Feb 12, 2026

Lizzy Herzer
A study by Gravitee shows that agents have evolved from tools into infrastructure: 81% of teams are beyond the planning phase and are deploying these systems. However, this rollout brings challenges.
The reality of agent adoption
The numbers: 88% of organizations report security incidents with agents in the past year. In healthcare, this rate is 92.7%. This development shows that these systems have become infrastructure.
The discrepancy between adoption and governance: While 37 agents per organization are in use, only 14.4% have received security clearance.
Four challenges
Shadow implementations are becoming the norm
The majority of agents are deployed at the departmental level - often without the knowledge of security teams. Only 47.1% of agents are monitored, leading to a lack of transparency.
Identity management fails for systems
Only 21.9% of organizations treat agents as identities. Instead, 45.6% use API keys for agent-to-agent communication and 44.4% use tokens.
Authorization concepts
27.2% of teams rely on hard-coded logic for agent interactions. 25.5% of agents can create and instruct other agents, while only 24.4% have visibility into agent-to-agent communication.
Monitoring
While agents can execute hundreds of tasks per second, only 7.7% of organizations review their activities daily. 37.5% conduct only monthly reviews.
Solution approaches for organizations
These challenges require solutions that go beyond IT security approaches:
Local infrastructures enable organizations to process data within their boundaries. Installations provide control over data flows and meet compliance requirements.
Identity management treats agents as identities with permission controls. LDAP/OIDC integration enables connection to existing identity providers.
Agent orchestration prevents misinformation through structured data architectures and enforces authorization policies. Predefined processes create transparency.
Monitoring with real-time logging and compliance reports enables security control.
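An added example, not taken from the Gravitee report or from any product: a minimal gate for agent-to-agent calls in which each agent has its own identity and scopes, the policy lives in data rather than hard-coded logic, and every decision is logged. The agent names, keys and scopes are constructed, and the HMAC-signed token is a stand-in for a token issued by an OIDC identity provider.

```python
import hashlib, hmac, json, time

# Constructed sample registry: one identity per agent, each with its own key and scopes.
# The per-agent HMAC key is an assumption standing in for an OIDC-issued credential.
AGENTS = {
    "triage-agent":  {"key": b"k1-constructed", "scopes": {"instruct:records-agent"}},
    "records-agent": {"key": b"k2-constructed", "scopes": set()},
}
AUDIT_LOG = []  # stand-in for a real-time log pipeline

def issue_token(agent_id, ttl=60, now=None):
    """Mint a short-lived token bound to exactly one agent identity."""
    now = time.time() if now is None else now
    claims = json.dumps({"sub": agent_id, "exp": now + ttl}, sort_keys=True)
    sig = hmac.new(AGENTS[agent_id]["key"], claims.encode(), hashlib.sha256).hexdigest()
    return claims + "." + sig

def authorize(token, action, target, now=None):
    """Verify the caller's identity, evaluate its scopes, and log the decision."""
    now = time.time() if now is None else now
    claims_raw, _, sig = token.rpartition(".")  # the hex signature contains no dots
    decision, caller, agent = "deny:unknown-or-malformed", None, None
    try:
        claims = json.loads(claims_raw)
        caller = claims["sub"]          # claimed identity, unverified at this point
        agent = AGENTS[caller]
    except (ValueError, KeyError, TypeError):
        pass                            # fail closed: decision stays a deny
    if agent is not None:
        expected = hmac.new(agent["key"], claims_raw.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            decision = "deny:bad-signature"
        elif claims.get("exp", 0) < now:
            decision = "deny:expired"
        elif f"{action}:{target}" not in agent["scopes"]:
            decision = "deny:not-permitted"   # default deny, including "create"
        else:
            decision = "allow"
    # Denials are logged as well as allows, so agent-to-agent traffic stays visible.
    AUDIT_LOG.append({"ts": now, "caller": caller, "action": action,
                      "target": target, "decision": decision})
    return decision == "allow"
```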
Industry-specific requirements
Healthcare: With an incident rate of 92.7% for agents with patient data, clinics need GDPR-compliant solutions with MDR compliance preparation.
Public sector: Citizen data and classified information require VS-NfD-compliant installations with isolated operation.
Financial sector: Strict regulation requires BaFin-compliant data processing with integrated risk control.
What CIOs should do now
Most companies face the same situation: They already have agents in use, but no control over them.
Three steps are necessary:
Experimentation is over - now it's about control
Many companies have tried various tools in recent months. This phase is over. Agents are now part of the productive infrastructure and must be managed accordingly.
For regulated organizations, the discrepancy between adoption and security is particularly problematic, as compliance violations can be existentially threatening.
The question is no longer whether agents will become part of your infrastructure - they already are. The question is whether you maintain control.
Source: The State of AI Agent Security 2026 report by Gravitee

