AI agents are growing faster than enterprise oversight

The average enterprise today has dozens of AI agents deployed across its environment. Most of them have never gone through a formal security review.

According to Gravitee's 2026 survey, only 24.4% of organizations have full visibility into which agents are interacting with each other. More than half of all agents operate without comprehensive logging or security oversight.

At the same time, 82% of executives believe their existing policies protect against unauthorized agent actions.

This is not a problem of malicious intent. It is a problem of speed. Product and engineering teams are deploying agents faster than security teams can inventory them. Each agent connects to tools, MCP servers, and external APIs that may never have gone through a centralized approval process. Agents operate at machine speed, have access to critical systems and data, and often receive so little oversight that it would be unacceptable for any human employee.

We are seeing this firsthand. Across the organizations we work with, engineering and product teams are shipping AI agents on timelines that simply do not leave room for a security review. In many cases, the agents already in production were configured by individuals who are no longer responsible for them, connected to systems that were never formally approved, and operating with permissions no one has revisited since day one. The inventory problem is not hypothetical — it is what we encounter every time we begin working with a new customer.

Consider a common scenario: a law firm deploys an agent to support due diligence. The agent processes documents, queries internal databases, and writes to shared storage. A month later, the firm discovers that the agent has been operating with the permissions of a senior partner simply because that person configured it, and no one restricted its access. No breach occurred. No alert was triggered. Nobody realized it was happening.

Many organizations acknowledge that their AI governance programs remain insufficient. Data boundaries are unclear, guardrails are inconsistent, and accountability is often poorly defined.

A major milestone for the EU AI Act arrives on August 2, 2026, when most of its requirements become applicable across the European Union. Meanwhile, SOC 2 and GDPR audits are already beginning to examine how AI agents access systems and data. Regulation is not waiting for organizations to sort out their agent inventory.

Centralized agent management is not about slowing down innovation. It is about understanding what is running in your environment, what permissions it has, and on whose behalf it is acting. At Trace, centralized agent management is part of the agent governance platform: a unified control point for deployment, logging, and permission management across every AI agent in the organization.

The question is no longer whether to deploy AI agents. The question is whether you know what has already been deployed.