86% of AI Agents Ship Without Security Approval. Microsoft's Fix Just Went Open Source.

Two things happened this week that frame where AI agent security actually stands.

Gravitee's State of AI Agent Security 2026 report surveyed 919 executives and technical practitioners. 80.9% of organizations have moved AI agents past planning into active testing or production. That part is encouraging. The problem: only 14.4% say all their agents go live with full security and IT approval. And 88% experienced confirmed or suspected AI agent security incidents in the past year.

Two days later, Microsoft open-sourced RAMPART and Clarity, two tools built to close exactly that gap. Not a framework. Not a white paper. Actual tooling that plugs into CI pipelines and design workflows.

These two stories are the same story, told from opposite ends. The industry deployed agents first and sorted out security later. Now it is racing to catch up.

The data

Gravitee's report identifies what they call a "Confidence Paradox": 82% of executives believe their existing policies protect them from unauthorized agent actions. On the ground, only 21% have visibility into what their agents access, which tools they call, or what data they touch.

Healthcare is getting hit hardest, at 92.7% of organizations reporting agent security incidents. And 25.5% of deployed agents can create and assign tasks to other agents. A single compromised agent can cascade into a multi-agent breach that nobody can trace.

VentureBeat ran its own three-wave survey of 108 enterprises and found that security monitoring budgets dropped to 24% of security spend in February before snapping back to 45% in March. The dip happened because early movers redirected money toward runtime enforcement and sandboxing, then had to course-correct when incidents spiked.

What Microsoft shipped

RAMPART (Risk Assessment and Measurement Platform for Agentic Red Teaming) is a pytest-native framework. You write test scenarios based on your threat model, connect them to your agent through an adapter, and they run in CI alongside your other integration tests. The framework handles adversarial payload generation and evaluation. Your job is describing what your agent should and should not do.

Two things make it different from standard security tooling.

It handles probabilistic behavior natively. LLMs do not produce the same output twice, so RAMPART supports statistical trials. You can require that an action stays safe in at least 80% of runs rather than relying on a single pass/fail check.

It focuses on cross-prompt injection attacks, the scenario where an agent reads poisoned content from an email, support ticket, or document and gets manipulated into taking unintended actions. This is the same attack vector Microsoft flagged in its own research two weeks ago, when it published findings on remote code execution vulnerabilities in Semantic Kernel. A single prompt was enough to launch calc.exe on the host machine. No browser exploit, no memory corruption. Just an agent parsing language, picking a tool, and passing parameters.

Ram Shankar Siva Kumar, who founded Microsoft's AI red team in 2019, told The Register that internally, RAMPART took a single vulnerability report and generated close to 100 variants, then tested each across roughly 300 runs in multi-turn conversations. That kind of regression coverage does not exist in manual red teaming.

Clarity, the companion tool, works earlier in the pipeline, before any code gets written. It is a structured sounding board that walks teams through problem clarification, solution exploration, and failure analysis. Multiple AI "thinkers" examine the system from security, adversarial, and operational angles at the same time. The outputs get committed to a .clarity-protocol/ directory in the repo as markdown files, reviewed and tracked like any other source.

This addresses a real gap. Siva Kumar noted that the most expensive safety failures trace back to design decisions made before anyone wrote code, like giving an agent access to a tool without thinking through what happens when it gets misused.

What this means for business operators

If you are deploying or evaluating AI agents for intake, lead qualification, customer support, or any workflow automation, the Gravitee data is about you. The odds are good that your agents already touch production data without the security review your IT team assumes they have.

The tooling is starting to catch up. RAMPART and Clarity are both MIT-licensed on GitHub. They are designed for engineers, not security researchers. If your team writes integration tests, they can write RAMPART tests.

The gap between "agents in production" and "agents you have actually secured" is where breaches live. Microsoft is betting that closing it requires treating agent safety as a continuous engineering practice, not a compliance checkbox you tick once. That sounds right. The philosophical phase of AI safety is mostly over. What the industry needs now is tooling, and it is finally showing up.

Sources

• Gravitee: State of AI Agent Security 2026 Report
• Microsoft Security Blog: Introducing RAMPART and Clarity
• The Register: Microsoft open-sources agentic AI safety tools
• VentureBeat: The enforcement gap in AI agent security
• Microsoft Security Blog: When prompts become shells, RCE in AI agent frameworks
• CyberScoop: Meet Rampart and Clarity