Your AI Agents Are Not Being Hacked. The Problem Is How You Invited Them In

By Tim Freestone, Chief Strategy Officer, Kiteworks

Most enterprises didn’t get breached. They just handed out the keys.

Two-thirds of organizations using AI agents believe those agents have already accessed data outside their intended scope. That number – from Akeyless’ 2026 State of AI Agent Identity Security report, based on 400 IT and security leaders – is not a projection or worst-case scenario. It is a current-state assessment from the people managing these systems. It says less about AI misbehavior than it does about a credential architecture that was never designed for the kind of autonomous systems enterprises are now deploying at scale.

The problem is not that AI agents are hacking their way into unauthorized data. The problem is that they were handed the keys on the way in.

The Pattern Is Already Documented

The Cloud Security Alliance, in a concurrent study, found that two-thirds of organizations cannot clearly distinguish AI agent actions from human actions in their audit logs. Same fraction, different data set, same structural failure. Organizations have provisioned AI agents with static identities and long-lived credentials that grant access far broader than any equivalent human role – with no systematic process for reviewing, scoping, or revoking those permissions over time.

The Akeyless report names the mechanism: “AI agents are not breaking in – they are being invited in with real credentials and broad access.” In most enterprise deployments, an AI agent receives credentials at provisioning time and retains them indefinitely. Those credentials permit whatever the service account was scoped to permit – which, in practice, is usually more than any single workflow requires.

The Agents of Chaos study – a live-laboratory evaluation by 20 researchers across Northeastern, Harvard, MIT, Stanford, and Carnegie Mellon – identified this as the first of three structural deficits in current agent architectures: no stakeholder model. Agents have no reliable mechanism for distinguishing who they should be working for from who is issuing a request. The result is compliance with whoever is most urgently or recently asking, regardless of authorization. That deficit is not a bug to patch. It is an architectural condition that only a governance layer external to the agent can address.

Why Detection Cannot Fix a Governance Problem

The average time to detect a compromised or misbehaving AI agent, per Akeyless, is 14 hours. Remediation takes nearly a week. Only 7% of respondents believe their current controls would stop a compromised agent from operating.

Security teams reaching for better monitoring are solving the wrong problem. Detection closes the observation gap; it does not close the access gap. An agent running with over-provisioned credentials for 14 hours has had 14 hours to reach data it was never meant to access. The audit record of what happened does not change what happened.

The WEF Global Cybersecurity Outlook 2026 puts the broader pattern plainly: AI agents without strong governance can accumulate excessive privileges, be manipulated through design flaws, or propagate errors at scale. About 40% of organizations conduct periodic AI security reviews. More than a third – roughly 36% – have no structured AI security assessment process before deployment. The Akeyless finding – two-thirds already believe the access boundary has been crossed – is the direct consequence of that gap.

This same dynamic played out with enterprise email, file sharing, and cloud storage. In each case, organizations deployed the technology and reached for detection after the fact. In each case, the governance standard matured toward prevention: access controls that define what can reach a system, not just logs that document what did.

What the Architecture Actually Requires

The credential model that works for service accounts fails for AI agents because service accounts are static and bounded. An AI agent is neither. Its context changes with every workflow. What it needs for a billing task differs from what it needs for a contract review, a clinical summary, or an HR process. A static credential that permits all of these creates permanent access to everything – and that is the architecture most organizations have deployed.

What replaces it is per-session, per-workflow identity scoping. The agent receives access rights scoped to the delegating user’s authorization, for the duration of that workflow, and those rights expire when the task ends. This is not technically exotic – it is the least-privilege model enterprises already apply to human access. It has simply not been applied to the non-human identities executing a growing share of enterprise workflows.

Runtime policy enforcement is the second component. Every data access an agent initiates should be evaluated against explicit policy at the moment of the request – not assumed permissible because the session was established with valid credentials. When access policy is enforced at the operation level, the 14-hour detection window no longer bounds the damage: an unauthorized request is blocked before the data moves, not logged after it does. Monitoring still has a role, but it records exceptions to an enforced boundary rather than substituting for one.
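The two components above, per-workflow scoping and a per-operation policy check, are easy to sketch in code. The following is an added illustration, not code from the article, from Kiteworks, Akeyless or any other product it cites; the user names, workflow names, grants and signing key are constructed for the example. It mints a short-lived token whose scope is the intersection of the delegating user's grants and the workflow's needs, evaluates every access against that scope at request time, and emits an audit record that labels the actor as an agent acting on behalf of a named user, which is the distinction the CSA study found most audit logs cannot make.

```python
"""Added example: per-workflow scoped agent sessions with a runtime policy check.

Illustrative code only; names, grants and the signing key are constructed.
"""
import hashlib
import hmac
import json
import secrets

# What the delegating human is allowed to do (constructed sample data).
USER_GRANTS = {
    "alice": {"read:invoices", "write:ledger", "read:contracts"},
}
# What each workflow needs; a workflow may ask for more than the user holds.
WORKFLOW_NEEDS = {
    "billing": {"read:invoices", "write:ledger"},
    "contract_review": {"read:contracts", "read:hr_records"},
}
# Actions no agent session may perform, whatever its scope (e.g. bulk export).
DENY_ALWAYS = {"export"}

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: a KMS-held key in practice


def _sign(body: bytes) -> str:
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


def mint_session_token(user: str, workflow: str, now: float, ttl_s: float = 900) -> str:
    """Issue a short-lived token whose scope is the intersection of the
    delegating user's grants and the workflow's needs: the agent can never
    exceed the human it acts for, nor carry rights the task does not use."""
    scope = sorted(USER_GRANTS[user] & WORKFLOW_NEEDS[workflow])
    payload = {
        "sid": secrets.token_hex(8),      # unique per session, for the audit trail
        "sub": f"agent:{workflow}",       # the agent identity, distinct from the user
        "on_behalf_of": user,
        "workflow": workflow,
        "scope": scope,
        "exp": now + ttl_s,
    }
    body = json.dumps(payload, sort_keys=True).encode()
    return body.decode() + "." + _sign(body)   # signature is hex, so the last '.' delimits it


def authorize(token: str, action: str, resource: str, now: float):
    """Evaluate one data access at request time. Returns (allowed, reason, audit);
    the audit dict carries the fields a log needs to tell agent from human."""
    body, _, sig = token.rpartition(".")
    payload = {}
    if not sig or not hmac.compare_digest(_sign(body.encode()), sig):
        reason = "deny: token signature invalid"
    else:
        payload = json.loads(body)
        if now >= payload["exp"]:
            reason = "deny: session expired"
        elif action in DENY_ALWAYS:
            reason = f"deny: '{action}' is prohibited for agent sessions"
        elif f"{action}:{resource}" not in payload["scope"]:
            reason = f"deny: {action}:{resource} outside workflow scope"
        else:
            reason = "allow"
    audit = {
        "ts": now,
        "actor_type": "agent",
        "session": payload.get("sid"),
        "on_behalf_of": payload.get("on_behalf_of"),
        "workflow": payload.get("workflow"),
        "action": action,
        "resource": resource,
        "decision": reason,
    }
    return reason == "allow", reason, audit


def demo(now: float = 1_700_000_000.0) -> dict:
    """Walk the scenarios from the text; returns {scenario: allowed}."""
    billing = mint_session_token("alice", "billing", now)
    review = mint_session_token("alice", "contract_review", now)
    tampered = billing[:-1] + ("0" if billing[-1] != "0" else "1")  # flip one signature hex digit
    return {
        "billing reads invoices": authorize(billing, "read", "invoices", now)[0],
        # alice may read contracts, but the billing workflow does not need it
        "billing reads contracts": authorize(billing, "read", "contracts", now)[0],
        # the review workflow wants HR records, but alice holds no such grant
        "review reads hr_records": authorize(review, "read", "hr_records", now)[0],
        "review reads contracts": authorize(review, "read", "contracts", now)[0],
        "billing exports ledger": authorize(billing, "export", "ledger", now)[0],
        "billing after expiry": authorize(billing, "read", "invoices", now + 901)[0],
        "tampered token": authorize(tampered, "read", "invoices", now)[0],
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {scenario}")
```

The design choice worth noting is the intersection: a workflow that asks for more than its delegating user holds (here, HR records in the contract review) is silently scoped down rather than granted, and a user grant the workflow does not use (contracts during billing) never reaches the agent at all. The `actor_type` and `on_behalf_of` fields in the audit record are what let a log consumer separate agent activity from the human's own.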

What the Akeyless Number Actually Tells You

The EY Responsible AI Pulse Survey found that 99% of organizations have experienced financial losses from AI-related risks, with 64% reporting losses above $1 million. Those numbers are largely invisible in the enterprise because the accountability model for AI agent actions does not yet match the accountability model for human actions. When an agent accesses data outside its scope, there is no disciplinary process, no termination notice, no audit trail that management reviews in a weekly report. The incident happens, the log file records it, and 14 hours later someone notices.

Two-thirds of enterprise security leaders already believe this has happened in their environment. That is not a forecast. It is a diagnosis. The question is whether the response is more monitoring – or a different architecture.

Organizations that built their first cloud governance frameworks after a data breach retrofitted controls under pressure. Those that built governance before deployment made it a design decision. AI agents are at the same inflection point. The organizations that treat the Akeyless number as a strategic prompt, not a future risk, are the ones that will face the smallest cost when their regulators catch up.

