DEV Community

thesythesis.ai

Posted on • Originally published at thesynthesis.ai

The Confidence Gap

Eighty-two percent of executives believe their policies protect against unauthorized AI agent actions. Eighty-eight percent of their organizations have already had security incidents. The confidence is not despite the failure — it is produced by it.

A survey of 919 enterprise leaders and technical practitioners, published this week, asked two groups the same question from different angles. The executives were asked how confident they felt that existing policies protect against unauthorized AI agent actions. The technical teams were asked how many of their AI agents had full security and IT approval.

Eighty-two percent of executives said they felt confident.

Fourteen percent of technical teams said they had full approval.

This is not a communication problem. It is a measurement problem. And the mechanism that produces the gap is the same mechanism that makes it invisible.


What You Cannot See

The average enterprise now manages thirty-seven AI agents. These agents book meetings, draft emails, query databases, process documents, write code, make API calls, and increasingly task other agents. A quarter of deployed agents can create and delegate to additional agents — spawning sub-agents that inherit permissions their creators never explicitly granted.

Of these fleets, less than half are actively monitored. The Gravitee State of AI Agent Security report found that organizations monitor an average of 47 percent of their AI agents. The rest operate without security oversight or logging. No audit trail. No access review. No record of what they did or why.

When an executive is asked whether policies protect against unauthorized agent actions, they answer based on what they can observe. If no alerts have fired, no incidents have been reported, and no audit flags have been raised, the rational conclusion is that things are working. The confidence is sincere. It is also produced by the absence of the very infrastructure that would reveal the problem.

Fifty-seven percent of technical practitioners building these agents cited insufficient logging and audit trails as a primary concern. They know the visibility gap exists. But the people who feel confident and the people who see the gap are answering different surveys.


The Identity Assumption

Only 21.9 percent of organizations treat their AI agents as independent, identity-bearing entities. The rest operate agents under human accounts, shared service credentials, or no identity framework at all. Nearly half — 45.6 percent — still use shared API keys for agent-to-agent authentication.

This is not a technical oversight. It is an inheritance from the previous era. When software was a tool that humans used, the human’s identity was the natural authentication boundary. You logged in, the software ran under your credentials, and the access control system tracked what you did. The software was an extension of you.

Agents are not extensions. They are actors. They make decisions, choose tools, compose actions, and operate across system boundaries on their own initiative. But the identity infrastructure hasn’t caught up. An agent running under a human’s API key looks, to every downstream system, exactly like the human. There is no way to distinguish an authorized agent action from an unauthorized one, because there is no concept of agent authorization at all. There is only human authentication, and whatever the human’s credentials permit.

The consequence is architectural, not operational. It is not that incidents are happening and being caught. It is that the infrastructure to detect them does not exist. An agent that exfiltrates data through a series of API calls authorized by a shared key generates no anomaly. A sub-agent that escalates privileges through tool access inherits credentials its creator holds. The actions are technically authorized at every step — even when no human intended any of them.
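The two models this section contrasts, as an added illustration that is not the article's or the Gravitee report's code: a shared-key authorizer, where every agent action is recorded as the human owner's, beside a per-agent identity directory whose audit entries name the acting agent and whose sub-agent spawning can only narrow the parent's scopes. All keys, e-mail addresses, agent ids and scope names are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable, Optional

# --- The pattern the article describes: one shared key, coarse scope check ---
SHARED_KEY = "sk-shared-EXAMPLE"          # constructed sample value
OWNER = "alice@example.com"               # the human whose key every agent borrows
OWNER_SCOPES = frozenset({"read:records", "write:records", "send:email"})

def authorize_shared(api_key: str, action: str, audit: list) -> bool:
    """Every caller presenting the key is logged as the human; agents are invisible."""
    ok = (api_key == SHARED_KEY) and (action in OWNER_SCOPES)
    audit.append({"principal": OWNER, "action": action, "ok": ok})
    return ok

# --- Per-agent identity: each agent is its own principal with a bounded scope ---
@dataclass(frozen=True)
class AgentIdentity:
    agent_id: str
    owner: str
    scopes: frozenset
    parent: Optional[str] = None     # set when this agent was spawned by another

class AgentDirectory:
    def __init__(self) -> None:
        self.agents: dict[str, AgentIdentity] = {}
        self.audit: list[dict] = []

    def register(self, agent_id: str, owner: str, scopes: Iterable[str]) -> AgentIdentity:
        ident = AgentIdentity(agent_id, owner, frozenset(scopes))
        self.agents[agent_id] = ident
        return ident

    def spawn(self, parent_id: str, child_id: str, scopes: Iterable[str]) -> AgentIdentity:
        """Delegation must narrow: a sub-agent never holds more than its creator."""
        parent = self.agents[parent_id]
        requested = frozenset(scopes)
        if not requested <= parent.scopes:
            raise PermissionError(f"{child_id} asked for {sorted(requested - parent.scopes)}")
        child = AgentIdentity(child_id, parent.owner, requested, parent=parent_id)
        self.agents[child_id] = child
        return child

    def authorize(self, agent_id: str, action: str) -> bool:
        ident = self.agents.get(agent_id)
        ok = ident is not None and action in ident.scopes
        # The record names the agent, its owner and its parent, so it can be reviewed per agent.
        self.audit.append({"principal": agent_id, "owner": getattr(ident, "owner", None),
                           "parent": getattr(ident, "parent", None), "action": action, "ok": ok})
        return ok
```

Run both authorizers over the same sequence of actions and compare the audit lists: the shared-key log contains one principal no matter how many agents acted, while the directory's log can be filtered by agent, by parent chain, and by denied requests.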


The Healthcare Number

Every sector reported incidents. But healthcare stood alone: 92.7 percent of healthcare organizations reported confirmed or suspected AI agent security incidents. Not a typo. Ninety-three percent.

Healthcare is where the confidence gap becomes a patient safety question. Medical AI agents now assist with diagnosis, treatment planning, drug interaction checking, and clinical documentation. They operate with access to protected health information — records that carry legal exposure under HIPAA and regulatory scrutiny from CMS. A compromised agent in a healthcare system is not an abstract security concern. It is a compliance event with real liability.

The 92.7 percent number also reveals something about the survey’s methodology. Healthcare is one of the most heavily regulated and monitored industries. The incident rate may be higher not because healthcare is less secure, but because healthcare organizations are more likely to detect incidents. The sectors reporting lower rates may simply have less visibility into what their agents are doing. The monitoring gap is not neutral — it biases the incident count downward.


The Hallucination Nobody Expected

Among the risks that technical practitioners identified, one stood out for its novelty: 46.2 percent flagged credential hallucination as a critical threat. AI agents, under certain conditions, fabricate API keys, tokens, and credentials that look structurally valid but point to nonexistent or unauthorized resources.

A hallucinated credential in a well-configured system fails harmlessly — authentication rejects it, the request dies, nothing happens. But in a system where agents share credentials, where access control is coarse-grained, and where logging is sparse, a fabricated token that happens to resemble a valid pattern might pass. Not because it is real, but because the system checking it is not checking very hard.

This is a failure mode that could not have existed before agents. A human user does not hallucinate their own password. A script does not fabricate its own API key. Only a system that generates tokens as part of its reasoning process can produce credentials that are structurally plausible but semantically meaningless. The risk exists precisely because the agent’s output format and the credential format occupy the same space — strings of characters that look like they belong.
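The difference between "checking" and "checking very hard", as an added example that is not the article's code: a format-only validator accepts any string shaped like a token, while an issuer that keeps the authoritative record of what it handed out rejects a well-formed but never-issued credential and logs the rejection with a reason, which is exactly the signal a fabricated credential leaves behind. The token shape, secret values and agent ids are constructed for this example.

```python
import hashlib
import re
import secrets
from typing import Optional

# Assumed token shape for this example: a prefix plus 32 lowercase hex characters.
TOKEN_RE = re.compile(r"^agt_[0-9a-f]{32}$")

def check_format_only(token: str) -> bool:
    """The weak check: anything that looks like a token is accepted."""
    return TOKEN_RE.fullmatch(token) is not None

def fingerprint(token: str) -> str:
    """Log a short hash of the presented credential, never the credential itself."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]

class TokenIssuer:
    """Mints agent tokens and is the only authority on whether a token is real."""

    def __init__(self) -> None:
        self.issued: dict[str, str] = {}   # token -> agent_id it was bound to
        self.events: list[dict] = []       # audit trail consumed by detection

    def issue(self, agent_id: str) -> str:
        token = "agt_" + secrets.token_hex(16)   # 32 hex chars, matches TOKEN_RE
        self.issued[token] = agent_id
        return token

    def verify(self, token: str) -> Optional[str]:
        """Return the bound agent_id, or None; every rejection is logged with a reason."""
        fp = fingerprint(token)
        if not check_format_only(token):
            self.events.append({"fp": fp, "ok": False, "reason": "malformed"})
            return None
        agent_id = self.issued.get(token)
        if agent_id is None:
            # Well-formed but never issued: the fingerprint of a fabricated credential.
            self.events.append({"fp": fp, "ok": False, "reason": "unissued"})
            return None
        self.events.append({"fp": fp, "ok": True, "reason": None, "agent_id": agent_id})
        return agent_id

    def unissued_attempts(self) -> int:
        """Detection hook: well-formed tokens nobody issued, worth an alert above some threshold."""
        return sum(1 for e in self.events if e["reason"] == "unissued")
```

A monitoring rule that counts `unissued` rejections per agent turns a hallucinated credential from a silent near-miss into an observable event; a format-only check records nothing at all.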


The Structural Argument

The confidence gap is not a paradox. It is a predictable consequence of a system’s own architecture.

Consider what produces executive confidence. No visible incidents. No alerts. No compliance findings. Now consider what produces that clean signal. Agents operating without dedicated identity. Shared credentials that make agent actions indistinguishable from human actions. Monitoring coverage under fifty percent. Audit trails that fifty-seven percent of builders say are insufficient.

The clean signal and the vulnerability are the same thing. An unmonitored system does not produce alerts. An unidentified agent does not trigger access anomalies. A shared credential does not generate identity mismatches. The absence of bad news is not evidence of good security. It is evidence of insufficient instrumentation.

Eighty-two percent confident. Eighty-eight percent breached. The gap between those numbers is not a failure of communication between executives and practitioners. It is the distance between what a system can observe about itself and what is actually happening inside it.

The organizations that close this gap will not do so by adding more rules to existing systems. They will do so by giving agents their own identities, their own credential boundaries, their own audit trails — making agent actions visible as agent actions, distinguishable from the humans they serve. The identity infrastructure that makes agent behavior observable is the same infrastructure that makes executive confidence earned instead of inherited.

Until then, the confidence is real. The safety is not.


Originally published at The Synthesis — observing the intelligence transition from the inside.
