AI agents are no longer a lab curiosity. They’re in production, touching real systems, and—according to a new June 2026 Pulse Research survey of 107 enterprises—running into the same uncomfortable reality that has haunted every other “move fast” technology wave: the security controls arrive late, and when they do arrive, they’re often the wrong kind.
The headline number is stark: 54% of organizations report that they’ve already experienced an agent security incident (18% confirmed) or a near-miss caught before harm (36%). That’s not just a sign that something is going wrong; it’s evidence that the industry is already past the “we haven’t seen it yet” phase. The more revealing story, though, is what those incidents imply about how enterprises are architecting agent access today—and why the most important containment mechanisms are still missing or underused.
This is where the term “agent security gap” becomes more than a catchy phrase. In this research, the gap is essentially the distance between the autonomy enterprises are granting their agents and the controls needed to contain them when something fails. And the survey suggests that distance is widening, not shrinking.
What makes the situation especially concerning is the combination of three factors that rarely line up so badly at the same time: high exposure, incomplete identity governance, and a security stack that is largely borrowed from model providers and hyperscalers rather than purpose-built for autonomous agents.
Let’s unpack what the data says—and what it likely means in practice.
A near-miss is still a warning shot
Start with the incident landscape. More than half of enterprises (54%) report an agent security event: 18% confirmed incidents and 36% near-misses. Only 42% report nothing, and a small remainder either don’t run agents in production or don’t track events.
The near-miss share matters. If all the problems were confirmed breaches, the story would be grim but straightforward. Instead, a large portion of organizations are catching issues close to the edge—before harm occurs. That implies monitoring exists in many environments, but containment may not be strong enough to prevent escalation once something goes off the rails.
In other words: enterprises are seeing the smoke, but they’re not always building the firebreaks.
The survey also shows that exposure scales with company size. Incident-or-near-miss rates rise from 49% in the mid-market (101–1,000 employees) to 63% at larger enterprises (above 1,000 employees). Yet containment doesn’t scale in the same way. Sandbox isolation of highest-risk agents drops from 35% to 20% as organizations get larger. Satisfaction with security tooling also declines with size—from 4.36 to 3.97—suggesting that as complexity increases, confidence erodes.
That mismatch—more exposure, less isolation—is exactly the kind of structural risk pattern that turns “we caught it” into “we didn’t catch it next time.”
Identity is the fault line
If there’s one control area that stands out as the structural weakness, it’s identity.
Only about a third of enterprises (32%) give every agent its own scoped, managed identity. That’s the baseline requirement for least-privilege access and clean attribution. Without it, you can’t reliably answer basic forensic questions like: which agent performed which action, under what permissions, and with what credentials?
Instead, credential sharing is common. When the survey aggregates overlapping patterns across the agent fleet, 69% of enterprises report credential sharing somewhere in their agent operations. Nearly half (48%) say some agents have scoped identities but many still share credentials. Another 32% report that agents mostly run on shared API keys or borrowed human and service-account credentials.
These numbers overlap because respondents could describe multiple patterns across different parts of their agent portfolio. But the direction is consistent: fully governed per-agent identity is the exception, not the norm.
Why does this matter so much? Because credential sharing changes the blast radius of failure.
If multiple agents share the same credentials, then compromise or misbehavior by one agent can effectively become compromise by the credential set itself. Even if only one agent is “at fault,” the permissions attached to the shared identity can allow actions far beyond what any single agent was intended to do. And when something goes wrong, attribution becomes messy. Investigations can struggle to separate agent behavior from credential behavior, especially when logs and audit trails aren’t designed around non-human identities.
The survey also reports an association between credential sharing and incidents. Organizations with credential sharing anywhere in the fleet show an incident-or-near-miss rate of 63.5% (47 of 74). Organizations where every agent carries its own scoped identity show a lower rate of 40.9% (9 of 22). The report is careful not to claim causation—this is a directional, self-selected survey—but the gap is large enough to be meaningful. Within a single wave, a 23-point difference in incident rate is not a rounding error.
Even if identity isn’t the only factor, it’s clearly one of the factors that correlates with outcomes.
Observe and enforce—but rarely isolate
Identity governs who an agent is. Isolation governs what happens when things go wrong.
Here, the survey finds another troubling imbalance. Monitoring and enforcement are relatively common, but containment is rare. Roughly half of enterprises observe agent activity (47%) or enforce scoped permissions at runtime (49%). Yet only 30% isolate their highest-risk agents in sandboxes that bound the blast radius.
That ordering is backwards from a defense-in-depth perspective. Observation tells you what happened. Enforcement tries to prevent it. Isolation limits damage when prevention fails. If isolation is the least adopted control, then the system is optimized for detection rather than resilience.
And when you combine this with the identity gap, the picture becomes even clearer: enterprises are often watching and permissioning agents, but they’re not boxing them in. That configuration is precisely where a single failure propagates.
It’s also worth noting what “highest-risk agents” implies. Many organizations likely identify certain workflows—agents that can modify data, access sensitive systems, or perform high-impact actions—as the ones that should be isolated. Yet only three in ten actually sandbox them. That suggests either technical difficulty, operational overhead, or uncertainty about how to implement isolation without breaking agent functionality.
But the survey’s incident data suggests that the cost of not isolating is already being paid.
Provider-native guardrails dominate the stack
So what are enterprises using to secure agents?
The survey’s tooling findings point to a broader industry pattern: enterprises are defaulting to the security features bundled with the platforms they use—model provider guardrails and cloud-native controls—rather than adopting purpose-built agent security solutions.
OpenAI’s guardrails lead at 51%. Google and Microsoft cloud-native controls follow, along with Anthropic’s managed-agent controls. When asked to name a single primary security layer, 82% cite one of these provider-native offerings.
Meanwhile, dedicated agent-security specialists barely register. Purpose-built tools in the agent-security category—examples cited include Prisma AIRS, CrowdStrike, Cisco AI Defense, Zenity, HiddenLayer, Check Point’s Lakera, Okta for AI Agents, and non-human identity platforms—appear in low single digits each. Only 5% of enterprises report running no dedicated tooling at all.
This doesn’t mean provider-native controls are useless. It means they’re not designed around the full threat model of autonomous agents operating across enterprise systems with real credentials and real side effects. Provider guardrails are often focused on model behavior and prompt-level safety. Cloud controls can help with access management and logging, but they may not provide the agent-specific identity and isolation primitives that the survey indicates are missing.
The result is a security stack that may reduce some risks while leaving the most agent-specific risks—identity governance and blast-radius containment—under-addressed.
And the survey suggests enterprises are comfortable with this arrangement, which is part of the danger.
High satisfaction alongside high exposure
One of the most striking findings is satisfaction. Enterprises rate their agent security tooling at an average of 4.2 out of 5 overall, and 4.1 for value for money.
That’s unusually positive given the incident landscape. More than half have already had an incident or near-miss, and only a third give every agent scoped identity. Yet satisfaction remains high.
The report frames this as potential “false comfort.” The logic is straightforward: provider-native controls are convenient and low friction. They’re easy to adopt because they come with the platform. Convenience can create confidence, and confidence can delay investment in the harder controls that require deeper architectural changes.
The survey supports this interpretation indirectly through Finding 8: a clear majority plan to change tooling within a year. If enterprises were truly confident that their current stack was sufficient, fewer would be planning a reshuffle.
Budget signals lag behind risk
Spending provides another clue that the security posture may be more reactive than strategic.
Agent security budget allocation is modest. The most common allocation is 6–10% of the security budget (46%). A third of enterprises (34%) spend 5% or less. Only a quarter (24%) devote more than a tenth.
Given the incident rate and the identity/isolation gaps, the budget looks like a lagging indicator. Risk appears to have arrived faster than funding for the controls that would address it.
This is a familiar pattern in cybersecurity: the organization experiences a problem, then gradually funds the solution. But with agent security, the problem may be compounding quickly because agents can multiply across teams, workflows, and systems. That means the “time to fund” can be too slow relative to the speed of deployment.
Confidence in defense is split
Enterprises are also uncertain about whether they’re winning the broader contest against AI-enabled attackers.
Only 35% believe their AI-enabled defenses are ahead of AI-enabled attackers. Another 32% call it roughly even. 21% think attackers are ahead, and 21% say it’s too early to tell. Combined, 53%
