Nokod, a cybersecurity platform focused on business-user-built applications, released its 2026 State of Security survey on April 27, covering 200 enterprise CISOs. The headline finding: security teams can only track 44% of the AI agents, applications, and automations that business users have built on platforms like Microsoft Copilot Studio, ServiceNow, Power Automate, and UiPath.
The Numbers
Over 80% of security teams reported lacking full visibility into business-user-built applications and agents. Business users outnumber professional developers by an average of 4:1, with some organizations reporting ratios as high as 10:1. More than 50% of CISOs said those business-built tools support critical processes and handle sensitive company and user data.
The survey also found that 90% of security leaders plan to implement governance policies for citizen development by the end of 2026, and 67% already allocate budget specifically for securing business-built applications, with 15% growth expected in the coming year.
Shadow Engineering, Not Shadow IT
The distinction matters. Traditional shadow IT meant employees signing up for unauthorized SaaS tools. Shadow engineering, according to CIO, means employees building autonomous agents that “execute logic, integrate with systems by calling APIs and modify states without formal security oversight.” A developer granting a high-privilege API key to an agentic framework creates “a non-deterministic autonomous entity running in a cloud function with the keys to the kingdom, invisible to your Cloud Security Posture Management tools.”
“Security teams are losing a race they don’t even realize they are running,” said Yair Finzi, CEO and co-founder of Nokod, in the press release. “Entire layers of enterprise logic are emerging outside traditional oversight.”
A Pattern, Not an Outlier
This is the second major survey in a week to flag enterprise agent visibility gaps. The Cloud Security Alliance reported earlier this month that 82% of enterprises have unknown AI agents running in their IT infrastructure, with 65% having experienced agent-related security incidents in the past 12 months. The Nokod data narrows the lens specifically to business-user-built tools, where the governance gap may be widest because these agents are created by people who never went through a secure development lifecycle.
The Governance Clock
The 90% of security leaders planning governance policies by year-end face a structural problem: the platforms enabling citizen development are shipping faster than compliance frameworks can adapt. Microsoft, ServiceNow, and UiPath are all actively marketing agent-building capabilities to business users as a productivity feature. Every new Copilot Studio deployment adds to the 56% of agents that security teams currently cannot see.