Only 14.4% of surveyed organizations had full security or IT approval for their entire agent fleet, according to Gravitee's State of AI Agent Security 2026.
The report found that 82% of executives believed their policies provided adequate protection. It also recorded confirmed incidents at 59% and suspected incidents at 29%, for a combined 88% of respondents reporting one category or the other (VentureBeat).
On average, respondents said 47.1% of their agents were actively monitored or secured. Separately, 24.4% reported full visibility into agent-to-agent communication (full report).
A basic audit can start with five questions.
| Check | Red flag |
|---|---|
| Did security sign off before prod? | "Product owned it." |
| Can you see every tool call at runtime? | Logs, sampled, read after the fact. |
| Do you know which agents can touch PII or payments? | "We'd have to check." |
| Who kills an agent's credentials at 2am? | Silence. |
| Does policy enforcement run inline, or in a slide deck? | Deck. |
These checks are operational prompts. The survey did not establish that a particular number of red flags predicts an incident.
The findings point to a gap between policy confidence and runtime monitoring. Gravitee surveyed 919 executives and practitioners, and the incident figures rely on respondents' own reports.
The Signal is the public edge of a private practice. Sherpa points the same intelligence engine at one owner's business — competitors, suppliers, regulators, watched daily, graded and sourced. Work with a Sherpa →
