Enterprise DNA

Omni by Enterprise DNA

Enterprise DNA Resources

Latest AI and industry news. Practical AI operating-system thinking for owners, operators, and teams doing real work.

220k+

Data professionals

Omni

AI agents and apps

Audit

Map the manual work

News Trending Industry

44% of Enterprise AI Agents Are Invisible to Security Teams

New survey of 200 CISOs: security teams can see only 44% of AI agents employees build, while business users now outnumber developers 10 to 1.

Enterprise DNA | | via Nokod Security / PR Newswire
44% of Enterprise AI Agents Are Invisible to Security Teams

A new survey of 200 enterprise CISOs published today by security firm Nokod paints a striking picture of how fast employee-built AI has outpaced the people responsible for keeping it safe.

Security teams can see only 44% of the apps, agents, and automations their own business users have built. That means for every two AI tools running inside a company, one is completely invisible to the security function.

The report, titled “The Invisible Enterprise AI Jungle,” captures what happens when tools like Microsoft Copilot Studio, ServiceNow, Power Automate, and UiPath reach every corner of an organisation — not just the engineering team.

Shadow Engineering Is the New Shadow IT

A decade ago, the concern was employees using consumer cloud tools without IT approval. Today’s problem is an order of magnitude larger. Business users are no longer just storing files in Dropbox. They are building autonomous agents that query databases, process customer records, and trigger financial workflows — without a line of professional code written and without a security team aware it’s happening.

Nokod’s data shows business users now outnumber professional developers by as much as 10 to 1 in many enterprises. More than 50% of CISOs surveyed agreed that these citizen-built applications are running business-critical processes and have access to sensitive company and customer data.

That is a meaningful shift. The agents being built are not hobby projects — they are load-bearing infrastructure.

The Governance Paradox

What makes the findings particularly telling is the gap between intention and reality. 90% of enterprises say they are actively working to standardise AI tool security. But 80% of security teams admit they lack full visibility into the agents actually running their core business. You cannot govern what you cannot see.

The budget side tells a similar story. 67% of organisations already allocate specific budget to securing business-built applications and AI agents — and 15% budget growth in this area is expected over the coming year. Investment is tracking upward, but implementation is lagging.

90% of security leaders say they plan to have governance policies for citizen development in place by the end of 2026. That is encouraging, but the clock is ticking. In the meantime, AI agents are being deployed, learning, and making decisions.

Why This Matters Now

This is not a theoretical risk. Every AI agent built by a business user represents a potential data pathway, a permission set, an external API call, or a decision being made at scale — all outside the normal review and audit process that enterprise IT has spent years building.

The broader enterprise AI market is accelerating this problem. As AI tools become easier to use and more capable, the gap between what business users can build and what security teams can monitor will only widen. The tools are ahead of the governance, and the survey suggests most organisations know it.

What the Nokod data captures is not a technology problem. It is an organisational one: the people building AI agents and the people responsible for enterprise risk are operating in separate worlds.

What This Means for Business

If you run a business that has deployed productivity tools with AI capabilities — and at this point, most enterprise software includes them — there is a reasonable chance agents are running in your organisation that nobody has formally reviewed. Not because anyone was negligent, but because the tools make building so easy that the build happens faster than any governance process can track it.

Three things worth doing immediately:

Run a discovery audit. Most of the platforms flagged in the Nokod report — Copilot Studio, Power Automate, ServiceNow, UiPath — have audit logs and admin visibility tools. Pull them. Know what is running.

Establish a lightweight approval process for AI agents. This does not need to be a bureaucratic wall. A simple review checklist covering data access, external integrations, and use of sensitive records can catch the highest-risk deployments before they become problems.

Match your AI training investment with governance literacy. If you are upskilling employees to build with AI tools — which is the right call — pair that with clear guidelines on what they can connect those tools to and what needs a review before going live.

The productivity gains from citizen-built AI are real. The risk from ungoverned AI agents is equally real. The enterprises that figure out how to run both in parallel — enablement alongside oversight — will be the ones that scale AI without the security incidents that follow unmanaged growth.

At Enterprise DNA, this is exactly the type of challenge the Omni Advisory service exists to address. Helping business leaders build the right frameworks around AI deployment — not just the tools, but the governance, data literacy, and organisational readiness that makes AI trustworthy at scale.

Working With Claude field guide cover

Free Resource

Going deeper with Claude?

Get the free 32-page implementation guide for ANZ teams.

No spam. Unsubscribe any time.