aiPublished on July 17, 20267 min read

AI Agent Security: 54% of Companies Have Already Suffered Incidents, Study Reveals

Study of 107 companies reveals that 54% have already had security incidents with AI agents, while most continue to share credentials among autonomous agents.

Segurança IAAgentes AutónomosCibersegurançaTransformação DigitalGestão de RiscoGovernação de TI
AI Agent Security: 54% of Companies Have Already Suffered Incidents, Study Reveals
Bitclever AI Research
Author: Bitclever AI Research ## Executive Summary A new study by VentureBeat Pulse Research, conducted among 107 companies, reveals a concerning gap between the autonomy granted to Artificial Intelligence agents and the security controls implemented to contain them. More than half of organisations (54%) have already suffered a confirmed security incident or a near-miss involving AI agents, while fundamental practices such as individualised identity management and isolation of high-risk agents remain largely unimplemented. ## What Happened The research, conducted by VentureBeat through its Pulse Research series, surveyed 107 companies with more than 100 employees on security practices related to autonomous AI agents. The results expose what the study's authors call the "agent security gap" — the distance between the level of autonomy granted to AI agents and the identity, isolation and policy enforcement mechanisms needed to keep them under control. The numbers are telling: 18% of companies confirmed having already suffered a security incident related to AI agents, and a further 36% reported having narrowly avoided one (a near-miss). In total, more than half of the surveyed organisations (54%) have already faced some kind of adverse security event involving these systems. The root of the problem lies in identity management. Only 32% of companies assign each agent its own scoped, individually managed identity. The rest report that some agents share credentials with one another, or that most operate using shared API keys and human or service account credentials. This sharing of credentials means that if a single agent is compromised or granted excessive permissions, the potential blast radius is significantly widened. Isolation also falls short of what is needed: only three in ten companies (30%) sandbox their highest-risk agents, an essential measure for limiting damage in the event of anomalous behaviour or compromise. As for the technology stack in use, the study shows a heavy reliance on native solutions from model providers and major cloud platforms. OpenAI's guardrails lead with 51% adoption, followed by native controls from Google Cloud and Microsoft Azure, and managed controls from Anthropic. Specialised agent security solutions, developed by vendors dedicated to this niche, have only a residual presence in the market. Despite these structural gaps, companies' satisfaction with current tools is high — an average of 4.2 out of 5. However, investment in agent security still represents a small slice of the total security budget, only a third of companies believe their defences are ahead of attackers who are already using AI, and a clear majority plan to change their agent security tools within the next year. ## Why This Matters Autonomous AI agents represent a paradigm shift compared to traditional AI models: they don't just generate responses, they perform real actions — accessing systems, manipulating data, making decisions and interacting with other business applications without constant human oversight. This capacity for autonomous action is precisely what makes these systems valuable for business process automation, but it is also what exponentially expands the attack surface. The fact that more than half of companies have already faced an incident or near-miss demonstrates that this is not a theoretical or future risk — it is a present reality already affecting organisations. The combination of widespread credential sharing with a lack of isolation creates structural conditions for a single point of failure to rapidly escalate into a larger-scale security crisis. Equally significant is the mismatch between perceived satisfaction and the reality of the controls in place. Companies report high levels of confidence in the tools they use, even when these are generic solutions borrowed from model and cloud providers, and not specifically designed for the unique challenges posed by autonomous agents — such as the need for individualised identity, granular permission control, and containment of emergent behaviours. This pattern is historically common in the early stages of disruptive technology adoption: the speed of implementation outpaces the maturity of governance and security mechanisms. The difference here is that AI agents already have direct, autonomous access to critical business systems, which drastically reduces the tolerable margin for error. ## Business Impact For organisations that have already deployed or are planning to deploy autonomous AI agents, this study raises practical and urgent questions that must be addressed at the level of IT governance and security strategy: **Identity and access management** — The absence of individualised identities for each agent undermines the ability to audit, trace and hold accountable specific actions. Companies operating multiple agents with shared credentials face greater difficulty identifying the source of anomalous behaviour or security breaches. **Risk containment** — The lack of sandboxing for higher-risk agents means that a compromise can more easily spread laterally across the enterprise infrastructure. This is particularly critical for agents with access to sensitive data, financial systems, or critical infrastructure. **Reliance on external vendors** — Widespread trust in native controls from model and cloud providers can create a false sense of security. These solutions are often generic and do not account for the specific risks of each organisation's business context. **Budget misaligned with risk** — The fact that investment in agent security remains low, despite the high incident rate, suggests that many organisations have not yet recalibrated their budget priorities in light of the new operational reality introduced by autonomous agents. **Need for imminent change** — With most companies planning to change their security tools within a year, there is a window of opportunity for organisations to critically reassess their security architecture before further scaling their adoption of agents. ## Bitclever Perspective At Bitclever, we closely follow the evolution of enterprise adoption of AI and automation, and this study confirms trends we have observed among clients exploring autonomous agent solutions and advanced RPA. The transition from passive AI systems (which respond to requests) to active agents (which perform actions autonomously) requires a fundamental rethink of the approach to security and IT governance. Our experience in enterprise automation projects, including implementations on Low-Code platforms such as OutSystems and Appian, teaches us that security and governance cannot be treated as an afterthought — they must be built in from the design phase of the automation architecture. This applies even more critically when we are talking about AI agents with the capacity for autonomous action over enterprise systems. We recommend that organisations evaluating or already deploying AI agents consider the following practical steps: conduct a complete inventory of active agents and their associated permissions; implement individualised identities and least-privilege access policies; establish isolation mechanisms for agents with access to sensitive data or systems; and create continuous audit processes that allow anomalous behaviour to be detected before it escalates into an incident. Bitclever positions itself as a strategic partner in this maturation process, helping organisations design automation and AI architectures that balance innovation with risk control — ensuring that the productivity gains delivered by autonomous agents are not undermined by avoidable security gaps. ## Conclusion The VentureBeat Pulse Research study makes clear that the adoption of autonomous AI agents is advancing faster than organisations' ability to adequately protect them. With more than half of companies already facing incidents or near-misses, and fundamental security practices — such as individualised identity and isolation — still far from universal, now is the time for IT leadership to critically reassess their agent security strategies. Organisations that invest now in robust, purpose-built controls for agents will be better positioned to capture the benefits of autonomous automation without exposing the business to disproportionate risk.