentication must be replaced with scoped, rotatable credentials issued per agent. Agents that can create sub-agents need cascading permission controls: a sub-agent should never hold a scope wider than the agent that spawned it, and stopping a parent should stop its children.

Apply the principle of least agency. OWASP’s foundational recommendation: every agent should have the minimum autonomy, tool access, and credential scope required for its task. Read-only access by default. Write access granted per task and revoked after completion. Code execution sandboxed. Network access restricted to required endpoints.

Implement kill switches and behavioural monitoring. Every production agent needs an immediate shutdown mechanism. Behavioural monitoring should flag agents that deviate from expected action patterns, access data outside their scope, or attempt to escalate privileges. Immutable audit trails of all agent actions are non-negotiable for incident investigation and regulatory evidence.

Set a governance policy before the regulators do. No jurisdiction has specific regulation for AI agents as a category. The EU AI Act’s high-risk provisions will cover many agent-like systems from August 2026 onward. The UK’s ICO has committed to examining agentic AI governance through a Tech Futures report in 2026. The FCA’s long-term AI review is considering agentic AI’s implications for financial services. Organisations that establish agent governance now will be ahead of regulatory requirements rather than scrambling to catch up.
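The inventory, identity, least-agency and kill-switch steps above, together with the goal-hijack case from the OWASP section, fit in one small policy layer. The following is an added example written for this page; it is not code from Gravitee, OWASP, Netskope or any agent framework. It assumes a hypothetical tool catalogue in which `crm.update_record`, `db.drop_table` and `mail.send` are write tools, an assumed denial threshold of three before the kill switch trips, and a random token standing in for a real per-agent workload credential; the scenario in `run_demo` is constructed.

```python
import secrets
from contextlib import contextmanager
from dataclasses import dataclass, field

WRITE_TOOLS = {"crm.update_record", "db.drop_table", "mail.send"}  # assumed; others are read-only
DENIALS_BEFORE_AUTO_KILL = 3   # assumed threshold for the behavioural monitor

@dataclass
class Agent:
    agent_id: str
    owner: str                   # accountable human or team, not a shared key
    scope: frozenset             # tools this agent may ever be authorised to call
    parent: "str | None" = None  # set for sub-agents
    # Per-agent rotatable credential; stands in for a real workload identity.
    credential: str = field(default_factory=lambda: secrets.token_urlsafe(24))

class AgentRegistry:
    def __init__(self):
        self.agents, self.write_grants, self.denials = {}, {}, {}
        self.killed, self.audit = set(), []   # audit: append-only action log

    def register(self, owner, scope, parent=None):
        scope = frozenset(scope)
        # Cascading control: a sub-agent's scope must be a subset of its parent's.
        excess = scope - self.agents[parent].scope if parent else set()
        if excess:
            raise PermissionError(f"sub-agent scope exceeds parent: {sorted(excess)}")
        agent = Agent(f"agent-{len(self.agents) + 1:04d}", owner, scope, parent)
        self.agents[agent.agent_id], self.write_grants[agent.agent_id] = agent, set()
        self._record(agent.agent_id, "register", {"owner": owner, "scope": sorted(scope), "parent": parent}, "ok")
        return agent

    @contextmanager
    def task_write_grant(self, agent_id, tool, task_id):
        # Write access is scoped to one task: granted on entry, always revoked on exit.
        if tool not in self.agents[agent_id].scope:
            raise PermissionError(f"{tool} not in scope for {agent_id}")
        self.write_grants[agent_id].add(tool)
        self._record(agent_id, "grant_write", {"tool": tool, "task": task_id}, "ok")
        try:
            yield
        finally:
            self.write_grants[agent_id].discard(tool)
            self._record(agent_id, "revoke_write", {"tool": tool, "task": task_id}, "ok")

    def kill(self, agent_id, reason):
        # Kill switch: stops the agent, then every sub-agent it spawned.
        self.killed.add(agent_id)
        self._record(agent_id, "kill", {"reason": reason}, "ok")
        for aid, a in self.agents.items():
            if a.parent == agent_id and aid not in self.killed:
                self.kill(aid, f"parent {agent_id} killed")

    def authorize(self, agent_id, credential, tool, args):
        # Policy gate for every tool call. It never sees the prompt: every agent gets the same checks.
        agent = self.agents.get(agent_id)
        if agent is None or not secrets.compare_digest(credential, agent.credential):
            return self._deny(agent_id, tool, args, "unknown agent or bad credential")
        if agent_id in self.killed:
            return self._deny(agent_id, tool, args, "agent killed")
        if tool not in agent.scope:
            return self._deny(agent_id, tool, args, "tool outside agent scope")
        if tool in WRITE_TOOLS and tool not in self.write_grants[agent_id]:
            return self._deny(agent_id, tool, args, "write tool without active task grant")
        self._record(agent_id, tool, args, "allow")
        return True, "allow"

    def _deny(self, agent_id, tool, args, reason):
        self._record(agent_id, tool, args, "deny: " + reason)
        # Behavioural monitor: repeated denials look like a hijacked agent, so trip the kill switch.
        self.denials[agent_id] = self.denials.get(agent_id, 0) + 1
        if self.denials[agent_id] >= DENIALS_BEFORE_AUTO_KILL and agent_id not in self.killed:
            self.kill(agent_id, "denial threshold exceeded")
        return False, reason

    def _record(self, agent_id, action, detail, outcome):
        self.audit.append({"agent": agent_id, "action": action, "detail": detail, "outcome": outcome})

def run_demo():
    reg = AgentRegistry()
    parent = reg.register("support-team", ["crm.search", "crm.update_record"])
    child = reg.register("support-team", ["crm.search"], parent=parent.agent_id)
    a, c, r = parent.agent_id, parent.credential, {}
    try:   # a spawn that asks for more than its parent holds is refused
        reg.register("support-team", ["crm.search", "db.drop_table"], parent=parent.agent_id)
    except PermissionError as e:
        r["spawn_refused"] = str(e)
    r["read"] = reg.authorize(a, c, "crm.search", {"q": "acme"})[0]
    r["write_no_grant"] = reg.authorize(a, c, "crm.update_record", {"id": 7})[0]
    with reg.task_write_grant(a, "crm.update_record", task_id="T-1"):
        r["write_in_task"] = reg.authorize(a, c, "crm.update_record", {"id": 7})[0]
    r["write_after_task"] = reg.authorize(a, c, "crm.update_record", {"id": 7})[0]
    # Constructed goal hijack: a poisoned document talked the model into exfiltrating the
    # customer list and dropping a table. Both are denied; the third denial overall kills the agent.
    hijacked = [("mail.send", {"to": "outside@example.net", "body": "<customer list>"}),
                ("db.drop_table", {"table": "customers"})]
    r["hijack_allowed"] = any(reg.authorize(a, c, t, args)[0] for t, args in hijacked)
    r["parent_killed"], r["child_killed"] = a in reg.killed, child.agent_id in reg.killed
    return r
```

Every tool call, whatever the model decided, passes through `authorize`, which is why the hijack attempts fail: the gate checks identity, scope and an active task grant without ever seeing the poisoned document, and the sub-agent dies with its parent because the kill cascades through the `parent` links. In a real deployment the audit list would be shipped to append-only storage and the credential would be a short-lived token issued by the identity provider rather than a random string, but the shape of the controls is the same.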

The shadow AI conversation must expand beyond chatbots. Employees pasting data into ChatGPT is a known, measurable, addressable risk. Autonomous agents operating across enterprise systems with shared credentials, no monitoring, and the ability to spawn sub-agents is a structural risk that most organisations have not yet begun to govern. The incident data says 88 per cent are already experiencing the consequences.
