49% of Organizations Can’t See Their AI Agent Traffic
By Stephanie GoodmanApril 10, 2026
Darktrace’s 2026 cybersecurity report finds nearly half of organizations cannot monitor their AI agents, while most deployed agents bypassed security review.
AI Agents In BusinessSecurity In AI SystemsNews
A March 2026 report from Darktrace reveals a growing gap between AI agent deployment and the ability to govern it. Nearly half of organizations surveyed are entirely blind to machine-to-machine traffic generated by their AI agents. Only 14.4 percent of AI agents went into production with full security and IT approval, meaning the vast majority of deployed agents bypassed at least part of the review process.
The findings paint a picture of rapid deployment outpacing organizational readiness. Most organizations now use generative AI in at least one business function, and spending continues to climb. But formal AI policies remain uncommon, and a significant share of AI agent deployments are shadow installations that IT departments do not know about. These governance blind spots cannot be addressed by any external toolkit or regulation when the agents themselves are invisible to the teams responsible for managing them.
Perhaps most concerning is the disconnect between executive perception and operational reality. Leadership expressed broad confidence that existing policies protect against unauthorized agent actions, yet one in five organizations reported security breaches connected to unauthorized AI deployment. The gap between confidence and outcomes suggests many organizations are operating on assumptions about agent behavior rather than actual visibility into what their agents are doing.
The report arrives as new AI governance infrastructure becomes available, from state legislation to open-source security toolkits. But the data suggests the immediate bottleneck is not the absence of governance tools. It is the absence of basic visibility into agent activity—a prerequisite for any governance framework to function. Without knowing which agents are running, what they are accessing, and whether they were approved, organizations cannot meaningfully apply any policy, automated or otherwise.
For enterprises building agent-driven workflows, the takeaway is blunt: governance starts with inventory. Before evaluating frameworks, compliance checklists, or security toolkits, the first step is knowing exactly which agents operate in your environment and what they do. Everything else follows from that.
Sources
- State of AI Cybersecurity 2026 — Darktrace