Two-Thirds of Enterprises Suspect AI Agents Have Already Accessed Unauthorized Data, Akeyless Finds

PR Newswire
Today at 3:05pm UTC

Global study shows most organizations cannot detect compromised AI agents for hours, and are already spending over $1 million managing the fallout

NEW YORK and TEL AVIV, Israel, May 12, 2026 /PRNewswire/ -- Two-thirds of organizations using AI agents suspect those agents have already accessed data beyond their intended scope, according to a new global study released today by Akeyless, the company redefining identity security for the AI era. The findings are based on a survey of 400 IT and security leaders across the United States and United Kingdom, offering one of the first detailed looks at how AI agents are being deployed and secured inside enterprise environments.

The 2026 State of AI Agent Identity Security report shows how quickly AI agents have moved from limited use cases into core business systems, often with direct access to sensitive data and operational workflows.

Key findings include:

  • 67% suspect AI agents have already accessed data beyond their intended scope
  • 61% have revoked or rotated AI agent credentials due to suspected exposure
  • It takes an average of 14 hours to detect a compromised AI agent, followed by nearly a week to contain and remediate
  • Only 7% believe their controls would prevent a compromised agent from operating
  • Organizations spent more than $1 million on average in the past year responding to AI agent identity and security issues

"AI agents are not breaking in, they're being invited in with real credentials and broad access," said Oded Hareven, CEO and Co-Founder of Akeyless. "What this research shows is that most organizations don't yet have a clear picture of how those agents behave once deployed. The risk isn't unauthorized access, it's authorized access that isn't controlled in real time. And that risk persists because AI agents are being given static identities and long-lived credentials. AI agents need to be continuously governed at runtime, with ephemeral identity created at the moment of execution and removed immediately after."

The findings highlight a widening gap between how AI systems operate and how enterprises secure them. AI agents act in milliseconds, but detection and response still happen on human timelines. That delay creates a critical window in which compromised or misconfigured agents can move across systems using valid credentials.

The study shows widespread reliance on persistent credentials such as API keys and static secrets, often embedded in code or workflows. These credentials frequently carry broad permissions. More than four in five organizations say a single compromised credential could affect multiple major systems. At the same time, fewer than half report full visibility into where those credentials are stored, and many acknowledge that developers bypass identity controls to keep systems running.

The research also points to a structural mismatch: most identity and access management systems are built around human users operating in defined sessions, not autonomous systems acting continuously across distributed environments. As a result, organizations are managing AI agent identity across multiple disconnected tools, with limited consistency or real-time enforcement.

Highlighting the implications, nearly three-quarters of organizations say AI adoption would move faster if these risks were better controlled, suggesting that identity security is becoming a constraint on how far enterprises can push AI into critical operations.

Akeyless provides a runtime identity security platform designed for this shift, enabling organizations to secure connectivity between every AI agent and every system, continuously control AI agents through context-aware access, and maintain full visibility into how they access systems and data. The platform delivers complete forensic auditability of every action, securing AI agents, machine identities, and human access through a single, unified solution.

The full 2026 State of AI Agent Identity Security report is available at https://www.akeyless.io/ebooks/state-of-ai-agent-identity-security-report/

WEBINAR: What Are the Top AI Agent Identity Threats in 2026? Insights From the State of AI Agent Identity Security Report

Join Akeyless and MRA Research

Date: June 4, 2026 at 12 pm ET / 4 pm GMT

Link: https://www.akeyless.io/webinars/what-the-data-reveals-about-ai-agent-identity-risk/

About Akeyless

Akeyless delivers runtime identity security for AI agents, machines, and humans, securing over 220 billion identity interactions. Trusted by Fortune 500 enterprises, the platform establishes secure connectivity and enforces dynamic policies at runtime by issuing ephemeral, least-privilege identities with in-line control, monitoring, and revocation. Built on a zero-knowledge, post-quantum–ready foundation, Akeyless reduces risk and operational complexity. Backed by leading cybersecurity investors including JVP, Team8, NGP Capital, and Deutsche Bank, Akeyless enables organizations to secure every identity. For more information, visit www.akeyless.io.

Media Contact
Terri Shapiro
terri@number10strategies.com

View original content: https://www.prnewswire.com/news-releases/two-thirds-of-enterprises-suspect-ai-agents-have-already-accessed-unauthorized-data-akeyless-finds-302769768.html

SOURCE Akeyless