The Execution Layer: Where AI Agent Security Falls Apart
82% of enterprises run unknown AI agents. Security teams lock down models but leave the execution layer — where agents actually do damage — completely ungoverned.
By SpringVanta
Security teams have spent the last two years locking down which AI models employees can use, what data those models can access, and which vendors pass procurement review. That work matters. But across the enterprise, the place where AI agents actually do damage, the execution layer, is running without controls.
The execution layer is where an AI agent translates a reasoning step into an action. It calls an API, writes to a database, triggers a workflow, sends an email. Most enterprises have no governance at this layer. Tool invocations are trusted by default. There is no risk scoring before execution, no policy enforcement at the connector level, and no audit trail connecting agent actions to specific identities.
Three surveys released in the first half of 2026 paint a consistent picture:
82% of enterprises have unknown AI agents running in their IT infrastructure, according to a Cloud Security Alliance survey of 418 IT and security professionals. The same survey found that 65% experienced AI agent-related incidents in the past 12 months, resulting in data exposure (61%), operational disruption (43%), and financial losses (35%).
88% of organizations reported confirmed or suspected AI agent security incidents in the last year, per Gravitee's State of AI Agent Security report. In healthcare, that figure reaches 92.7%.
82% of executives say they are confident that existing policies protect against unauthorized agent actions, yet only 14.4% send agents to production with full security or IT approval.
The gap between confidence and controls is the defining problem of enterprise AI security in 2026. Policy documentation and runtime enforcement are not the same thing.
When security teams evaluate AI tools, they focus on the model: what it can generate, what data it was trained on, whether it leaks sensitive information. This is the right instinct for chatbots and copilots.
But autonomous agents are different. They do not just generate text; they take actions through tool invocations. A prompt injection attack does not need to breach your perimeter. It only needs to manipulate an agent into using a tool it already has access to. An attacker embeds instructions in a document, an email, or an API response. The agent reads the content, interprets the embedded instruction as a legitimate task, and acts on it using real credentials through a real access path. No malware binary, no exploit code, just text.
Stanford's Trustworthy AI Research Lab found that model-level guardrails alone are insufficient: fine-tuning attacks bypassed Claude Haiku in 72% of test cases and GPT-4o in 57%. Securing what the model says does not secure what the agent does.
Many agents operating inside enterprise environments were deployed by individual teams without security review. They connect to tools, MCP servers, and external APIs that the security team has never mapped or approved.
Gravitee found that only 24.4% of organizations have full visibility into which AI agents are communicating with each other. More than half of all agents run without security oversight or logging. The average organization now manages 37 deployed agents, and that number grows every quarter.
CSA's survey flagged agent decommissioning as a particular risk: only 21% of organizations have formal decommissioning processes. Decommissioned agents retain permissions and credentials long after their intended use, creating what CSA calls "retirement debt", a structural exposure that accumulates quietly until something breaks.
Most organizations treat AI agents as extensions of human users, assigning them to shared service accounts or existing credentials. 45.6% of technical teams rely on shared API keys for agent-to-agent authentication, according to Gravitee. When multiple agents share credentials, attribution becomes impossible.
Only 21.9% of teams treat AI agents as independent, identity-bearing entities with their own access scopes and audit trails. The organizations that do can attribute actions, scope blast radius, and isolate a compromised agent without taking down entire workflows.
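What the controls missing at the execution layer look like in practice, as an added illustration that is not part of the original article or any vendor product: a small policy gateway that every tool invocation passes through, combining the per-agent identity and audit trail described above with the connector-level scope check and pre-execution risk score the earlier passages call for. The agent names, tool list, risk weights and approval threshold are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Risk weight per tool (assumed values): read-only tools score low, tools that send
# or write score high. Unknown tools get the maximum score.
TOOL_RISK = {"read_calendar": 1, "search_docs": 1, "send_email": 7, "write_db": 8}
RISK_THRESHOLD = 5  # assumed policy: scores at or above this need explicit approval

@dataclass(frozen=True)
class AgentIdentity:
    agent_id: str        # one identity per agent, never a shared service account
    owner: str           # team accountable for this agent
    scopes: frozenset    # tools the agent is permitted to invoke

@dataclass
class Decision:
    allowed: bool
    reason: str
    risk: int

AUDIT_LOG: list[dict] = []   # every decision, allowed or denied, tied to an agent identity

def authorize_call(agent: AgentIdentity, tool: str, approved: bool = False) -> Decision:
    """Gate a tool invocation before it executes: scope check, risk score, audit record."""
    risk = TOOL_RISK.get(tool, 10)
    if tool not in agent.scopes:
        decision = Decision(False, "tool outside agent scope", risk)
    elif risk >= RISK_THRESHOLD and not approved:
        decision = Decision(False, "high-risk tool requires approval", risk)
    else:
        decision = Decision(True, "permitted", risk)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "agent_id": agent.agent_id, "owner": agent.owner, "tool": tool,
        "risk": risk, "allowed": decision.allowed, "reason": decision.reason,
    })
    return decision

def actions_by(agent_id: str) -> list[dict]:
    """Attribution: per-agent identities make this query answerable; shared keys do not."""
    return [e for e in AUDIT_LOG if e["agent_id"] == agent_id]

if __name__ == "__main__":
    # A triage agent scoped to read-only tools. If content it reads steers it toward
    # send_email, the connector-level policy denies the call and records the attempt.
    triage = AgentIdentity("mail-triage-01", "ops", frozenset({"read_calendar", "search_docs"}))
    print(authorize_call(triage, "search_docs"))
    print(authorize_call(triage, "send_email"))
    # A finance agent may write to the database, but only with an approval token.
    invoices = AgentIdentity("invoice-bot-02", "finance", frozenset({"write_db"}))
    print(authorize_call(invoices, "write_db"))
    print(authorize_call(invoices, "write_db", approved=True))
    print(len(actions_by("mail-triage-01")), "audited actions for mail-triage-01")
```

Denied calls are logged alongside permitted ones, so an injected instruction that fails the scope check still leaves an attributable trace for the detection team.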
Microsoft's Agent 365 May 2026 update is the most visible vendor attempt to close this gap. The platform now includes a centralized registry for all AI agents (Microsoft-built, internal, and third-party), a real-time dashboard for monitoring agent activity, shadow AI detection that integrates with Defender and Intune, admin approval workflows, automated governance rules, conditional access policies for agents, and MCP server management.
Cisco's AI Defense solution expanded in February 2026 to add runtime protections against tool abuse and supply chain manipulation at the MCP layer. CrowdStrike has also moved to address execution-layer attacks specifically.
These tools are arriving faster than the frameworks meant to guide them. NIST's AI Agent Standards initiative is a multi-year effort with first deliverables expected in late 2026. The EU AI Act and ISO 42001 predate agentic AI entirely. CSA's own AI Controls Matrix is being updated, but the current version was not designed for autonomous agents that create and instruct other agents.