Half of Enterprises Have Already Suffered an AI Agent Security Incident — and Most Still Let Agents Share Credentials

Reading Time: 5 minutes

A June 2026 VentureBeat survey of 107 enterprises finds that 54% have already experienced a confirmed AI agent security incident or near-miss, while only 32% give every agent its own scoped identity and just 30% isolate high-risk agents in sandboxes. Despite these structural weaknesses, satisfaction with mostly borrowed, provider-native security controls averages 4.2 out of 5 — a false comfort the researchers warn is already driving real harm.

The Autonomy Enterprises Are Granting Their Agents Isn’t Matched by the Controls Meant to Contain Them

A striking new wave of research from VentureBeat should land on every enterprise security team’s desk this week. According to a June 2026 survey of 107 enterprises — published at venturebeat.com — more than half of organizations running AI agents in production have already experienced a confirmed security incident or a near-miss caught before causing real harm. Yet most of those same organizations let their agents share credentials, and fewer than one in three isolate their highest-risk agents in sandboxes. The researchers call this structural mismatch the agent security gap: autonomous agents proliferating faster than the identity, isolation, and enforcement controls needed to hold them in check.

The findings paint a picture that is both urgent and paradoxical. Enterprises are comfortable — satisfaction with their current agent security tooling averages 4.2 out of 5 — even as incidents accumulate and foundational controls remain absent. That comfort, the research suggests, may be false.

Finding 1: The Incidents Are Already Here

The headline number is unambiguous: 54% of surveyed enterprises have already had an agent security event. Of those, 18% report a confirmed incident and 36% report a near-miss caught before it caused harm. Only 42% say they have experienced nothing at all, with a small remainder either not running agents in production or not tracking such events.

The near-miss figure deserves particular attention. A near-miss means controls worked — but only barely. The gap between a near-miss and a confirmed breach is often a matter of timing, luck, or which specific agent happened to be over-permissioned on a given day. The research makes clear that the controls examined — identity, isolation, and enforcement — are what determine whether the next near-miss stays a near-miss or becomes a headline.

Exposure also scales with company size in a troubling way. The incident-or-near-miss rate rises from 49% among mid-market companies (101–1,000 employees) to 63% at larger enterprises (above 1,000 employees). At the same time, sandbox isolation of high-risk agents falls from 35% to 20% as organizations grow, and satisfaction with security tooling drops from 4.36 to 3.97. The organizations running the most agents across the most systems carry the most incidents — and deploy the least of the one control that limits an incident’s blast radius.

Finding 2: Credential Sharing Is the Structural Weakness

Beneath the incident numbers lies an identity problem. Only 32% of enterprises give every agent its own scoped, managed identity — the precondition for least-privilege access and clean post-incident attribution. Nearly half (48%) say some agents have scoped identities but many still share credentials, while another 32% say agents mostly run on shared API keys or borrowed human and service-account credentials. Because respondents could describe more than one pattern across their fleet, these numbers overlap, but the combined picture is clear: 69% of enterprises — 74 out of 107 — have credential sharing somewhere in their agent infrastructure.

The consequences are direct and serious. When agents share credentials, an over-permissioned or compromised agent can act with far greater reach than intended. Forensics after an incident cannot cleanly tell which agent did what. The ‘blast radius’ of any single failure expands dramatically.

The correlation with incidents is striking. Organizations with credential sharing anywhere in the fleet experienced an incident or near-miss in the past twelve months at a rate of 63.5% (47 of 74). Organizations where every agent carries its own scoped identity experienced the same at 40.9% (9 of 22). The fully-scoped group is small enough that the relationship is associative rather than proven causation, but a twenty-three percentage point difference within a single survey wave is difficult to dismiss. Solving the non-human identity problem — giving every agent its own governed identity — is the single largest unfinished piece of enterprise agent security.

Finding 3: Observation Yes, Containment No

When it comes to what enterprises actually do to secure their agents day-to-day, the research reveals an inversion of sound security practice. Roughly half of enterprises observe agent activity (47%) or enforce scoped permissions at runtime (49%). But only 30% isolate their highest-risk agents in sandboxes that bound the blast radius when other controls fail.

From a defense-in-depth standpoint, that ordering is backwards. Observation tells you what happened after the fact. Enforcement tries to prevent bad outcomes. But isolation is what limits the damage when prevention fails — and it is precisely the control that enterprises have adopted least. Combined with the identity gap, the picture is of agents that are watched and permissioned but rarely boxed in. That is the configuration in which a single failure propagates across an entire environment.

Finding 4: Security Runs on Borrowed, Provider-Native Controls

The tooling picture explains much of the structural fragility. OpenAI’s guardrails lead at 51% of surveyed enterprises, followed by Google’s and Microsoft’s cloud-native controls and Anthropic’s managed-agent controls. When asked to name their single primary security layer, 82% name one of these provider-native offerings.

The dedicated, purpose-built agent-security category — vendors such as Palo Alto’s Prisma AIRS, CrowdStrike, Cisco AI Defense, Zenity, HiddenLayer, Check Point’s Lakera, and non-human identity platforms — barely registers, each sitting in the low single digits. This pattern is consistent across both Q2 2026 survey waves the researchers conducted. In an April–May wave (n=110), OpenAI’s controls led at 26%, followed by Azure, AWS, and Google, with every dedicated agent-security specialist at 3% or below.

The structural explanation is straightforward: enterprises reach first for the guardrails their model provider ships with the platform. The independent security layer that would specifically address identity and isolation gaps has not yet been adopted at scale. Provider bundling is winning the default.

Finding 5: Comfort Out of Step With Reality

The most thought-provoking finding may be the satisfaction data. Despite the incident rates, the credential sharing, and the near-absence of sandbox isolation, enterprises report satisfaction with their agent security tooling at 4.2 out of 5, with value for money rated at 4.1. These are described by the researchers as among the most positive readings in the entire survey series.

The researchers’ interpretation is pointed: the comfort appears to rest on the convenience and low friction of provider-native controls rather than on demonstrated containment capability. Enterprises are satisfied with a stack that is mostly borrowed guardrails, even though more than half have already had an incident or near-miss. It is, as the report puts it, a false comfort in the making — the same enterprises expressing satisfaction are, in other parts of the survey, a clear majority planning to change their tooling within the year.

That planned tooling change is itself an implicit acknowledgment that something is missing.

What This Means for Enterprise Security Teams in India and Beyond

For Indian enterprises accelerating their AI agent deployments — across BFSI, healthcare, retail, and manufacturing — the VentureBeat findings carry a direct message. The security frameworks from hyperscalers and model providers are a reasonable starting point, but they were not designed to solve the non-human identity problem at agent scale. Shared credentials, which reduce administrative friction during deployment, become a liability the moment a single agent is compromised or misconfigured.

Three practical priorities emerge from the research:

  1. 1. Establish per-agent identity now. Every AI agent accessing production systems should carry its own scoped, managed identity. The 23-point gap in incident rates between organizations that do this and those that don’t is the clearest signal in the entire dataset.
  2. 2. Sandbox your highest-risk agents. Only 30% of surveyed enterprises do this. If an agent has access to financial systems, customer data, or internal APIs with broad permissions, isolation is not optional — it is the control that bounds how badly a failure propagates.
  3. 3. Treat provider guardrails as a floor, not a ceiling. OpenAI’s and Google’s native controls are valuable, but they were built to govern model behavior, not to manage agent identity, enforce least-privilege access at runtime, or provide clean forensic attribution after an incident.

The agent security gap is not a future risk. For 54% of surveyed enterprises, it is already a past incident. The question is whether the next event is contained or catastrophic — and that answer depends almost entirely on identity, isolation, and enforcement decisions made before deployment, not after.

The full research is available at VentureBeat and is worth reading carefully if your organization is moving AI agents from prototype into production environments this year.

Related stories