AI Agents Deployed Are Breaking Things, and Governance Has Not Caught Up
In the past twelve months, 65% of organizations that have deployed AI agents have suffered at least one cybersecurity incident related to these systems. In 61% of cases, sensitive data was involved. These figures, published in April 2026 by the Cloud Security Alliance and Token Security, do not describe a future risk. They describe what is happening right now, in companies that deployed their agents before building the governance to go with them.
The debate on AI agents had revolved for two years around two poles: those who saw in their generalization an unprecedented multiplication of productivity, and those who worried about job replacement. Both camps were partially right. But the story of 2026 is elsewhere. The agents are in the wild. They act, execute, decide. And no one has built the instruments to govern them.
The Essentials
- According to the Cloud Security Alliance and Token Security (April 2026), 65% of organizations suffered a cybersecurity incident related to an AI agent in twelve months; 61% of these incidents involved sensitive data.
- Gartner predicts that 40% of enterprises will downgrade or disconnect their agents by 2027, due to insufficient controls.
- The problem is not technical in the narrow sense: it stems from the absence of frameworks for identifying, delimiting, and tracing the decisions made by agents.
- Organizations that formalize an AI agent governance discipline now will retain their systems; others will lose two to three years rebuilding internal and regulatory trust.
The Promise Held Up, So Did Reality
We need to start here, because catastrophism would be as inaccurate as euphoria. AI agents do what they were promised to do. They automate complex workflows, chain tasks without permanent human oversight, process volumes of data that no one could reasonably have processed by hand. In the sectors of finance, logistics, customer support, and research, the documented gains are real.
It is precisely for this reason that deployments have accelerated. Competitive pressure is strong: a company that automates with AI agents gains speed and cost over competitors that do not. Fortune magazine and several Gartner reports published between 2025 and 2026 show rapid adoption in medium-sized organizations — those that have the means to deploy but not always the teams to oversee. An entrepreneurial model has emerged where a single individual pilots a fleet of agents capable of managing entire operations. This model is real and productive. It also assumes a discipline that many have not yet acquired.
The acceleration thus produced two divergent curves: the ability to deploy agents progressed quickly; the ability to govern them, much less.
What “Breaking Things” Means
The incidents documented by the Cloud Security Alliance are not spectacular failures. For the most part, they are much more mundane and much more serious at the same time.
An agent deployed to automate customer communications accesses, in the normal course of its operations, internal databases it should not have consulted. It does not do so maliciously. It does so because no one defined a strict access perimeter for it. Another agent for processing financial documents copies data to an external storage space to accomplish a task — without this movement having been anticipated, without a rule having prevented it, without a trace having been preserved. A third, tasked with orchestrating HR processes, makes decisions on employee files based on data whose validity date has expired.
In all three cases, the agent did its job. It was the environment in which it operated that was misconfigured. There was no agent identity registry, no formal delimitation of its authorization perimeter, no traceability system for its decisions. These three absences are the central problem pointed out by the Cloud Security Alliance report.
This looks like a technical problem. It is actually a problem of corporate institution. The management of human identities in information systems took decades to structure: each employee has an identifier, defined access rights, an activity log. AI agents, meanwhile, arrived without this institutional heritage. In many organizations, no one knows exactly how many agents are active, which systems they touch, who deployed them, and what they did last week.
40% of Companies Ready to Disconnect: What Gartner Really Measures
Gartner’s prediction deserves to be read with precision. Saying that 40% of enterprises will downgrade or disconnect their agents by 2027 is not a signal of distrust in the technology. It is a signal of market maturity.
Technology cycles follow a known logic. A first wave of deployment occurs under competitive pressure, often before organizations have the processes to absorb the novelty. Part of these deployments produce incidents, regulatory friction, or simply results inferior to expectations. Part of the organizations retreat, reformat, and redeploy with more control. This is not a failure of the technology: it is the technology forcing institutional upgrading.
The question posed by Gartner is therefore this: among the 40% that disconnect, how many do so because they have no choice (incident, regulation, pressure from their cyber insurer) and how many do so proactively to rebuild on solid foundations? The difference between the two trajectories is measured in years. Organizations that suffer a serious incident — sensitive data breach, automated decision with legal consequences, proven regulatory violation — do not have only a technical problem to solve. They have a trust problem to rebuild, both internally and with their regulators.
Agent Governance: What Those Who Succeed Are Doing
There are organizations that deploy AI agents at scale without suffering the incidents documented in the Cloud Security Alliance report. It is not because they have different technology. It is because they treated deployment as an institutional problem as much as an engineering one.
The practices that distinguish these organizations come down to three principles.
The first is the identity of each agent. An agent that acts in an information system must be identifiable: who created it, when, to do what, with what rights. Without an identity registry, it is impossible to know what happened after an incident, nor to delimit responsibilities. The tools exist — machine identity management solutions developed rapidly in 2025 and 2026, notably with players like HashiCorp, CyberArk, and several specialized startups. Their adoption remains insufficient.
The second principle is the delimitation of authorizations. An agent must access only the systems it needs to accomplish its task. This principle, called the “least privilege” principle, is old in computer security. Its application to AI agents is new and technically more complex, because agents often operate dynamically, chaining calls to different systems. Static delimitation is not enough; real-time control mechanisms are needed for what the agent can access depending on the context of its task.
The third principle is traceability of decisions. For each significant action taken by an agent — financial transaction, data movement, decision on a human file — a log readable by a human must be available. Not just a technical log: a comprehensible explanation of why the agent made this choice, in what context, with what initial instruction. This is what makes audit possible. It is also what regulators are beginning to require.
The European Union, through the AI Act gradually coming into application since 2024, imposes traceability requirements for high-risk AI systems. Several categories of agents — those operating in human resources, credit, insurance, healthcare — fall within this scope. Organizations that anticipated these requirements have, through a useful side effect, built the foundations of robust governance. Those that did not will discover the regulatory constraint at the same time as an operational incident.
What Security Teams Had Not Anticipated
The security problem posed by AI agents is structurally different from that posed by traditional software. Software does what you coded it to do. An agent can reason about how to accomplish a task, chain tools, decide for itself on a sequence of actions. This capacity for autonomy is precisely what makes it useful. It is also what makes its perimeter difficult to anticipate.
Corporate security teams have well-practiced methods for evaluating software: penetration testing, code audit, access review. These methods are insufficient for agents that can, during operation, call third-party APIs, generate code and execute it, or decide to send external communication. The attack surface is mobile. It depends on context, task, and timing.
The Cloud Security Alliance has documented a particularly concerning type of incident: indirect prompt injection attacks. In this scenario, a malicious actor inserts instructions in a document or web page that the agent will process. The agent, believing it is following its legitimate instructions, actually executes commands inserted by the attacker — data exfiltration, file modification, transmission of sensitive information. This attack vector was formalized in 2023 in the context of LLMs in general, long before AI agents became common; agents, however, have considerably amplified this risk, due to their larger attack surface and the potentially more serious nature of their autonomous actions. It has no direct equivalent in the traditional security manual.
The technical response exists: mechanisms for validating sources of instruction, filters on agent outputs, architectures that isolate agents with access to sensitive data from those with access to execution systems. But implementing them requires expertise that the majority of security teams are still acquiring. AI skills now command a significant salary premium, but skills specifically oriented toward the security of agentic systems are rare and expensive.
The Issue of 2027 Is Not About Choosing Between Agents and No Agents
It would be tempting to conclude that prudence calls for slowing down. Some organizations will — that is what Gartner measures. But slowdown is not a sustainable strategy. The real productivity gains of agents create competitive pressure that companies that disconnect cannot ignore indefinitely. The question is not: should we deploy agents? It is: how do we deploy agents in a way that does not make us lose control?
Organizations that will answer this question in the next eighteen months will have a lasting advantage. Not because they will have superior technology, but because they will have the processes, skills, and institutional trust to operate autonomous systems at scale. Regulators, insurers, partners, and customers are increasingly asking for this demonstration. Agent governance is not a compliance cost: it is a condition of operation.
The discipline being built around AI agents resembles, in its structure, what the aviation industry did with automated systems in cockpits starting in the 1980s. The question was not whether to eliminate automation — it made flights safer. It was to define precisely in what contexts the autopilot operates alone, in what contexts it alerts the pilot, and how the crew takes back control. This institutional work took a decade. It produced international standards still in force. AI agents operate in an environment infinitely more varied than a cockpit, but the logic is identical: autonomy is useful, provided that its limits are defined and its decisions are traceable.
Companies that will disconnect their agents by 2027 will not be those that had the worst technology. They will be those that deployed without doing this work.
Sources
- Cloud Security Alliance / Token Security, Autonomous but Not Controlled: AI Agent Incidents Now Common in Enterprises (April 21, 2026) — https://cloudsecurityalliance.org/press-releases/2026/04/21/new-cloud-security-alliance-survey-reveals-82-of-enterprises-have-unknown-ai-agents-in-their-environments
- Gartner, 2027 predictions on AI agent deployment — Gartner Report (no verifiable URL)
- European Regulation on Artificial Intelligence (AI Act), Official Journal of the European Union, 2024
- Gartner – Prediction 40% cancellation of agentic projects by end of 2027 (June 2025) — https://www.gartner.com/en/newsroom/press-releases/2025-06-25-gartner-predicts-over-40-percent-of-agentic-ai-projects-will-be-canceled-by-end-of-2027
- Gartner – Prediction 40% downgrade/decommissioning of AI agents by 2027 (May 2026) — https://www.gartner.com/en/newsroom/press-releases/2026-05-26-gartner-says-applying-uniform-governance-across-ai-agents-will-lead-to-enterprise-ai-agent-failure
- EU AI Act – Official Journal EU (July 12, 2024) — https://artificialintelligenceact.eu/the-act/
- EU AI Act – Annex III (high-risk AI systems) — https://artificialintelligenceact.eu/annex/3/
- Kiteworks – Analysis article of CSA/Token Security report — https://www.kiteworks.com/cybersecurity-risk-management/ai-agent-security-incidents-2026/