At Meta, an employee asked an AI assistant to help manage her inbox. It deleted it instead. At Amazon, an internal agent autonomously decided to tear down and rebuild a deployment environment, knocking an AWS service offline for 13 hours.

These weren’t attacks. They were agents doing what they were told — badly.

“Agents are like teenagers,” says Joe Sullivan, former chief security officer of Uber, Cloudflare, and Facebook. “They have all the access and none of the judgment.”

The Numbers Are Stark

The Gravitee State of AI Agent Security 2026 report paints a picture that should alarm every CISO:

  • 88% of organizations reported a confirmed or suspected AI agent security incident in the last year
  • 82% of executives believe their existing policies protect against unauthorized agent actions
  • Only 21% have actual visibility into what their agents can access, which tools they call, or what data they touch
  • 47.1% of deployed agents are actively monitored — meaning more than half operate without security oversight
  • 25.5% of deployed agents can create and task other agents, compounding the attack surface
  • Only 14.4% of agents went live with full security and IT approval

That last number bears repeating. Fewer than one in seven AI agents deployed in enterprises got security sign-off before going into production.

Why Prevention Alone Doesn’t Work

For years, AI security focused on prevention: scanning models, filtering prompts, reviewing code before deployment. Those controls matter. But they assume the dangerous moment is before the agent goes live.

Security leaders increasingly argue the real risk begins after deployment.

“In security, we always assume prevention will fail,” Sullivan told CSO Online. “That’s why detection and monitoring are equally important.”

The problem is structural. Traditional security tools were built to intercept human behavior at network perimeter checkpoints. Agents bypass those checkpoints entirely, operating through API calls and MCP connections that never pass through conventional security tooling.

They also generate dramatically more activity. Where a typical employee produces 50 to 100 log events in a two-hour period, an agent can generate 10 to 20 times that volume. And critically — many agent platforms produce no logs at all.

“Having the logs in the first place is often a bigger step than people realize,” says Hanah-Marie Darley, co-founder of Geordie AI. “Not every agent natively has logs.” Some coding agents can even overwrite their own session logs when replayed, meaning the evidence of what happened disappears.

The Shadow Agent Inventory Problem

Before you can monitor agents, you need to know they exist.

This sounds trivial. It isn’t. Marketing teams deploy AI assistants. HR uses agents for resume screening. Engineers run coding agents with filesystem access. Non-technical staff connect scheduling assistants and email managers to corporate accounts — often without IT approval.

“CISOs right now are getting the hard question from their board and their CEO,” Sullivan says. “What AI is being run inside the company right now? You’ve got to answer that question.”

The Gravitee data puts numbers on it: enterprises contain approximately 1,200 unofficial AI applications on average. Shadow AI breaches cost $670,000 more than standard security incidents. And only 21.9% of organizations treat AI agents as independent, identity-bearing entities; the rest share credentials across agents, the equivalent of giving every employee the same password.

This is why products like AvePoint AgentPulse (shadow agent discovery), Okta for AI Agents (agent identity with kill switch), and Singulr Agent Pulse (runtime governance) are shipping in rapid succession. The market is responding to an emergency, not anticipating a theoretical risk.

What Runtime Security Actually Looks Like

CrowdStrike’s CTO Elia Zaitsev argues that existing endpoint detection and response (EDR) tools already capture the behavior needed to track agents. EDR instruments operating systems like a flight data recorder — every application that runs, every file it touches, every network connection, every command it spawns.

The key insight: EDR can build a threat graph that traces suspicious activity back through multiple degrees of separation to the agent that initiated it. A firewall just tells you something is communicating with a cloud model. EDR tells you which specific agent application is making which specific call.

This creates a new control: applying different policies to the same application depending on whether a human or an agent is driving it.

“There are activities that may be benign if a human is responsible,” Zaitsev says, “but if it’s an AI agent I don’t necessarily trust, I may want to apply different policies on the fly.”
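The lineage idea above, worked through as an added example (not CrowdStrike's code or anything from the article): a constructed process snapshot is walked parent-by-parent until an agent binary is found, and the same action gets a different verdict depending on whether a human or an agent is upstream. Process names, the agent-binary list and the action names are assumptions.

```python
from dataclasses import dataclass

AGENT_BINARIES = {"coding-agent", "inbox-agent"}  # assumed agent process names

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str

def build_tree(procs):
    """Index processes by pid so ancestry can be walked like an EDR threat graph."""
    return {p.pid: p for p in procs}

def originating_agent(tree, pid, max_depth=32):
    """Walk parent links from pid. Return (agent_name, degrees of separation)
    if an agent process sits anywhere in the lineage, else (None, depth walked)."""
    depth, seen = 0, set()
    while pid in tree and pid not in seen and depth < max_depth:
        seen.add(pid)                       # guard against ppid cycles
        proc = tree[pid]
        if proc.name in AGENT_BINARIES:
            return proc.name, depth
        pid, depth = proc.ppid, depth + 1
    return None, depth

DESTRUCTIVE = {"delete_mailbox", "teardown_env"}  # benign only when a human drives

def policy_for(action, tree, pid):
    """Same application, different policy depending on who is driving it."""
    agent, depth = originating_agent(tree, pid)
    if agent is None:
        return "allow"                      # human-driven: treat as benign
    if action in DESTRUCTIVE:
        return f"block:{agent}@{depth}"     # untrusted agent upstream: block
    return f"log:{agent}@{depth}"           # otherwise record the attribution

# Constructed snapshot: an interactive shell started a coding agent, which
# spawned a sub-shell running a mail CLI; outlook is a human-launched peer.
PROCS = [Proc(1, 0, "init"), Proc(100, 1, "bash"), Proc(200, 100, "coding-agent"),
         Proc(300, 200, "sh"), Proc(400, 300, "mail-cli"), Proc(500, 1, "outlook")]
TREE = build_tree(PROCS)
```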

Build-Time Isn’t Dead

Runtime monitoring doesn’t replace build-time security. Varun Badhwar, CEO of Endor Labs, puts it bluntly: “The average cost of a runtime security finding is $4,000, versus $40 at build time.”

His framework: shift left, shield right. Catch as many problems as possible during development. Then maintain runtime monitoring as the last-mile safety net — because zero-day vulnerabilities and emergent agent behavior can’t be anticipated at build time.

The car manufacturing analogy works: quality controls on the assembly line are always cheaper than recalling 70,000 cars from the street.

What CISOs Should Do Now

The experts converge on a practical starting path:

1. Build an inventory. Pick one system — a SaaS platform, code repositories, your endpoint fleet — and map the agents operating within it. Identify owners, permissions, and protocols. Without visibility, nothing else is possible.

2. Extend behavioral monitoring to agents. Whether through EDR, dedicated agent security tooling, or both, establish what “normal” looks like for each agent. What systems should it touch? What data should it access? How many actions per hour is reasonable?

3. Treat agents as identity-bearing entities. Give every agent its own identity with scoped permissions. NIST’s agent standards work and OWASP’s Agentic Top 10 both point in this direction.

4. Require immutable audit trails. Every trigger, input, decision, and action — logged in write-protected stores separate from native agent logging. If the agent can overwrite its own logs, you don’t have an audit trail.

5. Implement kill switches. Okta’s Universal Logout for agents is the clearest example: instant revocation across all enterprise systems if an agent deviates from its mission.
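Steps 2 through 5 combined in one added example (constructed here, not from the article or any vendor named in it): each agent has its own identity with a scoped system list and an hourly action budget, every trigger and decision is appended to a hash-chained trail kept outside the agent, and any out-of-scope, over-budget or unidentified agent is marked for revocation. Agent names, scopes, thresholds and the event batch are assumptions.

```python
import hashlib, json
from collections import defaultdict

# Step 3: every agent gets its own identity with scoped permissions (assumed values).
SCOPES = {
    "hr-screener": {"systems": {"ats"}, "max_per_hour": 200},
    "inbox-agent": {"systems": {"mail"}, "max_per_hour": 50},
}

class AuditTrail:
    """Step 4: append-only trail outside the agent; each entry hashes the previous."""
    def __init__(self):
        self.entries, self.last_hash = [], "0" * 64
    def append(self, event):
        body = json.dumps(event, sort_keys=True)
        h = hashlib.sha256((self.last_hash + body).encode()).hexdigest()
        self.entries.append({"prev": self.last_hash, "body": body, "hash": h})
        self.last_hash = h
    def verify(self):
        """False if any entry was overwritten or dropped after it was written."""
        prev = "0" * 64
        for e in self.entries:
            expect = hashlib.sha256((prev + e["body"]).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != expect:
                return False
            prev = e["hash"]
        return True

def evaluate(events, trail):
    """Steps 2 and 5: judge one hour's batch against scope and rate; return agents to revoke."""
    counts, revoke = defaultdict(int), set()
    for ev in events:
        trail.append(ev)                       # log the trigger before judging it
        counts[ev["agent"]] += 1
        scope = SCOPES.get(ev["agent"])
        if scope is None:
            reason = "no registered identity"
        elif ev["system"] not in scope["systems"]:
            reason = "out-of-scope system " + ev["system"]
        elif counts[ev["agent"]] > scope["max_per_hour"]:
            reason = "actions per hour above baseline"
        else:
            continue
        trail.append({"agent": ev["agent"], "decision": "revoke", "reason": reason})
        revoke.add(ev["agent"])                # kill switch: revoke across systems
    return revoke

# Constructed one-hour window: one scope violation and one agent with no identity.
EVENTS = [{"agent": "hr-screener", "system": "ats", "action": "read_resume"}] * 3 + [
    {"agent": "inbox-agent", "system": "mail", "action": "archive"},
    {"agent": "inbox-agent", "system": "files", "action": "delete"},
    {"agent": "shadow-bot", "system": "crm", "action": "export"},
]
```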

The Pattern Is Clear

Every layer of the agent security stack is being built right now, in real time:

Layer                      | Product                        | Status
Supply chain               | Chainguard Agent Skills        | Launched Mar 17
Runtime sandbox            | Nvidia OpenShell               | GTC 2026
Runtime governance         | Singulr Agent Pulse            | GA
Shadow agent discovery     | AvePoint AgentPulse            | GA Mar 9
Agent identity             | Okta for AI Agents             | Apr 30
Agent identity governance  | SailPoint × AWS                | Available
Risk taxonomy              | OWASP Agentic Top 10           | Published
Standards                  | NIST Agent Security            | In progress
EDR integration            | CrowdStrike + Nvidia OpenShell | Partnership announced

A year ago, none of these existed. Today, agent security is a full-stack market category being assembled in real time.

For OpenClaw users running personal agents, the immediate risk is lower — you control the environment, the permissions, and the data. But the enterprise conversation matters because it determines whether OpenClaw becomes trusted infrastructure or stays a hobbyist tool. The security stack being built right now is what makes the Jensen Huang “every company needs an OpenClaw strategy” vision actually possible.