Managing AI Agents Is Not Just a Visibility Issue
Even as AI agents proliferate, organizations show a disconnect between their perceived level of visibility into those agents and their actual ability to see them.
It comes as no surprise that AI agents in the enterprise are already operating at scale. Yet, disturbingly, most organizations (82%) have found previously unknown agents over the last year, even as many (68%) claim high confidence that they have visibility into AI agents on their networks, according to a pair of studies from the Cloud Security Alliance (CSA).
Nearly 43% of those surveyed for the recent report Enterprise AI Security Starts with AI Agents say that more than half of their employees use AI agents regularly. Still, almost all organizations don’t centralize adoption; just 5% do.
Early in adoption, enterprises start to struggle with unsanctioned AI agents; a little more than half (54%) report 1–100 unsanctioned AI agents, mostly regardless of the overall agent count. Scope violations are the rule rather than the exception, with 53% saying AI agents exceed intended permissions either occasionally or sometimes. Not surprisingly, nearly half (47%) have seen an AI agent-involved security incident.
Governance of AI agents is largely determined by existing regulatory frameworks, but just 13% express any kind of optimism that they are highly ready for the upcoming regulations for AI.
“Like many security programs, AI Agent risk requires layered controls and architectural discipline,” says Randolph Barr, CISO at Cequence Security. “Frameworks such as the NIST AI Risk Management Framework and the OWASP Top 10 for Agentic Applications provide strong starting points for thinking through AI-specific exposure.”
As organizations “increasingly embed AI tools and agentic systems into their workflows, they must develop governance structures that can keep pace with the complexity and continued innovation of these technologies,” says Nicole Carignan, senior vice president, security and AI strategy, and field CISO at Darktrace.
Noting there is no one-size-fits-all approach, Carignan says, “Each organization must tailor its AI policies based on its unique risk profile, use cases, and regulatory requirements,” adding that “executive leadership for AI governance is essential, whether the organization is building AI internally or adopting external solutions.”
Another CSA report found that agent-related incidents are commonplace; just about two-thirds reported at least one during the prior year, with business impacts including data exposure (61%) and operational disruption (43%).
But organizations are trying to get a grip by boosting front-end lifecycle practices. Even though just a smallish number have a formal decommissioning process and are confident that they decommission agents (about one-fifth each), 59% are clearly documenting the purposes of agents and even more (68%) are reviewing permissions.
“Moving forward, AI will be embedded in all aspects of our businesses, and every security professional needs a working understanding of AI and agent risk,” says Diana Kelley, CISO at Noma Security. “That includes how models are trained, where data exposure can happen, how outputs can be manipulated, agentic blast radius, and how AI integrates into business workflows.”
In the real world, she says, “those risks show up inside existing domains like productivity tools, data loss prevention, access control, application security, cloud security, and risk management. So it makes sense that the certification pathways reflect that.”
The primary signals for governing agent behavior are action risk (for 63%) and human authorization (53%). Just about four in five say that context-aware controls are at least important, while two-thirds say the same about guardrails that define agent boundaries.
“The CSA findings shouldn’t surprise anyone who has been watching enterprise AI adoption closely, but they should alarm every CISO. Eighty-two percent of organizations discovered agents they didn’t know existed,” says Roey Eliyahu, CEO and Co-founder at Salt Security.
“That is not a visibility problem. That is a governance crisis,” he says. Eliyahu points out that Salt’s own research “backs this up: 92% of the CISOs we surveyed noted that they lacked the advanced security maturity required to defend against AI environments.”
He believes the 20% decommissioning stat “should keep experts up at night,” noting that “Zombie agents exist; they have outlived their purpose but still hold credentials and permissions,” which is not an inactive risk but rather “a persistent, unmonitored entry point sitting inside your most sensitive systems. You cannot govern what you cannot see, and you cannot secure what you never decommissioned.”
Defenders are painfully aware that AI agents can be pressed into action on behalf of bad actors. “Agentic AI is being used by threat actors as an autonomous partner that can independently plan multi-step operations, manage the drudge work of infrastructure provisioning, and dynamically adapt its tactics in real-time when it encounters defensive blocks; Anthropic documented 90% automation in GTG-1002,” says Ram Varadarajan, CEO at Acalvio.
“Agentic AI is being used for machine-speed swarm attacks. Legacy defenses are built for human attackers, and are now unable to fight back in either speed or scale against the agentic attacker,” he says.
Kelley stresses that “AI can’t operate sustainably without strong security safeguards,” with that reality raising the stakes on cybersecurity work and changing the shape of the job.
Traditionally, she notes, “security teams focused on the protection of systems and data. Now we are helping to govern AI systems and agents that make recommendations and decisions, and in some cases take action on behalf of the business, while enabling the business to adopt AI quickly and safely.”
Pointing to his company’s State of AI in SOC Report, Prophet Security CEO Kamal Shah says, “security leaders anticipate AI will handle approximately 60% of SOC workloads within the next three years.”
As AI “enables them to move faster through noise, automate repetitive and tedious work, and spend more time on the parts that require human judgment,” it also “speeds up the work, teams chain skills, and incentives push toward scale,” says Shah.
Security teams, therefore, “should shorten time to answer with outcomes that clearly state scope, impact, affected assets, and next actions, backed by evidence the business can trust,” he says.

