The answer favors the model providers and hyperscalers over the dedicated security vendors.Enterprises are securing agents with tools that came bundled with their models and clouds. Organizations with credential sharing anywhere in the fleet were hit — with an incident or a near-miss in the past twelve months — at 63.5% (47 of 74). While 41% have no plans to change, a clear majority (59%) intend to adopt a new, additional, or replacement agent security solution within twelve months, and 29% within the next quarter — a strong signal that, high satisfaction notwithstanding, enterprises know the current stack is provisional. Identity is the structural weakness beneath the incidents. Few intend to stand pat.The security stack is not settled. It skews toward the mid-market, so it is best read as the view from organizations actively standing up agent security rather than from the largest operators.Satisfaction ratings are computed on the respondents who answered each rating question; the overall satisfaction score reflects 82 of the 107 qualified respondents.Finding 1: The incidents are already hereMore than half have had an agent security incident or near-missWe asked whether organizations had experienced an agent security incident — a confirmed breach, or a near-miss caught before harm. Because this is one wave rather than a pooled multi-month sample, the report reads cross-sectionally and does not infer month-over-month trends. The most common allocation is 6–10% of the security budget (46%), and a third of enterprises (34%) spend 5% or less; only a quarter (24%) devote more than a tenth. Only about a third of enterprises (32%) give every agent its own scoped, managed identity — the precondition for least-privilege access and clean attribution. The agent security gap is not a coverage problem that a provider guardrail will close on its own; it is a problem of identity, isolation, and enforcement built for autonomous software. As with retrieval and evaluation elsewhere in this series, the provider bundle is winning the default: enterprises reach first for the guardrails their platform ships, and the independent security layer that would address the identity and isolation gaps has not yet been adopted at scale.The provider-default pattern is consistent across both Q2 survey waves. In April–May (n=110), usage was led by the same names — OpenAI's controls at 26%, Azure at 15%, AWS at 14%, Google at 12% — with every dedicated agent-security specialist at 3% or below and one in ten using no dedicated tooling at all. Incidents are what start the buying cycle. Combined with the identity gap in Finding 2, the picture is of agents that are watched and permissioned but rarely boxed in, which is precisely the configuration in which a single failure propagates.Finding 4: Security runs on borrowed, provider-native controlsGuardrails from OpenAI, Google and Microsoft dominate; specialists barely registerWe asked which agent security tooling enterprises use, and which is their primary layer. Twelve percent of the respondents include an agent-identity product — Okta for artificial intellect Agents, Microsoft Entra Agent ID, or a non-human identity platform — anywhere in their consideration set, and among the credential-sharing organizations that have already had an incident, identity consideration is essentially unchanged, at roughly one in ten. When agents share credentials, a single compromised or over-permissioned agent carries a wide blast radius — and only three in ten enterprises (30%) isolate their highest-risk agents in sandboxes to bound that radius.What makes the gap notable is how comfortable enterprises are inside it. It is a false comfort in the making — the same enterprises expressing satisfaction are, as Finding 8 shows, a clear majority planning to change tooling within the year, which suggests the confidence is thinner than the score implies.Finding 6: Budgets haven’t caught upMost spend under a tenth of the security budget on agentsWe asked what share of the security budget enterprises allocate to securing artificial intellect agents. Only about a third (35%) believe their artificial intellect-enabled defenses are ahead of artificial intellect-enabled attackers; the rest are less sure — 32% call it roughly even, 21% think attackers are ahead, and another 21% say it is too early to tell. This is a directional read, not a precise measurement — the sample is self-selected and skews mid-market, so it's best read as the view from organizations actively standing up agent security rather than from the largest operators. Organizations where every agent carries its own scoped identity were hit at 40.9% (9 of 22). Yet spending remains a thin slice of the security budget, only a third of enterprises believe their artificial intellect defenses are ahead of artificial intellect-enabled attackers, and a clear majority plan to change tooling within the year. Among organizations that have been hit, 42.1% plan to adopt, add, or replace agent security tooling within the next ninety days, against 14.0% of organizations with no incident — and after a confirmed incident it becomes majority behavior, at 52.6%. The security stack is overwhelmingly borrowed from the model providers and hyperscalers rather than purpose-built for agents, spending remains a thin slice of the security budget, and enterprises are evenly split on whether their defenses are keeping pace with artificial intellect-enabled attackers. That so many report near-misses rather than only confirmed incidents is telling: enterprises are catching problems, but they are catching them close to the edge. The enterprises spending more than a tenth of their security budget on agents are a distinct minority, and they are likely the ones building the scoped-identity and isolation controls the rest have not.Finding 7: The arms race is even, at bestOnly a third think their artificial intellect defenses are ahead of artificial intellect-enabled attackersWe asked how enterprises assess the balance between their artificial intellect-enabled defenses and artificial intellect-enabled attackers. Given the incident rate in Finding 1 and the identity and isolation gaps in Findings 2 and 3, the budget looks like a lagging indicator — the risk has arrived faster than the funding to address it. The controls examined in the rest of this report — identity, isolation, enforcement — are what determine whether the next near-miss stays a near-miss.Exposure scales with company size, but containment does not. By organization size the sample is mid-market-weighted: 251–1,000 (42%) and 101–250 (25%) employees lead, with 1,001–5,000 (19%), 5,001–10,000 (8%), and 10,001+ (7%) above them. The control that bounds damage is the least common.Monitoring and enforcement are reasonably common; containment is not. The structural pattern, however, held across both Q2 waves on two differently worded questions: provider-native and hyperscaler controls lead, and dedicated agent-security specialists remain in low single digits. The comfort appears to rest on the convenience and low friction of provider-native controls rather than on demonstrated containment. Individual vendor percentages therefore carry all the usual sample caveats. The organizations running the most agents across the most systems carry the most incidents and the least of the one control that bounds an incident's blast radius.Finding 2: The identity gapOnly a third give every agent its own scoped identityWe asked how enterprises manage the identity of their artificial intellect agents — whether each agent has its own credentials, or agents share them. Only 42% report nothing, and a small remainder either run no agents in production or don’t track such events. Getting hit also changes the threat assessment: 33.3% of hit organizations say artificial intellect-armed attackers are ahead of their defenses, against 8.0% of the unhit. Respondents are senior and buyer-credible (45% final decision-makers, 30% recommenders/influencers), spanning managers through the C-suite, and drawn primarily from Technology/Software, Manufacturing, Retail/E-commerce, and Healthcare/Life Sciences. That ordering is backwards from a defense-in-depth standpoint: observation tells you what happened, enforcement tries to prevent it, but isolation is what limits the damage when prevention fails — and it is the control enterprises have adopted least. The control most directly implicated by the incident information is the one largely missing from the purchase plans. Full per-agent identity is the exception.Rolled together, the overlapping answers show 69% of enterprises (74 of 107) with credential sharing somewhere in the agent fleet. Technology/Software is the largest industry at 23%, followed by Manufacturing (15%), Retail/E-commerce (14%), and Healthcare/Life Sciences (13%).At 107 respondents the sample is large enough to read directionally but should be treated as a directional signal rather than a precise measurement; it is self-selected and is not a probability sample. The comfort is notably out of step with the exposure documented above.Satisfaction with agent security tooling is high — 4.2 out of 5 overall, and 4.1 for value for money — among the most positive readings in this series. The security stack is overwhelmingly provider-native — OpenAI’s guardrails (51%), Google’s and Microsoft’s cloud controls, and Anthropic’s managed-agent controls dominate, while the dedicated agent-security specialists barely register — and satisfaction with that borrowed stack is high, averaging 4.2 out of 5. The non-human identity problem — giving every agent its own governed identity — is the single largest unfinished piece of enterprise agent security.Moreover, a company’s agent credential posture is correlated with incidents. More than half have already had a confirmed agent security incident or a near-miss; only about a third give every agent its own scoped identity, and most agents still share credentials; and only three in ten isolate their highest-risk agents. Across 107 enterprises, artificial intellect agents are being given real access to systems and information while the controls meant to contain them lag behind. At 107 respondents in a single wave this is a directional read, skewed toward the mid-market — but the direction is clear: agent adoption is running ahead of agent security, and the controls that matter most when something fails — scoped identity and isolation — are the ones enterprises have built least. More than half of organizations (54%) have already had an agent security event — 18% a confirmed incident and 36% a near-miss caught before it caused harm. For a fast-emerging risk, the allocation is modest.Spending on agent security is still a thin slice. Enterprises are satisfied with controls they are simultaneously preparing to replace.MethodologyVentureBeat fielded this survey as part of its ongoing Pulse Research series, this instrument focused on enterprise agent security — the tooling, identity, isolation, and enforcement controls organizations use to secure autonomous artificial intellect agents. Whether this wave hardens the provider-native default or finally opens the door to purpose-built agent security — the identity and isolation controls the incidents call for — is the question this series will keep tracking.The bottom line: A security gap that autonomy will test firstOrganizations with more than 100 employees are giving artificial intellect agents real reach into systems and information while securing them with controls built for something else. As described in the methodology section, the respondent sample is self-selected and skews mid-market, and the usage question counted every vendor or approach a respondent has in place — so the figures measure presence in the security stack rather than spending or exclusivity. (Respondents could describe more than one pattern across their agent fleet, so these overlap.) The consequence is direct: when agents share credentials, an over-permissioned or compromised agent can act with far more reach than intended, and forensics after an incident cannot cleanly tell which agent did what. Most that run agents in production had.This is the report’s defining number. Nearly half (48%) say some agents have scoped identities but many still share credentials, and another 32% say agents mostly run on shared API keys or borrowed human and service-account credentials. Managers (43%), individual contributors (24%), VPs and directors (15%), and the C-suite (11%) make up the seniority mix. More than half have already had an incident or near-miss; only a third give every agent its own scoped identity, and most still share credentials; only three in ten isolate their highest-risk agents; and the stack doing this work is overwhelmingly borrowed from the model providers and hyperscalers rather than purpose-built for agents.The uncomfortable pairing is confidence with exposure: satisfaction with the current tooling is among the highest in this series, yet spending is a thin slice of the security budget, only a third believe their defenses are ahead of artificial intellect-enabled attackers, and a clear majority are already planning to replace what they have. The structural weakness beneath those numbers is identity: only about a third (32%) give every agent its own scoped, managed identity, while the rest report that some agents share credentials or that agents mostly run on shared API keys and human or service-account credentials. More than half of organizations (54%) have already experienced a confirmed agent security incident (18%) or a near-miss caught before harm (36%). Taken together, a clear majority (53%) rate the balance as even or tilted toward the attacker. Several questions were multiple-select, so those shares can sum to more than 100%.By role the sample is senior and buyer-credible: 45% are final decision-makers for artificial intellect purchases and another 30% recommenders or influencers. Read the individual shares loosely and the pattern with confidence.)Finding 5: And enterprises are comfortable with itSatisfaction is high, even as incidents mount and identity lagsWe asked how satisfied enterprises are with their current agent security tooling. In a domain where the offense is also compounding with artificial intellect, an even race is not a comfortable place to be.Finding 8: A security reshuffle is comingNearly six in 10 plan to adopt or switch tooling within a yearWe asked whether enterprises plan to adopt a new, additional, or replacement agent security solution, and which they are considering. The purpose-built agent-security category — Palo Alto’s Prisma AIRS, CrowdStrike, Cisco artificial intellect Defense, Zenity, HiddenLayer, Check Point’s Lakera, Okta for artificial intellect Agents, non-human identity platforms — barely registers, each in the low single digits, and only 5% run no dedicated tooling at all. The fully-scoped group is small, so for now the relationship is an association rather than proven causation, and the gap is concentrated in the mid-market — but within a single survey, a twenty-three point difference in incident rate suggests significance.Finding 3: Observe and enforce, but rarely isolateOnly three in 10 sandbox their highest-risk agentsWe asked what an organization’s agent security posture looks like in practice — whether they observe, enforce, isolate, or some combination. That uncertainty sits uneasily beside the high satisfaction of Finding 5: enterprises are content with their tooling yet unconvinced it is winning the contest it exists to win. The incident-or-near-miss rate rises from 49% in the mid-market (companies with 101-1,000 employees) to 63% at larger enterprises (above 1,000 employees), while sandbox isolation of high-risk agents falls from 35% to 20%, and satisfaction with security tooling drops from 4.36 to 3.97. The result is an agent security gap — autonomous agents proliferating faster than the identity, isolation, and enforcement controls needed to hold them.This wave of VentureBeat Pulse Research examines how enterprises secure their artificial intellect agents: what tooling they run, how they manage agent identity and isolation, what has already gone wrong, how much they spend, and whether they believe their defenses are keeping pace with artificial intellect-enabled attackers.The central finding is an agent security gap — the distance between the autonomy enterprises are granting their agents and the controls in place to contain them. The common finding from the two surveys: Enterprises are defaulting to the solutions provided by the platform they’re using, and the specialist category vendors have yet to become big players here.(A note on reading these shares. The open question for later waves is whether enterprises close it deliberately — or whether a confirmed incident closes it for them.Based on survey responses from 107 qualified enterprise respondents (100+ employees), drawn from a single June 2026 wave. Roughly half of enterprises observe agent activity (47%) or enforce scoped permissions at runtime (49%), but only 30% isolate their highest-risk agents in sandboxes that bound the blast radius when the other controls fail. Confidence is far from settled.Enterprises are split on whether they are winning. OpenAI’s guardrails lead at 51%, followed by Google’s and Microsoft’s cloud-native controls and Anthropic’s managed-agent controls — and when asked to name their single primary security layer, 82% name one of these provider-native offerings. Experience, in this information, is the strongest predictor of both urgency and pessimism.The consideration set still leans provider-native (OpenAI 34%, Google 30%, Anthropic 29%, Azure 25%), but the dedicated security vendors — Cloudflare, Cisco, Palo Alto, Okta, Check Point’s Lakera — draw early interest in the mid-to-high single digits, more than their current footprint. What the shopping does not yet include is the identity layer specifically. That is the striking part: enterprises are highly satisfied with a stack that is mostly borrowed provider guardrails, even though more than half have already had an incident or near-miss and only a third give their agents scoped identities. Responses are filtered to organizations with more than 100 employees (n=107; the survey’s smallest size band, 1–100 employees, is excluded), drawn from a single June 2026 wave.
Related Posts
“Giant superatoms” could finally solve quantum computing’s biggest problem
In the pursuit of powerful and stable quantum computers, researchers at Chalmers University of tech, Sweden, have developed the theory…
How to finance marine conservation without harming local communities
The true cost of marine conservation often falls on vulnerable coastal communities. Can a ‘beneficiary pays’ approach protect both endangered…
Artificial neurons successfully communicate with living brain cells
These flexible, low-cost devices generate lifelike electrical signals capable of activating living brain cells, a breakthrough demonstrated in mouse brain…
