Roughly 80% of enterprises have deployed internal AI agents while two-thirds lack governance policies for those agents.

48% of organizations cite non-human identities (AI agents, APIs) as a top concern

It takes nearly a week to contain and remediate a compromised AI agent.

Organizations spent more than $1 million on average in the past year responding to AI agent identity and security issues.

Only 7% of organizations believe their controls would prevent a compromised agent from operating.

93% of organizations already use or plan to use AI agents for sensitive security tasks such as password resets and VPN access.

67% of organizations using AI agents suspect those agents have already accessed data beyond their intended scope.

58% of cybersecurity leaders report that AI agents are already taking actions within organizational workflows.

91% believe they can rapidly contain compromised AI agents.

90% of respondents agree that AI agents should operate under least privilege principles, with bounded access and tighter controls.

On average, 40% of AI agents and 40% of machine identities already have access to organizational data.

99% of respondents say their organization already uses AI agents.

Fewer than half of organizations report full visibility into where AI agent credentials are stored.

It takes an average of 14 hours to detect a compromised AI agent.

61% of organizations have revoked or rotated AI agent credentials due to suspected exposure.

Over the next 12 months, organizations expect AI agents to increase by 85% and machine identities to increase by 77%, compared to the 56% growth in human identities.

Nearly half of IT and security leaders expect agentic systems to drive the majority of attacks in the coming year.

55.0% of consumers are not comfortable with AI agents making purchases on their behalf

8% of enterprises say AI agents never exceed their intended permissions.

34% of enterprises report ownership visibility for just 26–50% of their AI agents.