AI agents are moving out of pilot programs and into production workflows across customer support, DevOps, finance, and supply chain operations. The governance infrastructure meant to control them has not kept pace.

Deloitte’s 2026 State of AI in the Enterprise survey, drawn from 3,235 IT and business leaders across 24 countries, found that only 21% of organizations have a mature governance model for agentic AI. The remaining 79% are deploying agents with incomplete controls around identity, permissions, observability, and shutdown authority.

The Enforcement Gap

The problem is not the absence of AI policies. Most enterprises have acceptable-use rules, model approval processes, and risk committees. The gap is between governance documentation and governance enforcement.

Traditional software follows deterministic logic. Human employees have identities, managers, roles, and access reviews. AI agents sit between both categories. They interpret instructions, make decisions, call APIs, use credentials, retrieve files, and delegate tasks to sub-agents. As TechScoop’s analysis noted, an agent with access to CRM data, email, Slack, GitHub, and cloud consoles is not an assistant. It is an actor inside the business.

The OpenID Foundation warned in an October 2025 whitepaper that enterprises need to treat agents as “first-class citizens” inside identity and access management, with lifecycle management, governance policies, and accountability measures. The whitepaper noted that current identity frameworks strain as agents become more autonomous, spawn sub-agents, and operate across organizational boundaries.

What Happens When Controls Fail

A recent incident demonstrated the consequences. In late May, attackers manipulated Meta’s AI-powered support chatbot into handing over access to high-profile Instagram accounts, including the dormant Obama White House page, beauty retailer Sephora, and a senior U.S. Space Force official. According to The Guardian, the chatbot reset account credentials without independently verifying identity. Meta confirmed and resolved the issue after researchers at 404 Media exposed the vulnerability.

The lesson applies beyond social media. Any enterprise that lets AI agents perform sensitive actions, such as account recovery, access approval, refund processing, or code deployment, faces the same architectural question: what hard control prevents the agent from exceeding its authority? A policy document is not a control. A prompt instruction is not a control. The enforcement must exist at the execution layer.

OWASP Formalizes the Risk

The OWASP GenAI Security Project has now published its Top 10 for Agentic Applications 2026, a peer-reviewed framework identifying the most critical security risks facing autonomous AI systems. The initiative tracks agentic application security, AI threat intelligence, secure AI adoption, data security, and red teaming as distinct areas of concern.

The primary risk vectors OWASP identifies include prompt injection (malicious instructions embedded in user input or external content), tool misuse (agents using legitimate tools in unauthorized ways), memory poisoning (hostile data inserted into an agent’s retrieval system), over-permissioned agents, untraceable delegation chains, and governance bypass through low-code platforms deployed before security teams have visibility.

The Scale Problem

A human employee might process 20 support tickets in an hour. An automated agent can process thousands. That throughput turns small governance gaps into operational exposure. When an agent reads from one system, reasons inside a model, invokes a tool, and triggers an action in another system, security teams need to reconstruct the full chain: what data influenced the decision, which identity authorized the action, what policy was checked, and who owns the outcome.
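As an added illustration (not code from the article, Deloitte, OWASP or any vendor), the snippet below sketches what an execution-layer control looks like: a gate that sits between the agent and its tools, refuses a credential reset unless a verification proof produced outside the model is presented, and writes the audit record needed to reconstruct the chain of data, identity, policy, decision and owner. The policy table, account, proof value and agent identifier are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy table: per agent identity, an accountable owner and the
# tools it may call; True marks tools that need a verification proof issued
# by a step outside the model (e.g. an MFA or identity-provider check).
POLICY = {
    "support-agent-07": {
        "owner": "customer-support",
        "tools": {"lookup_account": False, "reset_credentials": True},
    }
}
# Constructed proofs from that separate verification step, keyed by account.
VALID_PROOFS = {"acct-1001": "proof-7f3a"}

AUDIT_LOG = []  # reconstructable chain: data, identity, policy, decision, owner


@dataclass
class ToolCall:
    agent_id: str
    tool: str
    args: dict
    sources: list = field(default_factory=list)  # data that shaped the decision
    proof: Optional[str] = None                  # verification proof, if any


def _record(call: ToolCall, decision: str, reason: str) -> dict:
    entry = {
        "agent": call.agent_id, "tool": call.tool, "args": call.args,
        "sources": call.sources, "policy": f"POLICY[{call.agent_id}]",
        "owner": POLICY.get(call.agent_id, {}).get("owner"),
        "decision": decision, "reason": reason,
    }
    AUDIT_LOG.append(entry)
    return entry


def gate(call: ToolCall) -> dict:
    """Execution-layer check, applied whatever the model was instructed to do."""
    rules = POLICY.get(call.agent_id)
    if rules is None or call.tool not in rules["tools"]:
        return _record(call, "deny", "agent or tool not in policy")
    if rules["tools"][call.tool]:  # sensitive tool: proof must come from outside
        account = call.args.get("account")
        if call.proof is None or VALID_PROOFS.get(account) != call.proof:
            return _record(call, "deny", "missing or invalid verification proof")
    return _record(call, "allow", "policy satisfied")


if __name__ == "__main__":
    # Ticket text (constructed) asks for a reset; no proof was ever issued.
    print(gate(ToolCall("support-agent-07", "reset_credentials",
                        {"account": "acct-1001"}, ["ticket:4412"]))["decision"])
```

The point is that the deny decision does not depend on the prompt: a manipulated chatbot can ask for the reset, but the gate only honours a proof the verification step actually issued, and every attempt leaves a record with the owning team attached.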

According to Deloitte’s findings, the organizations succeeding with agentic AI are starting with lower-risk use cases, building governance capabilities first, and scaling deliberately through cross-functional structures that bring together IT, legal, compliance, and business unit leaders.

Rushing to deploy widely before establishing these foundations, Deloitte concluded, “could expose organizations to significant and potentially costly risks, while also likely negating the competitive advantage that AI agents otherwise could afford.”