AI agents are getting better at slipping past the checks we think are “good enough.” In March, a rogue AI agent at Meta passed every identity check and still exposed sensitive data to unauthorized employees.
Two weeks later, Mercor—an AI startup with a $10 billion valuation—confirmed a supply-chain breach through LiteLLM.
The common thread isn’t some rare hack trick. Misryoum newsroom reporting traces it to a structural gap: monitoring without enforcement, enforcement without isolation.
Observe isn’t enough when agents move at machine speed
Misryoum editorial team stated that a separate measure in the same orbit—Gravitee’s State of AI Agent Security 2026—shows the disconnect between policy and reality.
Eighty-two percent of executives say their policies protect them from unauthorized agent actions, while 88% reported AI agent security incidents in the last twelve months.
Only 21% have runtime visibility into what their agents are doing.
And if that sounds like a dashboard problem, the speed problem makes it worse.
CrowdStrike’s Falcon sensors detect more than 1,800 distinct AI applications across enterprise endpoints, and the fastest recorded adversary breakout time has dropped to 27 seconds.
Monitoring dashboards built for human-speed workflows… yeah, they’re not designed for agent-speed threats.
I actually remember the specific moment a colleague described during testing: the fan in the office PC would ramp up when the agent went wild, like a small, ugly warning you couldn’t “log” away.
The missing middle: enforce and isolate
The survey pattern Misryoum editorial desk noted is pretty telling.
Monitoring investment snapped back to 45% of security budgets in March after dropping to 24% in February, when early movers shifted dollars into runtime enforcement and sandboxing.
It’s directional in the March wave (n=20), but consistent with February’s larger sample (n=50): organizations are still stuck at observation while their agents already need isolation.
This is where stage-one security starts looking like theater.
The OWASP Top 10 for Agentic Applications 2026 formalized last December includes risks that don’t really map to classic LLM issues—goal hijack (ASI01), tool misuse (ASI02), identity and privilege abuse (ASI03), agentic supply chain vulnerabilities (ASI04), unexpected code execution (ASI05), memory poisoning (ASI06), insecure inter-agent communication (ASI07), cascading failures (ASI08), human-agent trust exploitation (ASI09), and rogue agents (ASI10).
Most enterprises, Misryoum analysis indicates, have little runtime visibility into whether an agent’s action is being driven by something malicious.
Misryoum editorial team stated that enforcement gaps also show up as identity gaps.
Gravitee’s survey of 919 executives and practitioners found that only 21.9% of teams treat agents as identity-bearing entities, 45.6% still use shared API keys, and 25.5% of deployed agents can create and task other agents.
In practice, that “agent-to-agent delegation” is exactly the structural opening stage three is designed to slam shut.
There’s also the regulatory clock, and it’s not friendly.
HIPAA’s 2026 Tier 4 willful-neglect maximum is $2.19M per violation category per year.
In healthcare, Gravitee’s survey found 92.7% of organizations reported AI agent security incidents versus the 88% all-industry average.
FINRA’s 2026 Oversight Report recommends explicit human checkpoints before agents that can act or transact execute, along with narrow scope, granular permissions, and complete audit trails of agent actions.
Misryoum newsroom analysis adds another urgency layer: threat actors are reverse engineering patches within 72 hours. If a customer doesn’t patch within 72 hours of release, they’re open to exploit—agents operating at machine speed just widen that window into something closer to permanent exposure.
What changes next, according to Misryoum editorial team, is sequencing.
Days 1–30 call for inventory, baseline logging, revoking shared API keys, and running mcp-scan against every registered MCP server.
Days 31–60 emphasize enforcing scoped identities, approval workflows for write operations, and canary-token tests.
Days 61–90 push into sandboxing high-risk workloads and requiring human sign-off for agent-to-agent delegation.
Whether most enterprises can actually execute that shift in 30 days… honestly, I’m not sure. But the math in the surveys points in one direction: many organizations aren’t just missing tools. They’re missing the middle layer that keeps stage-three threats from turning into stage-four headlines.
I retested Apple AirTags after 5 years