Only 14.4% of surveyed organizations had full security or IT approval for their entire agent fleet, according to Gravitee's State of AI Agent Security 2026.

The report found that 82% of executives believed their policies provided adequate protection. It also recorded confirmed incidents at 59% and suspected incidents at 29%, for a combined 88% of respondents reporting one category or the other (VentureBeat).

On average, respondents said 47.1% of their agents were actively monitored or secured. Separately, 24.4% reported full visibility into agent-to-agent communication (full report).

A basic audit can start with five questions.

CheckRed flag
Did security sign off before prod?"Product owned it."
Can you see every tool call at runtime?Logs, sampled, read after the fact.
Do you know which agents can touch PII or payments?"We'd have to check."
Who kills an agent's credentials at 2am?Silence.
Does policy enforcement run inline, or in a slide deck?Deck.

These checks are operational prompts. The survey did not establish that a particular number of red flags predicts an incident.

The findings point to a gap between policy confidence and runtime monitoring. Gravitee surveyed 919 executives and practitioners, and the incident figures rely on respondents' own reports.


The Signal is the public edge of a private practice. Sherpa points the same intelligence engine at one owner's business — competitors, suppliers, regulators, watched daily, graded and sourced. Work with a Sherpa →