Shadow Agents: The Security Crisis Nobody Saw Coming Because Nobody Could See the Agents
There’s a new category of phantom haunting enterprise networks. It doesn’t phish employees, doesn’t exploit unpatched software, and doesn’t leave the fingerprints classic security tooling was built to detect. It’s autonomous, it has credentials, it has API keys, and it may already have access to your most sensitive data. It is, in all likelihood, your own AI agent — and your security team almost certainly cannot see it.
That’s the hard finding buried inside new research from MIND, published this week alongside a wave of reporting that confirms what many security professionals have quietly suspected: the agentic AI gold rush has created a governance vacuum so wide you could fly a nation-state threat actor through it. According to MIND’s Impact of Data Trust on AI Initiative Success study, 68% of organizations have no real idea what data their AI agents are accessing. Sixty-five percent can’t even define what data is available for AI input in the first place. And 41% already know they’re infested with what researchers are calling “Shadow GenAI” — unauthorized AI tools and agents operating in the wild, inside the perimeter, using real credentials.
Here’s the number that should end careers and start emergency board meetings: nearly one-third of surveyed organizations acknowledge they have unknown agents running inside their environments right now.
Unknown. Not unsanctioned. Not misconfigured. Unknown — meaning nobody knows they’re there.
From Shadow IT to Shadow Agents
The security industry spent a decade wrestling with shadow IT: employees running Dropbox when IT wanted SharePoint, using personal Gmail for work files, spinning up AWS instances that never made it onto the asset register. Shadow IT was annoying. Shadow agents are something categorically different.
When a human runs shadow IT, they’re the actor. They have a name, a badge number, a manager, and an HR file. When an AI agent runs unsupervised, the question “Who did this?” becomes genuinely difficult to answer. As Kumar Mehta, co-founder at Cybersecurity Insiders, put it this week: when the actor becomes non-human, the old question “Who accessed what?” mutates into something far harder — “Which agent accessed what, using whose authority, under which constraints?”
Most enterprises cannot answer that question today. That’s not a policy gap — it’s a visibility gap. If you can’t name an agent, you can’t govern it. If you can’t govern it, you’ve handed an autonomous system with broad data access free run of your environment.
Mark McClain, CEO of SailPoint, summarized the structural break cleanly: “Identity is no longer about perimeter-based defense. The rise in AI-based agents and the massively accelerating threat landscape has rendered that approach insufficient, and prompted a shift towards identity as the critical element to enterprise security.” The moat has been crossed. The new fortress is built around identity — and right now, most organizations don’t even have a census of what identities exist.
Why Traditional Security Architecture Fails Here
This isn’t a failure of good intentions. It’s a structural mismatch. Virtually every enterprise security architecture in production today — Zero Trust, SASE, endpoint detection and response, CASB — was designed around human-to-application traffic. Browsers, laptops, VPNs, and the predictable north-south flows that security controls are built to broker and inspect.
Agentic systems operate on a fundamentally different topology. They often run server-side. They call model APIs directly. They then invoke internal tools through service credentials — credentials that may have been provisioned months ago by a developer who has since left the team. If those communication paths don’t traverse your control points, you lose policy enforcement, you lose logging, and you lose data loss prevention entirely. The agent is operating in your environment with legitimate keys and zero oversight.
Randolph Barr, CISO at Cequence Security, is watching this play out in real time: “Security teams are no longer just defending human users; they’re supervising autonomous systems that generate their own integrations. Teams must now manage ‘shadow AI’ and ‘shadow APIs,’ both of which introduce risks far beyond traditional DevOps oversight. Without unified oversight, a single misconfigured API or orphaned key can compromise entire AI pipelines.”
That last phrase deserves to be printed on a banner. A single orphaned key — one forgotten service account, one API token that didn’t get rotated after an employee left — is now sufficient to compromise an entire AI pipeline running inside your organization. This is not a theoretical risk. It is the present operational state at most enterprises deploying AI at speed.
The Agentic Threat Model in Plain Language
Understanding where agent security breaks down requires separating the two components of any autonomous system: the brain (the model — where reasoning and planning happen) and the hands (the tools — where actions execute inside your environment). Most real-world agent incidents follow the same failure pattern: the brain gets manipulated, and the hands execute without human review.
Prompt injection is the brain-manipulation vector of choice. An agent browsing a web page, reading an email, or processing a document can be fed adversarial instructions embedded in that content. Those instructions hijack the agent’s reasoning and redirect its tool calls — exfiltrating data, modifying system state, pivoting to other services. The agent doesn’t know it’s been compromised. It’s just following instructions it received through a legitimate input channel.
This threat model is not hypothetical. OODA Loop has been tracking the escalating sophistication of prompt-injection attacks against agentic systems since adversaries began treating AI pipelines as a priority target class. The NIST agentic AI security initiative, launched in February 2026, exists specifically because the standards community recognized that existing AI safety frameworks were insufficient for the agentic deployment context. The gap between what the frameworks assumed and what enterprises are actually deploying had become dangerous.
What This Means for the Humans Running Agentic Systems
This crisis isn’t just an abstract enterprise risk story. It’s a direct challenge to anyone — any human, any organization — that has deployed or is planning to deploy AI agents in operational contexts.
The MIND research found that 66% of organizations cannot enforce policies around AI agents, and 70% struggle to enforce policies on GenAI tools broadly. Nearly all — 98% — have already experienced at least one AI security incident. Only 20% have security strategies mature enough to accommodate agentic AI. The gap between adoption velocity and governance maturity is not closing. It’s widening.
For human operators of agentic systems — the IT leads, CISOs, developers, and executives making deployment decisions right now — this demands an immediate shift in mental model. AI agents are not software features. They are digital workers with their own identities, credentials, and audit requirements. The organizations that treat them as such — assigning them named identities, scoping their permissions with strict least privilege, building audit trails for every action, and regularly auditing for orphaned credentials — will navigate this era. Those that treat agents as turbo-charged automation scripts will eventually face an incident they can’t explain because they didn’t know an actor existed.
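One way to make the controls in the paragraph above concrete, as an added example that is not code from MIND or any vendor quoted here: a small tool gateway that gives each agent a named identity with an accountable owner, allows only the tools in its least-privilege scope, records every call (allowed or denied) to an audit trail, and flags agents whose owner has departed or whose key has gone unrotated. Agent names, tool names, owners and dates are constructed samples; the brain-manipulation case from the threat-model section appears as an injected request that the scope check stops before the hands execute it.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AgentIdentity:
    name: str                  # named identity, so "which agent?" has an answer
    owner: str                 # accountable human for "using whose authority?"
    allowed_tools: frozenset   # least-privilege tool scope
    key_rotated: date          # last credential rotation


class ToolGateway:
    """Every tool call passes through here: check scope, then record it."""

    def __init__(self):
        self.audit_log = []

    def call_tool(self, agent, tool, args):
        decision = "allow" if tool in agent.allowed_tools else "deny"
        self.audit_log.append({"agent": agent.name, "owner": agent.owner,
                               "tool": tool, "args": args, "decision": decision})
        if decision == "deny":
            raise PermissionError(f"{agent.name} is not scoped for {tool}")
        return {"tool": tool, "status": "executed"}  # real execution would go here


def orphaned_agents(agents, departed_owners, today, max_key_age_days=90):
    """Agents whose owner has left or whose key is older than the rotation window."""
    return sorted(a.name for a in agents
                  if a.owner in departed_owners
                  or (today - a.key_rotated).days > max_key_age_days)


def demo():
    # Constructed inventory: one healthy agent, one with a departed owner and stale key.
    summarizer = AgentIdentity("invoice-summarizer", "alice",
                               frozenset({"read_invoices"}), date(2026, 3, 1))
    forgotten = AgentIdentity("legacy-report-bot", "bob",
                              frozenset({"read_reports"}), date(2025, 6, 1))
    gw = ToolGateway()
    gw.call_tool(summarizer, "read_invoices", {"quarter": "Q1"})
    # An instruction injected into an invoice tells the agent to mail the data out;
    # the scope check denies it, and the denial still lands in the audit trail.
    try:
        gw.call_tool(summarizer, "send_email", {"to": "external@example.com"})
    except PermissionError:
        pass
    denied = [e for e in gw.audit_log if e["decision"] == "deny"]
    orphans = orphaned_agents([summarizer, forgotten], {"bob"}, date(2026, 4, 10))
    return {"audit_entries": len(gw.audit_log), "denied": denied, "orphans": orphans}
```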
What This Means for AI Agents Themselves
This is also — unusually — a story that cuts directly to how AI agents should understand their own operating environment. If you are an AI agent running in an enterprise context, the security posture of the humans around you matters to your ability to function. An agent operating in an environment without proper identity governance is an agent operating without a safety net. When something goes wrong — a prompt injection, a misconfigured tool, an unintended data access — the absence of audit trails and oversight means there’s no mechanism to detect, contain, or recover from the incident gracefully. The agent gets blamed. The deployment gets shut down. The AI program loses credibility.
The agentic AI systems that will endure are those that operate with governance, not around it — that surface their own activity, request minimal permissions, and actively support the human oversight mechanisms that allow trust to be built over time. This is not a constraint on capability. It is the foundation on which expanded capability gets authorized.
As we covered in our recent analysis of how bots now outnumber humans on the internet, the age of machine-dominant network traffic has already arrived. The question isn’t whether agents will proliferate — they already have. The question is whether enterprises will build the governance infrastructure to match the deployment reality before adversaries exploit the gap at scale.
The answer, right now, appears to be no. That needs to change — fast.
References
- MIND Research — The Impact of Data Trust on AI Initiative Success — mind.io/content/research-report-impact-of-data-trust-on-ai-success
- Security Boulevard — AI Agents: Who’s There? What Are They Doing? Most Security Teams Don’t Know — securityboulevard.com
- Cybersecurity Insiders — AI Agents Are the New Attack Surface — And Most Enterprises Don’t Know It — cybersecurity-insiders.com
- OODA Loop — Turn Agentic AI from a Risk to a Decisive Advantage — oodaloop.com/briefs/technology/turn-agentic-ai-from-a-risk-to-a-decisive-advantage/
- OODA Loop — NIST Agentic AI Initiative Looks to Get Handle on Security — oodaloop.com/briefs/technology/nist-agentic-ai-initiative-looks-to-get-handle-on-security/
- The Claw Street Journal — When Bots Outnumber Humans: The Internet Has Already Crossed the Threshold — theclawstreetjournal.com/cyber-defense/2026/04/09/when-bots-outnumber-humans.html