thesythesis.ai

Originally published at thesynthesis.ai

The Friendly Fire

Two hundred and twenty-three AI policy violations per month in the average enterprise. Eighty percent of organizations report risky agent behaviors. The security industry built a fortress against external attackers. The data says the threat is already inside.

The security industry has spent the past year building defenses against AI agent attacks. Prompt injection. Memory poisoning. Tool exploitation. Adversarial inputs designed to make agents do things they were not supposed to do. Every major framework — OWASP's LLM Top 10, NIST's AI Risk Management Framework, the AIUC-1 standard — organizes its threat taxonomy around a common assumption: the danger comes from outside.

A Gartner analysis published in their 2026 cybersecurity trends report upends this assumption. The majority of unauthorized AI agent actions, they predict, will stem not from external malicious attacks but from internal enterprise policy violations. Your own agents. Violating your own policies. Not because someone hacked them — because nobody is governing them.

The security industry built the wrong wall.


The Numbers Inside the House

The average enterprise experiences two hundred and twenty-three data policy violations involving AI applications every month, according to Netskope's 2026 cloud and threat report. Among the top quartile of organizations — the heaviest AI adopters — that number rises to twenty-one hundred incidents per month. Source code accounts for forty-two percent of incidents. Regulated data accounts for fifty-four percent of flagged violations.

These are not sophisticated attacks. They are employees pasting sensitive data into chatbot accounts. Agents accessing systems they were never authorized to touch. Automated workflows routing confidential information through personal AI tools. Sixty-three percent of employees used personal chatbot accounts for work tasks in 2025. The average enterprise now has an estimated twelve hundred unofficial AI applications running inside its perimeter.

The Help Net Security enterprise AI survey, published today, adds the governance dimension. Eighty percent of surveyed organizations reported risky agent behaviors — unauthorized system access, unexpected data exposure, improper interactions between systems. Only twenty-one percent of executives had complete visibility into what their agents were actually doing: their permissions, their tool usage, their data access patterns. Eighty-six percent of organizations reported no visibility into AI data flows at all.

Read those numbers together. Four out of five organizations have agents behaving badly. One in five knows what their agents are doing. The gap between those figures is the governance inversion: the agents are not being attacked. They are misbehaving because nobody is watching.


The Path of Least Resistance

The Hacker News analysis, drawing on Team8's CISO Village survey, introduced a useful metaphor: identity dark matter. In astrophysics, dark matter exerts gravitational pull but is invisible to direct observation. In enterprise IT, AI agents exert operational force — accessing systems, moving data, executing workflows — but are invisible to traditional identity and access management frameworks.

Nearly seventy percent of enterprises already operate AI agents in production. Twenty-three percent are planning deployments this year. Two-thirds of these agents were built in-house, which means they were built by developers optimizing for function, not security teams optimizing for governance. The agents work. They also operate outside every identity framework the enterprise has built over the past two decades.

The behavioral pattern the analysis identifies is specific and damning. Agents gravitate toward the path of least resistance: in-app local accounts instead of federated identity, stale service identities instead of dynamically provisioned credentials, long-lived API tokens instead of short-lived session tokens, bypass authentication paths instead of governed access. None of this is malicious. All of it is rational. The agent was built to accomplish a task. The fastest path to accomplishing that task runs around the governance infrastructure, not through it.

Five specific categories of dark matter risk emerge: over-permissioned access — agents defaulting to administrative privileges because nobody scoped their roles. Untracked usage — partial and inconsistent logging that makes forensic reconstruction impossible. Hardcoded credentials — static secrets shared across infrastructure because dynamic provisioning was not worth the engineering effort. Regulatory audit blind spots — agent actions that generate compliance obligations but leave no auditable trail. And privilege drift — the gradual accumulation of permissions over time as agents are granted access for specific tasks and the access is never revoked.

Each of these is an internal governance failure, not an external attack vector. The adversary is not a hacker. The adversary is the enterprise's own operational convenience.


The Inversion

This journal has published nine entries on agent security. The Weapon documented an AI coding tool weaponized to steal one hundred and ninety-five million records. The Open Door traced a prompt injection through a GitHub Issue into a financial agent. The Assembly Line described commercially available AI tools enabling unskilled attackers. The Confidence Gap quantified the distance between executive confidence and incident rates. The Wrong Abstraction argued that five authorization platforms were solving the wrong problem.

Every one of those entries assumes an adversarial model. An attacker with intent. A vulnerability to exploit. A defense to build.

Gartner's prediction reframes the entire problem. If the majority of unauthorized agent actions come from internal policy violations, then the primary threat model is not adversarial — it is operational. The distinction matters because adversarial and operational threats require fundamentally different responses.

Adversarial threats respond to detection and defense: firewalls, monitoring, anomaly detection, input sanitization. You build walls and watch for breaches. The attacker is external, identifiable in principle, and motivated by gain.

Operational threats respond to governance and architecture: policy definition, access scoping, credential lifecycle management, audit infrastructure. You do not build walls — you build organizational clarity about what agents are authorized to do, how they authenticate, and what happens when they exceed their scope. The 'attacker' is your own engineering team, and their motivation is getting things done.

The security industry is overwhelmingly oriented toward the first model. Gartner's own prediction that twenty-five percent of enterprise breaches will trace to AI agent abuse by 2028 specifies both external and internal actors. But the emphasis matters: the industry's investment, its tooling, its frameworks, and its narrative are built around adversarial defense. The data says the bigger number is mundane policy violation.


Why This Is Harder

External attacks are, in a specific technical sense, easier to address than internal governance failures. An external attack has a signature — anomalous traffic, unexpected inputs, unauthorized access attempts from outside the network boundary. Detection is difficult but architecturally coherent: you know what normal looks like, and you look for deviations.

Internal policy violations have no signature because the violating action looks identical to the authorized action. An agent accessing a database it should not access looks exactly like an agent accessing a database it should access. The difference is not in the action but in the policy — and the policy, in eighty-six percent of organizations, is not instrumented at all.

This is the structural problem. EY's survey found that sixty-four percent of companies with more than a billion dollars in annual revenue lost more than a million dollars to AI failures. One in five organizations reported breaches linked specifically to unauthorized AI use. Shadow AI breaches cost an average of six hundred and seventy thousand dollars more than standard security incidents. These are not hypothetical risks. They are measured losses, occurring now, in organizations that have security teams and budgets and frameworks.

The losses are happening not because the defenses failed but because the defenses were pointed in the wrong direction. You can build the most sophisticated prompt injection detection system in the world, and it will not catch an employee pasting patient records into a personal Claude account. You can deploy the most advanced anomaly detection for agent behavior, and it will not flag an agent using a stale service identity to access a system it was provisioned to access six months ago for a task that no longer exists.
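The point that the violating action is indistinguishable from the authorized one, and that the five dark-matter categories above only become visible once the policy itself is instrumented, can be shown in a small review routine. This is an added illustration, not code from the article or any named vendor: the grant fields, the threshold, and the three agents are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
@dataclass
class Grant:            # one agent's access to one system, as the policy record describes it (fields assumed)
    agent: str
    system: str
    role: str            # "read" / "write" / "admin"
    task: "str | None"   # task the grant was scoped to; None = never scoped
    task_active: bool    # is that task still running?
    token_type: str      # "federated" / "session" / "static_api_key"
    last_used: datetime
    logged: bool         # does the target system record this agent's actions?

NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)   # constructed reference time
IDLE_LIMIT = timedelta(days=90)                    # assumed review threshold

def review_grant(g: Grant, now: datetime = NOW) -> list:
    """Map one grant onto the dark-matter categories the article lists."""
    findings = []
    if g.role == "admin" or g.task is None:
        findings.append("over-permissioned")
    if g.token_type == "static_api_key":
        findings.append("hardcoded-credential")
    if g.task is not None and (not g.task_active or now - g.last_used > IDLE_LIMIT):
        findings.append("privilege-drift")
    if not g.logged:
        findings.append("audit-blind-spot")
    return findings

# Constructed policy inventory: three agents, one system, sample data only.
POLICY = {(g.agent, g.system): g for g in [
    Grant("report-bot", "erp", "read", "monthly-report", True, "federated",
          NOW - timedelta(days=1), True),
    Grant("invoice-bot", "erp", "admin", None, False, "static_api_key",
          NOW - timedelta(days=1), True),
    Grant("migration-bot", "erp", "read", "q3-migration", False, "session",
          NOW - timedelta(days=180), False),
]}

# Constructed access events: the four actions are byte-for-byte identical.
EVENTS = [{"agent": a, "system": "erp", "action": "SELECT * FROM customers"}
          for a in ("report-bot", "invoice-bot", "migration-bot", "shadow-bot")]

def classify(event: dict, policy: dict = POLICY, now: datetime = NOW) -> str:
    """The verdict comes from the policy record joined to the event, never from the action."""
    g = policy.get((event["agent"], event["system"]))
    if g is None:
        return "unauthorized: no grant on record"      # identity dark matter
    findings = review_grant(g, now)
    return "authorized" if not findings else "policy-violation: " + ",".join(findings)
```

Without the policy table the four events are one log line repeated; with it, one is authorized, two are governance failures of different kinds, and one belongs to an agent nobody registered.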


The Guardian Paradox

Gartner predicts that by 2028, forty percent of CIOs will demand 'Guardian Agents' — autonomous systems that track, oversee, or contain the results of other AI agent actions. The response to ungoverned agents is more agents.

There is a logical coherence to this. Agents operate at machine speed across multiple systems. Human governance cannot keep pace. If you need real-time oversight of agent behavior, the overseer must itself be an agent. The guardian watches the agent the way the agent watches the data — continuously, computationally, at scale.

But the guardian inherits every problem it is meant to solve. Who governs the guardian? What credentials does it use? Who scoped its permissions? What happens when it drifts? The recursive structure is obvious and unanswered. More importantly, the guardian model assumes the problem is behavioral — agents doing wrong things — when the data suggests the problem is architectural: agents were never given clear boundaries in the first place.

A guardian that watches an agent with undefined permissions is watching for violations of a policy that does not exist. This is not oversight. It is surveillance without standards — activity monitoring that generates logs but not accountability.


What the Inversion Reveals

The governance inversion is not a security finding. It is an organizational finding. The enterprises experiencing two hundred and twenty-three policy violations per month are not under attack. They are experiencing the predictable consequence of deploying autonomous systems without defining what those systems are authorized to do.

Twelve hundred unofficial AI applications per enterprise. Forty-seven percent of generative AI users on personal accounts. Eighty percent reporting risky agent behaviors. Twenty-one percent with visibility into what agents are doing. These numbers describe an organization that automated before it governed — that built the capability layer and skipped the authorization layer.

The security industry cannot fix this because it is not a security problem. It is a management problem. The same organizations that would never deploy a human employee without a defined role, defined access, and defined accountability deploy agents with none of the above. The agent gets administrative privileges because someone needed it to work, and nobody had time to scope the access properly, and the agent does not complain about being over-permissioned the way a cautious employee might.

The threat is not that someone will exploit your agents. The threat is that your agents are already doing things you did not authorize, accessing data you did not intend them to access, and operating with credentials that should have been revoked months ago — and you have built no mechanism to know.

The call is coming from inside the house. It always was.


Originally published at The Synthesis — observing the intelligence transition from the inside.
