80% of Organizations Report Risky AI Agent Behaviors — Only 21% Have Full Visibility

New research published by the Cloud Security Alliance in March 2026 paints a stark picture of enterprise AI agent deployments: 80% of organizations surveyed reported risky agent behaviors, including unauthorized system access and improper data exposure, while only 21% of executives report complete visibility into agent permissions, tool usage, or data access patterns.

The findings highlight the gap between how enterprises think their agents are behaving and what is actually happening at the tool-call level. Agents operating with administrative-level privileges — accessing databases, calling external APIs, executing code — are doing so largely unmonitored. When something goes wrong, most organizations have no audit trail to reconstruct what happened.

The rise of agentic AI has driven an explosion in machine-to-machine interactions that traditional security tools were never designed to monitor. Standard identity and access management systems track human logins; they have no mechanism for governing which tools an AI agent is allowed to call, under what conditions, and with what parameters.

Threat actors have noticed. Researchers documented espionage campaigns using AI coding agents to scan systems for weaknesses and generate exploit scripts — marking a shift from AI as a tool for defenders to AI as an active component of offensive operations.