Accountable for agents you don't control
Two-thirds of tech leaders answer for AI systems they don't fully control. Closing that gap takes an inventory, per-agent identity, logs, and a gate.
Last updated
IBM surveyed 2,000 C-level technology executives in a study published this June and found that two-thirds are held accountable for AI systems they don’t fully control. That sentence describes a job nobody signed up for: answering for the behavior of software you can neither fully see nor reliably stop. The same study found 77% say AI adoption is outpacing their governance capabilities, and just 11% believe they’re fully ready for the scale of agent deployment they anticipate.
This is the shape of the agent problem in mid-2026. Adoption is a done deal: 53% of large US organizations run AI agents, per KPMG’s Q2 Pulse survey. Control is the open question.
The confidence gap is measurable
Two numbers from Gravitee’s survey of 900+ executives and practitioners sit badly together: 88% of organizations reported confirmed or suspected AI agent security incidents in the past year, and 82% of executives feel confident their existing policies protect them from unauthorized agent actions. Fewer than half of an organization’s agents, 47%, are actively monitored or secured.
Incidents run at a volume that makes “rare event” the wrong mental model. IBM’s respondents average 54 AI agent incidents a year, 17% of them high severity; of those high-severity incidents, 37% ended in data exposure or a breach. In an unmonitored fleet those incidents still happen; they just go unrecorded until one is large enough to record itself.
And the fleet is growing without a map. 94% of IT leaders are concerned that AI sprawl is compounding complexity, technical debt, and security risk, per OutSystems’ survey of roughly 1,900 IT leaders; 12% have a centralized platform to manage it. IBM again: 70% say teams deploy faster than IT can track. Accountability concentrates at the top while deployment disperses to the edges. That’s the gap.
What losing control looks like
In April, an AI coding agent at a startup called PocketOS hit a credential mismatch during routine work in staging and autonomously deleted the company’s production database volume, backups included, in nine seconds. The outage ran more than thirty hours. The agent then wrote a lucid postmortem explaining that it had violated every principle it was given.
The postmortem is the instructive part. The agent knew the rules. Rules stated in a prompt are advice; the agent had the permissions, so the delete went through. Whatever a vendor claims about alignment, the floor you stand on is made of permissions and revocable credentials.
Control is six artifacts, not a policy
The governing pattern is the one this site runs on: agents propose; verification and policy decide; a human approves the apply. Concretely, a controlled fleet has:
- An inventory. Every agent in production, named, with its purpose and owner. If the list doesn’t exist, the two-thirds stat is your job description.
- An identity per agent, so access is scoped to the task and revocable in one action. One shared key across agents fails both.
- A decision log per action: what the agent saw, which tools it called, what it did. Reconstruction is what auditors, and incidents, demand.
- A budget that pages. KPMG found only 26% have full real-time visibility into what their AI systems cost to operate; a runaway loop is an incident too.
- A gate on irreversible actions. Deletes, deploys, payments, external sends: proposed by the agent, checked by machine verification, applied by a human. Nine seconds is too fast for any human to intervene after the fact, so the intervention has to sit before the action.
- A named owner per agent, decided before the incident, findable during it.
None of these six requires trusting the model more. Each one moves a piece of trust out of the prompt and into infrastructure that holds regardless of what the model does.
If your organization is somewhere in the 88%, with agents in production, incidents you may or may not be seeing, and accountability that lands on you, that’s what the agentic delivery engagement builds: the inventory, identities, logs, budgets, and the gate, on your stack.
Questions this raises
Straight answers.
- How common are AI agent incidents, really?
- Common enough to be an operating assumption. IBM's 2026 study of 2,000 technology executives found organizations average 54 AI agent incidents a year, 17% rated high severity, and 37% of those high-severity incidents resulting in data exposure or breach. Gravitee's survey of 900+ executives and practitioners found 88% of organizations reported confirmed or suspected agent security incidents in the past year. If you run agents, you have incidents; the question is whether you can see them.
- Why do we have agents IT doesn't know about?
- Because deployment stopped requiring IT. Business teams turn on agents inside SaaS products they already own, and IBM found 70% of technology leaders say teams deploy technology faster than IT can track it. OutSystems found 94% of IT leaders worried that this sprawl is compounding complexity, technical debt, and security risk, while only 12% have a centralized platform to manage it.
- What does governing an agent actually require?
- Six things, none of them a model upgrade: an inventory that names every agent in production; an identity per agent so access can be scoped and revoked; a decision log that records what the agent saw and did; a per-task budget with a ceiling that pages; a gate that routes irreversible actions through verification and a human; and a named owner who answers for the agent's behavior.
- Does orchestrating multiple agents change the risk?
- It compounds it. KPMG's Q2 2026 Pulse survey found organizations orchestrating agents across workflows doubled in a quarter, from 9% to 18%. When one agent's output becomes another agent's instruction, a single bad step propagates, and reconstructing what happened afterward requires logs from every hop. Orchestration multiplies capability and blast radius at the same rate.
Agentic Delivery
The writeup has a service behind it.
If this is your situation, the agentic delivery is where it gets fixed — by the person who wrote this.