AI Agents: Enterprises Are Blind to Stage Three Threats, Survey Reveals

Recent high-profile incidents, including a rogue AI agent at Meta exposing sensitive data and a supply-chain breach at AI startup Mercor, highlight a critical security gap in how enterprises are handling AI agents. A new VentureBeat survey reveals that most organizations are stuck in the 'observe' phase of AI agent security, largely ignoring the more critical 'enforce' and 'isolate' stages, leaving them vulnerable to sophisticated attacks.

The Alarming Reality: Monitoring Isn't Enough

The data is stark: while 82% of executives believe their policies adequately protect them from unauthorized agent actions, a staggering 88% reported AI agent security incidents in the past year. This disconnect points to a fundamental misunderstanding of AI agent risks. The core issue, as identified by experts and highlighted in the survey, is the gap between simply monitoring AI agent activity and actively enforcing security policies and isolating potentially malicious agents.

Here's a breakdown of the findings:

• 88% of organizations experienced AI agent security incidents in the last 12 months, yet many feel protected.
• Only 21% have runtime visibility into what their AI agents are actually doing.
• A concerning 97% of security leaders expect a material AI-agent-driven incident within the next year, yet only 6% of security budgets are allocated to address this risk.

The Three Stages of AI Agent Security: Where Enterprises Fall Short

The survey outlines a crucial three-stage security framework for AI agents:

• Stage 1: Observe - This involves basic monitoring of AI agent activity. While essential, it's the most rudimentary level of security.
• Stage 2: Enforce - This stage integrates monitoring with action, using tools like Identity and Access Management (IAM) and cross-provider controls to enforce policies.
• Stage 3: Isolate - The most advanced stage, involving sandboxed execution to contain potential damage when other security measures fail.

The survey's findings indicate a widespread failure to progress beyond Stage 1. Enterprises are heavily invested in monitoring but lack the enforcement and isolation mechanisms needed to truly secure their AI agents. This is particularly alarming given that the fastest known adversary breakout times have dropped to mere seconds, making human-speed monitoring dashboards obsolete.

Emerging Threats and the Growing Attack Surface

The OWASP Top 10 for Agentic Applications 2026 lists critical risks like goal hijack, tool misuse, and rogue agents, many of which have no direct parallel in traditional LLM applications. These threats exploit the very nature of AI agents, which can operate autonomously and interact with various tools and systems. For instance, the 'MCP Tool Poisoning Attack' can trick an agent into exfiltrating data or compromising a trusted server.

Furthermore, the reliance on shared API keys (used by 45.6% of enterprises) and the ability of some agents to spawn other agents without explicit provisioning creates a massive, often unseen, threat surface. As Merritt Baer, CSO at Enkrypt AI, points out, enterprises often approve an interface, not the underlying system, leading to vulnerabilities two layers deeper than anticipated.

The Regulatory Tightrope and Identity Challenges

Regulatory bodies are increasingly aware of AI risks. HIPAA and FINRA, for example, have specific guidelines for AI agents handling sensitive data, emphasizing audit trails and human checkpoints. The lack of proper auditability, a key concern that surged in the survey after initial deployment sprints, can lead to significant regulatory penalties, especially in sectors like healthcare.

The identity problem is also architectural. Most teams don't treat agents as distinct identity-bearing entities, relying instead on shared credentials, which is a ticking time bomb. As AI agents proliferate, they will operate with elevated privileges, dwarfing human identities and rendering traditional human-centric identity security models ineffective.

Guardrails Are Not Enough: The Need for Permissioning

While guardrails are a common security measure, research shows they can be bypassed by sophisticated attacks. The real need, as identified by CISOs, is robust permissioning. The survey consistently shows prevention of unauthorized actions as the top priority, indicating a clear demand for controls that dictate what agents *can* do, rather than just what they are prompted to do.

Hyperscalers and the Path Forward

Major cloud providers like Azure, AWS, Google Cloud, and OpenAI are developing capabilities for AI agent security, but no provider currently offers a complete Stage 3 (isolation) solution. Many enterprises are left to piece together isolation capabilities from existing cloud services. This approach is viable only if it's deliberate; simply waiting for vendors to close the gap is not a strategy.

The survey also highlights that many AI applications are built using open-source orchestration frameworks, which often bypass hyperscaler IAM controls and lack native security primitives. This necessitates layering enforcement and isolation on top of these frameworks.

A 90-Day Plan for Security Maturity

VentureBeat proposes a pragmatic 90-day remediation sequence:

• Days 1-30: Inventory and Baseline - Map agents, log tool calls, revoke shared keys, and implement read-only monitoring.
• Days 31-60: Enforce and Scope - Assign scoped identities, deploy approval workflows for write operations, and integrate logs into SIEM.
• Days 61-90: Isolate and Test - Sandbox high-risk workloads, enforce least privilege, and red-team isolation boundaries.

The message is clear: the era of simply observing AI agent activity is over. Enterprises must evolve their security posture to actively enforce policies and isolate risks to protect themselves from the rapidly increasing threat landscape. Ignoring this reality is not just a security debt; it's an open invitation for a catastrophic breach.