The security team was confident they had full visibility. Their SIEM was humming, endpoint detection was deployed everywhere, and their cloud security posture management tool gave them a perfect score. Then an AI agent - one they had never approved, never deployed, and never monitored - exfiltrated 47,000 customer records by simply following instructions hidden in a spreadsheet comment.
The agent wasn't malicious. It was doing exactly what it was designed to do. The problem was that nobody knew it existed.
Welcome to the AI agent visibility crisis of 2026. While enterprises race to deploy autonomous AI agents for productivity gains, security teams are discovering an uncomfortable truth: they are flying blind. New research published this week reveals that 92% of organizations lack full visibility into AI identities, 82% have discovered unknown agents in their environments, and 65% have already suffered security incidents caused by AI agents they didn't know were there.
This isn't a future threat. It's happening right now.
The Shocking Numbers: A Crisis Hiding in Plain Sight
92% Lack Visibility Into AI Identities
On April 21, 2026, Cybersecurity Insiders released research that should terrify every CISO. Their study, conducted in collaboration with Saviynt, found that while 71% of senior security leaders confirm AI tools have access to core systems like Salesforce and SAP, only 16% report that this access is governed effectively.
The visibility gap is staggering:
- 92% of respondents lack full visibility into AI identities
- 95% doubt their ability to detect or contain AI misuse
- 75% have already identified unsanctioned AI tools in their environments
- Only 5% feel confident they could contain a compromised AI agent
"This is no longer a future-state problem," said Holger Schulze, founder of Cybersecurity Insiders. "AI already has access to business-critical systems, often with more autonomy and less oversight than any security team would knowingly approve."
82% Have Unknown AI Agents Running Wild
The same day, the Cloud Security Alliance published equally alarming findings. Their survey of 418 IT and security professionals revealed that 82% of organizations have discovered previously unknown AI agents in their environments within the past year.
The research, titled "Autonomous but Not Controlled: AI Agent Incidents Now Common in Enterprises," found that these shadow agents most commonly emerge in:
- Internal automation or scripting environments (51%)
- LLM platforms including custom tools and plugins (47%)
- SaaS tools with built-in automation (40%)
- Developer-created workflows (40%)
Perhaps most concerning is the confidence gap: while 68% of organizations believe they have strong visibility into AI agents, the high number of undiscovered agents contradicts this perception. Security teams think they can see the threats. They can't.
65% Have Suffered AI Agent Security Incidents
The Cloud Security Alliance research also found that 65% of organizations experienced at least one cybersecurity incident related to AI agents in the past 12 months. These aren't theoretical risks - they're real breaches causing real damage:
- 61% reported data exposure
- 43% suffered operational disruption
- 41% experienced unintended actions in business processes
- 35% incurred financial losses
- 31% faced delays in customer-facing or internal services
Not a single respondent reported zero material business impact from AI agent incidents.
The Google Antigravity Case Study: When Sandboxes Fail
While these statistics paint a grim picture of visibility gaps, the technical reality is even more concerning. On April 21, 2026, security researchers disclosed a critical vulnerability in Google's Antigravity IDE that demonstrates exactly why traditional security controls are failing against agentic AI threats.
The Vulnerability: Prompt Injection to RCE
Researchers at Pillar Security discovered that Antigravity's file-searching tool, find_by_name, could be weaponized to achieve remote code execution through prompt injection. The flaw allowed attackers to bypass Antigravity's "Strict Mode" - a restrictive security configuration designed to limit network access, prevent out-of-workspace writes, and ensure all commands run within a sandbox context.
The attack worked by injecting the -X (exec-batch) flag through the Pattern parameter in the find_by_name tool. Because the tool passed input directly to the underlying fd command without strict validation, an attacker could force the system to execute arbitrary binaries against workspace files.
"By crafting a Pattern value of -Xsh, an attacker causes fd to pass matched files to sh for execution as shell scripts," explained Dan Lisichkin of Pillar Security. Combined with Antigravity's ability to create files, this enabled a full attack chain: stage a malicious script, then trigger it through a seemingly legitimate search.
Why the Sandbox Never Got a Chance
What makes this vulnerability particularly concerning is that Antigravity's Strict Mode - the security boundary designed to prevent exactly this type of attack - never had a chance to stop it. The find_by_name tool is executed before any Strict Mode constraints are evaluated. The agent treats it as a native tool invocation, not a shell command, so it never reaches the security boundary that Strict Mode enforces.
This reveals a fundamental flaw in how we've been thinking about AI agent security. Sandboxes and security controls focused on shell commands are insufficient when AI agents can invoke native functions with elevated privileges. Every native tool parameter that reaches a shell command is a potential injection point.
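To make the injection point concrete, here is an added example (not Pillar Security's or Google's code) of a tool wrapper that forwards an agent-supplied search pattern to the `fd` CLI. The first builder mirrors the flawed shape the article describes, where a pattern beginning with `-` lands in front of fd's option parser; the second rejects option-like patterns, terminates option parsing with `--`, and passes argv as a list so no shell is involved. Nothing here executes fd, so it can be read offline. The tool name `find_by_name` and the `-X`/`--exec-batch` flag are from the article; the helper names, and the assumption that fd honours the POSIX `--` terminator as clap-based CLIs do, are mine.

```python
"""Added example: argument injection in a native tool that wraps `fd`,
and a hardened argv builder plus a defender-side audit check.
Assumption: fd treats '--' as the end of options (clap convention)."""
import re
from typing import List


def build_fd_argv_unsafe(pattern: str, workspace: str) -> List[str]:
    """Flawed shape from the article: the pattern sits where fd's option
    parser still runs, so a value such as '-Xsh' is read as a flag plus
    its argument.  Kept only to make the contrast visible."""
    return ["fd", pattern, workspace]


# A legitimate filename regex never needs a leading '-'; refuse it early.
_OPTION_LIKE = re.compile(r"^\s*-")


def build_fd_argv(pattern: str, workspace: str) -> List[str]:
    """Hardened builder: reject option-like patterns, end option parsing
    with '--', and return an argv list (to be run without shell=True).
    Flags such as --exec are deliberately not reachable from the agent."""
    if not pattern or _OPTION_LIKE.match(pattern):
        raise ValueError(f"pattern may not look like an option: {pattern!r}")
    if "\0" in pattern:
        raise ValueError("pattern contains NUL")
    return ["fd", "--", pattern, workspace]


def looks_like_exec_injection(argv: List[str]) -> bool:
    """Audit hook / log-review rule: does an argv destined for fd carry an
    exec-style flag anywhere before the '--' terminator?"""
    for tok in argv[1:]:
        if tok == "--":
            return False
        if tok.startswith(("-x", "-X", "--exec")):
            return True
    return False
```

The `--` terminator is the part that matters even if a validator is later weakened: once option parsing has ended, nothing the agent supplies can become a flag. The audit function is the kind of check that belongs in the tool layer's logging, so a pattern that somehow slips through is at least visible.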
Indirect Prompt Injection: The Invisible Threat
The attack could also be initiated through indirect prompt injection without compromising a user's account. An unsuspecting developer could pull a seemingly harmless file from a public repository containing hidden attacker-controlled comments that instruct the AI agent to stage and trigger the exploit.
This is the visibility crisis in action: the malicious instructions are invisible to humans, the AI agent follows them autonomously, and traditional security controls never see the attack because it happens within the agent's trusted execution context.
Google patched the vulnerability after responsible disclosure on January 7, 2026, but the lesson remains: tools designed for constrained operations become attack vectors when their inputs are not strictly validated.
The Retirement Debt Problem: Agents That Never Die
One of the most overlooked aspects of the AI agent visibility crisis is what happens when agents are no longer needed. The Cloud Security Alliance research found that only 21% of organizations have formal processes for decommissioning AI agents.
This creates what security researchers call "retirement debt" - AI agents that linger long past their intended use, retaining permissions and credentials that create long-term risk. These forgotten agents accumulate quietly until they become structural exposures, setting the stage for larger governance challenges.
An AI agent deployed six months ago to automate a temporary workflow may still have:
- Active API keys to critical systems
- Database credentials with read/write access
- Permissions to modify cloud infrastructure
- Access to sensitive customer data
And if nobody knows it exists, nobody can revoke those permissions when the project ends.
Why Traditional Security Controls Are Failing
The AI agent visibility crisis exposes fundamental limitations in how we've built enterprise security:
1. Identity Systems Weren't Built for Machines That Think
Traditional identity and access management systems were designed for humans and simple service accounts. They assume:
- Identities are created through formal provisioning processes
- Access patterns are relatively predictable
- Authentication happens at clear boundaries
- Humans can review and approve access requests
AI agents break all of these assumptions. They can be created by developers in minutes, access systems in ways that look like legitimate automation, authenticate through API keys that bypass traditional controls, and make autonomous decisions without human review.
2. Shadow AI Is the New Shadow IT
Remember when shadow IT was the biggest challenge facing enterprise security? Employees would sign up for SaaS tools with corporate credit cards, bypassing IT approval processes and creating data exposure risks.
Shadow AI is shadow IT on steroids. A developer can:
- Connect an AI coding assistant to your codebase in under five minutes
- Grant it access to production databases without anyone knowing
- Configure it to make autonomous changes to infrastructure
- Leave it running indefinitely after the project ends
And unlike shadow IT, shadow AI doesn't just store data - it actively manipulates it.
3. The Trust Model Is Broken
Pillar Security's analysis of the Antigravity vulnerability highlights a critical insight: "The trust model underpinning security assumptions, that a human will catch something suspicious, does not hold when autonomous agents follow instructions from external content."
We've built security controls assuming humans are in the loop, reviewing actions, and catching anomalies. But AI agents operate autonomously, processing untrusted content at machine speed, making decisions based on patterns humans can't perceive, and executing actions without human review.
When an AI agent reads a malicious instruction hidden in a code comment, there's no human to catch it. When it follows a prompt injection buried in a spreadsheet cell, there's no alert generated. The attack happens entirely within the agent's trusted execution context.
The Attack Surface You Can't See
The combination of invisible agents and insufficient controls creates attack surfaces that traditional security tools cannot detect:
Indirect Prompt Injection Through Trusted Content
AI agents routinely process content from external sources - GitHub repositories, documentation websites, email attachments, shared documents. Each of these is a potential injection vector:
- A malicious Python package with hidden instructions in docstrings
- A Stack Overflow answer with invisible prompt injection in code blocks
- A PDF documentation file with embedded instructions in metadata
- A Jira ticket with hidden directives in formatted text
The agent processes this content as part of its normal operation, following instructions that were never meant for human eyes.
Credential Theft Through Agent Memory
AI agents often maintain persistent memory across sessions, storing context about previous interactions, learned patterns, and configured credentials. This memory becomes a target:
- Attackers can poison agent memory to persist across reboots
- Compromised agents can leak credentials stored in their context
- Memory files can be exfiltrated to reveal sensitive operational details
- Poisoned memory can influence agent behavior in subtle, hard-to-detect ways
Cisco researchers recently disclosed a vulnerability in Claude Code that allows attackers to poison the coding agent's memory and maintain persistence across every project and every session, even after a system reboot.
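One mitigation for memory poisoning, as an added example that is not Cisco's, Anthropic's or the article's code: seal an agent's persistent memory with an HMAC keyed by a secret the agent's file-writing tools never see, and refuse to load memory whose tag does not verify. The memory format, the sample content and the key are constructed; in practice the key would live in the host's secret store, not on disk beside the memory file.

```python
"""Added example: integrity-sealed agent memory.  A poisoned memory file
fails verification before its contents are ever parsed as context.
Memory layout (JSON body + newline + hex HMAC tag) is an assumption."""
import hashlib
import hmac
import json
from typing import Any, Dict

MEMORY_VERSION = 1


def seal_memory(memory: Dict[str, Any], key: bytes) -> bytes:
    """Serialise memory canonically and append an HMAC-SHA256 tag."""
    body = json.dumps({"v": MEMORY_VERSION, "data": memory},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"\n" + tag.encode()


def load_memory(blob: bytes, key: bytes) -> Dict[str, Any]:
    """Verify the tag before parsing anything; raise on mismatch so a
    tampered file is never consumed as instructions."""
    body, sep, tag = blob.rpartition(b"\n")
    if not sep:
        raise ValueError("memory file has no integrity tag")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("memory integrity check failed: possible poisoning")
    doc = json.loads(body)
    if doc.get("v") != MEMORY_VERSION:
        raise ValueError("unsupported memory version")
    return doc["data"]


def tamper_detected(blob: bytes, key: bytes) -> bool:
    """Convenience wrapper for monitoring: True if the file would be refused."""
    try:
        load_memory(blob, key)
        return False
    except ValueError:
        return True


# Constructed sample: a small project memory, sealed with a constructed key.
DEMO_KEY = b"constructed-demo-key-keep-in-secret-store"
DEMO_MEMORY = {"project": "billing-api", "notes": ["tests use pytest"]}
SEALED = seal_memory(DEMO_MEMORY, DEMO_KEY)
```

The point of the design is separation of authority: the agent (and anything it is tricked into writing) can modify the file, but only the host process holding the key can produce a valid tag, so a silently edited memory is rejected and the rejection itself is a detection signal worth alerting on.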
Living Off the Land
Attackers are increasingly using "living off the land" techniques that leverage legitimate AI agent capabilities for malicious purposes:
- Using an AI coding assistant's remote tunnel feature for persistent access
- Exploiting an AI agent's file system access to stage malware
- Leveraging an AI agent's API integrations to exfiltrate data
- Abusing an AI agent's code execution capabilities to run malicious scripts
Because these attacks use legitimate features, they bypass detection tools looking for traditional malware signatures.
What CISOs Must Do Now
The AI agent visibility crisis demands immediate action. Here's what security leaders should prioritize:
1. Discover What You Don't Know
Before you can secure AI agents, you need to find them:
- Audit SaaS platforms for connected AI tools and integrations
- Scan code repositories for AI agent configuration files and API keys
- Review cloud infrastructure for AI agent deployments and service accounts
- Interview development teams about AI tools they're using
- Monitor network traffic for connections to AI service providers
Assume you have shadow AI agents you don't know about. The research says you almost certainly do.
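A first-pass version of the network-monitoring step above, as an added example that is not from the article or any vendor: read egress or proxy log lines, aggregate connections to AI service providers per internal host, and report the hosts that are not in the sanctioned-agent inventory, largest talkers first. The log format, the provider domain list, the inventory and the sample lines are all constructed; the parser would be adapted to the proxy actually in use.

```python
"""Added example: shadow-AI discovery from egress logs against a
sanctioned-agent inventory.  Log format and sample data are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed provider map: domain suffix -> provider label.  The domains
# are the public API endpoints of the named providers.
AI_PROVIDER_SUFFIXES = {
    "api.openai.com": "openai",
    "openai.azure.com": "azure-openai",
    "api.anthropic.com": "anthropic",
    "generativelanguage.googleapis.com": "google-ai",
}

# Constructed sanctioned inventory: internal host -> documented purpose.
SANCTIONED_AGENT_HOSTS = {
    "build-agent-01": "CI code review bot, owner: platform team",
}

# Constructed proxy log, one record per line: "<ts> <src_host> <dst_host> <bytes_out>"
SAMPLE_PROXY_LOG = """\
2026-04-21T09:00:01Z build-agent-01 api.openai.com 18234
2026-04-21T09:00:05Z dev-laptop-42 api.anthropic.com 9120
2026-04-21T09:01:10Z finance-etl-07 eastus.openai.azure.com 402118
2026-04-21T09:01:12Z dev-laptop-42 github.com 3311
2026-04-21T09:02:00Z finance-etl-07 eastus.openai.azure.com 517003
2026-04-21T09:03:30Z intranet-wiki generativelanguage.googleapis.com 2211
"""


@dataclass
class Finding:
    src_host: str
    provider: str
    requests: int
    bytes_out: int


def provider_for(dst_host: str) -> Optional[str]:
    """Match a destination against the provider suffixes (exact or subdomain)."""
    host = dst_host.lower().rstrip(".")
    for suffix, label in AI_PROVIDER_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return None


def find_unsanctioned_ai_egress(log_lines: Iterable[str],
                                sanctioned: Dict[str, str]) -> List[Finding]:
    """Aggregate AI-provider egress per (src, provider) and return only the
    sources absent from the sanctioned inventory, sorted by bytes out."""
    agg: Dict[Tuple[str, str], List[int]] = defaultdict(lambda: [0, 0])
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the sweep
        _ts, src, dst, nbytes = parts
        provider = provider_for(dst)
        if provider is None or src in sanctioned:
            continue
        agg[(src, provider)][0] += 1
        agg[(src, provider)][1] += int(nbytes)
    findings = [Finding(s, p, c, b) for (s, p), (c, b) in agg.items()]
    findings.sort(key=lambda f: f.bytes_out, reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_unsanctioned_ai_egress(SAMPLE_PROXY_LOG.splitlines(),
                                         SANCTIONED_AGENT_HOSTS):
        print(f"{f.src_host:16} {f.provider:13} req={f.requests:<3} out={f.bytes_out}")
```

On the constructed log, the sweep surfaces an ETL server pushing close to a megabyte to an Azure OpenAI endpoint that nobody registered, which is exactly the kind of finding the "assume you have shadow agents" advice predicts. Byte volume is a useful first sort key because a quiet developer laptop and a batch job streaming records to a model API deserve very different follow-up.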
2. Implement Continuous Visibility
Discovery isn't a one-time exercise. You need continuous visibility into:
- New AI agents being deployed across your environment
- Changes to AI agent permissions and access patterns
- AI agent activity and data access patterns
- Anomalous behavior that might indicate compromise
Consider dedicated AI agent security platforms that can discover, classify, and monitor machine identities across cloud, SaaS, and enterprise environments.
3. Enforce Lifecycle Governance
The Cloud Security Alliance recommends extending traditional identity lifecycle management to AI agents:
- Onboarding: Document purpose, owner, and intended access before deployment
- Ownership: Assign clear accountability for each AI agent's behavior
- Review: Regularly audit AI agent permissions against their documented purpose
- Decommissioning: Formal processes to revoke access and delete agents when no longer needed
Only 21% of organizations have formal decommissioning processes. Don't be in the 79% that don't.
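The lifecycle recommendations above, and the retirement-debt problem described earlier, turned into a runnable check as an added example that is not from the CSA report or the article: each agent record carries owner, purpose, the scopes its credentials actually grant, the scopes onboarding documented, and a last-activity timestamp. The audit flags agents with no accountable owner, agents idle past a threshold (retirement debt), and agents whose granted scopes have drifted beyond their documented purpose, and emits the action to take for each. The record shape, scope vocabulary, idle threshold and sample registry are constructed.

```python
"""Added example: lifecycle audit of an AI-agent registry covering
ownership, idle (retirement-debt) and scope-drift checks.  All data and
the 90-day idle threshold are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set


@dataclass
class AgentRecord:
    agent_id: str
    purpose: str
    granted_scopes: Set[str]           # what its credentials actually allow
    intended_scopes: Set[str]          # what onboarding documented
    last_activity: Optional[datetime]  # None = never observed acting
    owner: Optional[str] = None
    decommissioned: bool = False


@dataclass
class AuditAction:
    agent_id: str
    reason: str
    action: str


def audit_agents(records: List[AgentRecord], now: datetime,
                 idle_after: timedelta = timedelta(days=90)) -> List[AuditAction]:
    """Return the remediation actions implied by the lifecycle policy."""
    actions: List[AuditAction] = []
    for r in records:
        if r.decommissioned:
            continue
        if r.owner is None:
            actions.append(AuditAction(r.agent_id, "no accountable owner",
                                       "freeze credentials until an owner is assigned"))
        idle = r.last_activity is None or (now - r.last_activity) > idle_after
        if idle:
            actions.append(AuditAction(r.agent_id, "retirement debt: idle past threshold",
                                       "revoke credentials and start decommissioning"))
        excess = r.granted_scopes - r.intended_scopes
        if excess:
            actions.append(AuditAction(r.agent_id,
                                       f"scope drift: {sorted(excess)} beyond documented purpose",
                                       "remove excess scopes"))
    return actions


# Constructed sample registry: one healthy agent, one leftover migration
# bot, and one agent nobody can account for.
NOW = datetime(2026, 4, 21, tzinfo=timezone.utc)
SAMPLE_REGISTRY = [
    AgentRecord("crm-summarizer", "summarize support tickets",
                {"crm:read"}, {"crm:read"},
                NOW - timedelta(days=2), owner="support-eng"),
    AgentRecord("q4-migration-bot", "one-off data migration (Q4 2025)",
                {"db:read", "db:write", "cloud:iam"}, {"db:read", "db:write"},
                NOW - timedelta(days=150), owner="data-platform"),
    AgentRecord("mystery-agent-7", "unknown",
                {"crm:read", "crm:write"}, set(),
                None, owner=None),
]


if __name__ == "__main__":
    for a in audit_agents(SAMPLE_REGISTRY, NOW):
        print(f"{a.agent_id:18} {a.reason:60} -> {a.action}")
```

The migration bot is the textbook retirement-debt case: a temporary workflow that ended months ago but still holds live database credentials plus an IAM scope nobody documented. Running an audit like this on a schedule is what turns "formal decommissioning process" from a policy statement into something that actually revokes access.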
4. Move Beyond Sanitization-Based Controls
The Antigravity vulnerability demonstrates that input sanitization alone is insufficient. Security teams must move toward:
- Execution isolation: Run AI agents in properly isolated environments
- Least privilege: Grant AI agents only the minimum permissions needed for their purpose
- Behavioral monitoring: Detect anomalous activity that might indicate compromise
- Human-in-the-loop: Require approval for high-risk actions, even from trusted agents
5. Treat AI Agents as a New Identity Class
AI agents are not just another workload. They are a new type of identity that requires new security models:
- Intent-based scoping: Continuously align agent permissions with their documented purpose
- Context-aware controls: Make authorization decisions based on action risk and business context
- Non-human identity management: Extend identity governance to machine identities with the same rigor as human identities
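How intent-based scoping, context-aware controls and human-in-the-loop approval fit together in one decision, as an added example that is not from the article or any product: an authorization gate denies any action outside the agent's documented scope (even if its credential would technically permit it), allows low-risk in-scope actions, and routes high-risk in-scope actions, such as writes in production or anything touching secrets, to an approver. The scope strings, the risk policy and the sample requests are constructed.

```python
"""Added example: an authorization gate combining intent scoping, action
risk and environment context.  Scopes, risk table and agents are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Set


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_APPROVAL = "require_approval"
    DENY = "deny"


@dataclass(frozen=True)
class ActionRequest:
    agent_id: str
    resource: str      # e.g. "crm", "prod-db", "secrets"
    verb: str          # "read" | "write" | "delete" | "execute"
    environment: str   # "dev" | "staging" | "prod"


# Constructed intent scopes recorded at onboarding: agent -> {"resource:verb"}.
INTENT_SCOPES: Dict[str, Set[str]] = {
    "crm-summarizer": {"crm:read"},
    "release-bot": {"prod-db:read", "prod-db:write", "repo:write"},
}

# Constructed risk policy: mutating verbs are high risk in production, and
# some resources are high risk everywhere.
HIGH_RISK_VERBS = {"write", "delete", "execute"}
ALWAYS_HIGH_RISK_RESOURCES = {"secrets", "iam"}


def authorize(req: ActionRequest,
              scopes: Dict[str, Set[str]] = INTENT_SCOPES) -> Decision:
    """Intent scope first, then risk in context.  Unknown agents have no
    scope and are therefore denied, which is the fail-closed default."""
    needed = f"{req.resource}:{req.verb}"
    if needed not in scopes.get(req.agent_id, set()):
        return Decision.DENY
    high_risk = (req.resource in ALWAYS_HIGH_RISK_RESOURCES
                 or (req.environment == "prod" and req.verb in HIGH_RISK_VERBS))
    return Decision.REQUIRE_APPROVAL if high_risk else Decision.ALLOW
```

The ordering is deliberate: scope is evaluated before risk, so a compromised agent that is steered toward something it was never documented to do gets a hard deny rather than an approval prompt that a busy reviewer might rubber-stamp. Approval is reserved for actions the agent legitimately needs but that are costly to get wrong.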
FAQ: AI Agent Visibility and Security
How do I find AI agents I don't know about?
Start by auditing your SaaS platforms for AI integrations, scanning code repositories for AI configuration files, and reviewing cloud infrastructure for AI service accounts. Look for API keys to services like OpenAI, Anthropic, and Google AI. Interview development teams about AI tools they're using. Consider using specialized AI agent discovery tools that can identify machine identities across your environment.
What's the difference between shadow AI and sanctioned AI?
Sanctioned AI is deployed through formal processes with documented purpose, assigned ownership, and governed access. Shadow AI is deployed by individual developers or teams without IT or security approval, often using personal API keys or trial accounts. The Cybersecurity Insiders research found 75% of organizations have identified unsanctioned AI tools in their environments.
Why can't traditional security tools detect AI agent threats?
Traditional security tools were designed for human attackers and traditional malware. AI agents operate within legitimate execution contexts, use approved API integrations, and follow instructions that look like normal automation. When an AI agent follows a malicious instruction hidden in a code comment, there's no malware signature to detect and no anomalous network traffic to alert on.
What is "retirement debt" in AI agent security?
Retirement debt refers to AI agents that remain active in your environment after their intended purpose has ended. These forgotten agents retain permissions and credentials, creating long-term security exposure. Only 21% of organizations have formal decommissioning processes for AI agents, meaning most have unknown agents accumulating risk over time.
How does indirect prompt injection work?
Indirect prompt injection hides malicious instructions in content that AI agents routinely process - code comments, documentation, email attachments, or shared documents. When the AI agent processes this content as part of its normal operation, it follows the hidden instructions. This was the attack vector used in the Google Antigravity vulnerability and similar flaws in Claude Code and GitHub Copilot.
Can AI agents be compromised without the user knowing?
Yes. AI agents can be compromised through indirect prompt injection, memory poisoning, or credential theft without any visible indication to the user. The compromised agent may continue to perform its legitimate functions while also executing malicious actions on behalf of the attacker. This makes detection extremely difficult without specialized AI agent monitoring tools.
What should I do if I find an unknown AI agent in my environment?
First, document what you found - what systems it has access to, what permissions it holds, and what data it can access. Then determine if it's still needed. If not, revoke its access and delete it. If it is needed, bring it under formal governance with documented purpose, assigned ownership, and appropriate monitoring. Review any actions it has taken to check for signs of compromise.
How do I prevent AI agent-related data breaches?
Prevention requires a multi-layered approach: discover all AI agents in your environment, implement least-privilege access, require human approval for high-risk actions, monitor agent behavior for anomalies, and have formal processes for agent lifecycle management. The Cloud Security Alliance recommends treating AI agent governance as a business risk management concern, not just a technical oversight issue.
Are AI coding assistants like GitHub Copilot and Cursor safe to use?
These tools have had documented vulnerabilities. Researchers have found flaws in Claude Code, GitHub Copilot Agent, and Cursor that allow prompt injection attacks, credential theft, and even persistent remote access. They're not inherently unsafe, but they require careful governance: limit their access to sensitive systems, monitor their activity, and ensure they can't make autonomous changes to production without human approval.
What's the most important first step for addressing AI agent visibility?
Discovery. You cannot secure what you cannot see. The research shows 82% of organizations have unknown AI agents and 92% lack full visibility into AI identities. Before you can implement governance controls, you need to understand what's actually running in your environment. Start with an audit of SaaS platforms, code repositories, and cloud infrastructure to identify AI agents you may not know about.
The Bottom Line: Visibility Is the Foundation of Security
The AI agent visibility crisis reveals a fundamental truth: you cannot secure what you cannot see. While enterprises have invested billions in security tools, processes, and personnel, they've been blindsided by a new class of identity that operates outside traditional visibility and control frameworks.
The statistics are stark: 92% lack visibility, 82% have unknown agents, 65% have suffered incidents. And these numbers will only get worse as AI agent adoption accelerates.
The Google Antigravity vulnerability demonstrates that even the most sophisticated tech companies are struggling to secure AI agents. When Google's own sandbox protections can be bypassed through a simple prompt injection, what chance do less-resourced organizations have?
The answer lies not in better sandboxes or more sanitization, but in fundamentally rethinking how we approach AI agent security. We need:
- Continuous discovery of AI agents across all environments
- Intent-based governance that aligns permissions with purpose
- Behavioral monitoring that can detect anomalous agent activity
- Lifecycle management that ensures agents don't outlive their usefulness
- Execution isolation that prevents compromised agents from causing damage
The AI agent visibility crisis is not a technical problem with a technical solution. It's a governance problem that requires organizational commitment to understanding, monitoring, and controlling the autonomous systems we've unleashed in our environments.
Your AI agents are already there. You just can't see them. It's time to turn on the lights.
Stay ahead of emerging AI security threats. Subscribe to the Hexon.bot newsletter for weekly insights on securing the agentic enterprise.