The AI agent rollout is happening faster than most companies can govern it. A new report released yesterday by Cybersecurity Insiders, conducted in partnership with identity security firm Saviynt, puts a hard number on something many business leaders already suspect: 92% of organizations lack full visibility into the AI identities operating inside their own systems.
That’s not a slight gap. That’s a near-total blind spot across the enterprise.
What the Research Found
The report surveyed senior security and IT leaders and found a picture that should concern anyone deploying AI agents in their business right now:
- 92% of respondents lack full visibility into AI identities operating in their environments
- 95% doubt their ability to detect or contain misuse if it were to occur
- 71% of CISOs confirmed AI tools have direct access to core business systems like Salesforce and SAP
- Only 16% say that access is governed effectively
- 75% have already found unsanctioned AI tools running inside their organization
- 86% do not enforce formal access policies for AI identities at all
- Only 5% feel confident they could contain a compromised AI agent
These aren’t niche edge cases. This is the baseline state of AI governance in most mid-to-large enterprises right now.
The Shadow AI Problem Is Getting Worse
One of the most striking findings is how pervasive shadow AI has become. Three in four organizations have already discovered AI tools running that IT didn’t formally approve or track. This mirrors the shadow IT problem from a decade ago — employees bringing in their own software — but with a new dimension: these tools don’t just process data, they act on it autonomously.
An unsanctioned AI agent with access to a CRM or an internal knowledge base is a fundamentally different risk from a random SaaS tool that stores files. Agents can make decisions, send communications, and trigger workflows without a human in the loop. When you can’t see them, you can’t manage what they do.
Why Governance Lags Behind Adoption
The speed of AI adoption is the core tension here. Platforms like Microsoft 365 Copilot, Salesforce Agentforce, and dozens of vertical AI tools are being rolled out at the business unit level, often ahead of any formal security review. Each one introduces new machine identities into the environment — and those identities rarely get the same scrutiny as a new human employee.
The Saviynt and Cybersecurity Insiders research frames this as a non-human identity (NHI) problem. Traditional identity and access management (IAM) systems were built for humans with assigned roles and regular reviews. AI agents don’t fit that model. They’re created dynamically, they operate across multiple systems simultaneously, and their “blast radius” — how much damage a compromised agent could do — is often unclear.
Only 24% of the organizations surveyed had full visibility into which AI agents were communicating with each other. More than half of all agents were running without any security oversight or logging at all.
What This Means for Business
If you’re deploying AI agents in your business — even just a handful — this research should be a prompt to audit what you have running right now.
A few practical questions worth answering:
What agents are active? Not just the ones IT approved, but the ones employees set up through third-party platforms. You probably have more than you think.
What do they have access to? An agent that can read your email, query your CRM, and post to Slack has significant reach. That reach needs to be intentional and documented.
What happens if one goes wrong? A compromised agent, a misconfigured tool, or a prompt injection attack could trigger downstream actions that are hard to reverse. Do you have a containment plan?
Who owns governance? In most companies right now, the answer is no one has clear ownership. That’s the default — and it’s a risk position, not a strategy.
The businesses that come out ahead in the AI agent era won’t be the ones who moved fastest. They’ll be the ones who moved fast enough and built governance that scaled with their deployment. Right now, the gap between adoption and governance is wide open.
Getting professional guidance on how to deploy AI agents responsibly is no longer a nice-to-have. Based on these numbers, for most organizations, it’s the most urgent item on the list.
If you’re deciding where to start with agents, start here. The free Working With Claude field guide walks through the ecosystem, Claude Code, and a real rollout plan. Get your copy.
Free Resource
Going deeper with Claude?
Get the free 32-page implementation guide for ANZ teams.
Your guide is ready
Check your downloads folder. If it did not open automatically, use the button below.
Download the Guide