By Rajesh Beri | July 11, 2026
Enterprise companies knowingly deployed AI agents before building the controls to govern them. Now they are paying for it — and scrambling to retrofit.
That is the central finding from VentureBeat Research's June 2026 survey of 573 technical leaders at companies with 100 or more employees. The survey spanned five parallel investigations of the "agentic stack" — identity, evaluation, cost telemetry, context, and orchestration — and found the same pattern in every layer: deployment ran ahead of governance, visibility, and cost control. Fifty-four percent of companies already experienced an agent security incident or near-miss in the past 12 months. Twenty-seven percent do not learn what an agent costs until the invoice arrives.
Meanwhile, the hardware enterprises bought to power these agents sits largely unused. Eighty-six percent of GPU operators report utilization of 50% or less — the most expensive equipment in the building, running at no more than half capacity. Wall Street has spent the quarter debating whether the AI buildout is overbuilt. Enterprises just answered: it is underused.
The spending response tells the real story. Roughly six in 10 enterprises plan to switch or add vendors in each of the five control layers within the next 12 months. A third plan to move within the quarter. No layer has an established incumbent. The AI governance market, valued at roughly $492 million in 2026, is projected to exceed $1 billion by 2030. This is not a technology story. It is a $22 billion buying spree that has already begun.
The Five-Layer Agentic Control Gap
VentureBeat's research reveals that enterprises need governance across five distinct layers — and most are inadequately covered in all of them.
Layer 1: Identity — Who Is This Agent?
Sixty-nine percent of enterprises run credential sharing somewhere in their agent fleet. Multiple agents operate under one API key or service account, which means a single compromised agent inherits the reach of every workflow the key touches. The forensic trail goes cold at the credential level — five agents on one account leave no record of which agent did what.
The security math is unambiguous. Organizations with credential sharing anywhere experienced incidents at a 63.5% rate, versus 40.9% where every agent has its own scoped identity. Only 32% of enterprises give each agent a managed, scoped identity today.
The market has noticed. Palo Alto Networks completed its $25 billion acquisition of CyberArk in February 2026 and rebranded it as Idira, a next-generation identity platform for AI agent access and authorization. CrowdStrike closed its $740 million acquisition of SGNL and shipped Continuous Identity for AI Agents by June 15, using SPIFFE-based cryptographic identities that dynamically grant, deny, and revoke access based on real-time risk. Cisco acquired Astrix Security for $400 million, targeting the API keys, service accounts, and OAuth tokens that agents use to execute work at scale.
Combined: more than $26 billion in acquisitions targeting the single control layer most enterprises haven't built yet.
Layer 2: Evaluation — Is the Agent's Work Any Good?
Two-thirds of enterprises already permit agents to push changes to production on automated evaluations alone — or are engineering their pipelines to do so within 12 months. The problem: only 5% fully trust those evaluations.
Half of enterprises shipped an agent that passed internal evaluations and then caused a customer-facing failure. One in four watched it happen more than once. The most common weakness cited: "poor alignment with real-world outcomes" (29% of respondents). Once agents are live, only 23% run real-time quality checks on outputs. Another 51% monitor uptime only — the system is running, but nobody is checking whether the answers are right.
The NIST Generative AI Profile makes the same point: measurements gathered in controlled environments may not transfer to deployment because behavior changes with prompts, users, context, and operating conditions.
Layer 3: Cost Telemetry — What Does Each Agent Actually Cost?
Twenty-seven percent of enterprises exercise only reactive control of agent spend — they learn what an agent costs when the invoice arrives, with no per-agent budget or ceiling in place. Only 44% rigorously track what their AI compute actually costs and returns. Everyone else is estimating.
This measurement gap is compounded by the GPU underutilization crisis. Despite 86% of enterprises reporting GPU utilization at 50% or less, 45% say the emerging compute option they are most likely to evaluate next is an AI-specialized neocloud (CoreWeave, Lambda, Crusoe, Nebius). Under 2% actually use one today. Enterprises are shopping for more compute before measuring what they already own.
The FinOps Foundation's 2026 State of FinOps report found that 98% of FinOps teams now manage AI spend, up from 31% — but 41% of enterprises still waste 15% or more of their AI budgets on idle or poorly allocated resources.
Layer 4: Context — What Business Data Do Agents Read?
Fifty-seven percent of enterprises traced at least one confident, wrong agent answer to their own missing or inconsistent business context: wrong metrics, stale definitions, absent documents. Most saw it happen repeatedly.
The fix is a governed semantic layer — one authoritative definition of the business that every AI reads from. Only 25% of enterprises run one in production. Thirty-four percent are building one. Forty-one percent haven't started.
Microsoft's IQ platform targets exactly this layer, unifying siloed enterprise data into the single source of truth that feeds enterprise agents. ServiceNow's AI Control Tower took a similar approach, positioning its platform as the orchestration layer that ensures agents read from governed business definitions.
Layer 5: Orchestration — Who Coordinates Multi-Step Work?
Here is where the "agentwashing" problem becomes measurable. Seventy-one percent of enterprises say a quarter or fewer of their deployed "agents" can complete multi-step work on their own. Only 10% say true agents are the majority. The rest are single-prompt chatbots — what Gartner calls "agentwashing."
This matters because the label determines the bill. A chatbot with a human reading every answer needs none of the identity, evaluation, or cost controls this report covers. A true multi-step agent needs all of them. The inflated adoption figures — Zapier's survey shows 72% deploying autonomous agents, Writer's survey shows 97% — are the benchmarks boards use to pressure technical leaders into moving faster. VentureBeat's data says the real bar is far lower than headlines suggest.
Why This Matters
For CIOs and CTOs: The Vendor Lock-In Shift
The survey captured a significant shift in enterprise priorities. In spring 2026, the top concern about provider-controlled orchestration was security and permissioning limits (32%). By June, vendor lock-in led at roughly a third. The likely catalyst: the June 12 Commerce Department export order that took Anthropic's Claude Fable 5 offline for nearly three weeks, followed by open-weight releases from Z.ai's GLM-5.2 (MIT license, one-sixth the price of GPT-5.5) and Tencent's Hy3 (Apache 2.0).
The posture data reflects this: 51% now expect their primary control plane to be hybrid — provider-native plus external orchestration — by end of 2026, up from 34% in spring. Enterprises relying purely on provider-managed agent services fell from 12% to 7%.
For CFOs: The $26 Billion Signal
The security vendors are spending $26 billion on acquisitions because the enterprises haven't spent enough on controls. According to Gartner, spending on dedicated AI governance platforms will reach $492 million in 2026, growing to more than $1 billion by 2030. But the real spending is in the adjacent categories: agent identity, evaluation tooling, cost telemetry, and semantic layer infrastructure. Combined, the AI agent market is projected to grow from $10.9 billion in 2026 to $182.9 billion by 2033, a 49.6% CAGR.
The GPU underutilization alone represents billions in wasted capital. An NVIDIA H100 SXM5 8-GPU server costs $250,000–$350,000. At 50% utilization, enterprises are burning $125,000–$175,000 per server per year in idle capacity. Multiply across fleet sizes and the write-down risk is enormous.
For Business Leaders: The Cancellation Cliff
Gartner predicts more than 40% of agentic AI projects will be canceled by 2027. The causes: escalating costs, unclear business value, and inadequate risk controls. Forbes contributor Robert Szczerba argues the coming cancellation wave is "a management problem wearing a technology costume." Gartner estimates only about 130 of the thousands of vendors claiming agentic AI capabilities are genuine.
Deloitte's 2026 State of AI in the Enterprise report found that 74% of companies plan to deploy sophisticated AI agents within two years — but deployment is no longer the hardest part. Redesigning work, defining governance for autonomy, and measuring value clearly are where projects die.
Framework 1: Agentic Control Stack Readiness Assessment
Score your organization across all five layers (1–5 points each, max 25):
Identity Layer (1–5 points)
| Score | Criteria |
|---|---|
| 1 | Agents share API keys or human credentials. No inventory of agent identities. |
| 2 | Partial inventory exists. Some agents have dedicated service accounts, many share. |
| 3 | Majority of agents have scoped identities. Credential rotation is manual. |
| 4 | All production agents have scoped, managed identities. Automated rotation in place. |
| 5 | Cryptographic (SPIFFE-based) identities per agent. Real-time dynamic authorization. Zero standing privileges. |
Evaluation Layer (1–5 points)
| Score | Criteria |
|---|---|
| 1 | No automated evaluation. Ship based on manual spot-checking. |
| 2 | Pre-deployment evals exist but not tested against production outcomes. |
| 3 | Pre-deployment evals validated against production data. No real-time monitoring. |
| 4 | Real-time quality monitoring on agent outputs. Production incidents feed back into eval suite. |
| 5 | Continuous regression testing against production outcomes. Every failure becomes a permanent test case. Repeatability measured as a first-class metric. |
Cost Telemetry Layer (1–5 points)
| Score | Criteria |
|---|---|
| 1 | Learn agent costs when invoice arrives. No per-agent budget tracking. |
| 2 | Aggregate AI spend tracked. No per-agent or per-workload attribution. |
| 3 | Per-workload cost tracking in place. No automated budget ceilings. |
| 4 | Per-agent cost attribution with automated alerts. GPU utilization tracked at workload level. |
| 5 | Real-time per-agent cost dashboards. Automated budget ceilings with kill switches. GPU utilization rigorously tracked and optimized above 70%. |
Context Layer (1–5 points)
| Score | Criteria |
|---|---|
| 1 | No governed definitions. Agents pull from whatever data they can reach. |
| 2 | Some key metrics and entities defined, but not enforced across all agents. |
| 3 | Governed semantic layer under construction. Core metrics unified. |
| 4 | Semantic layer in production. All agents read from governed definitions. Periodic audits. |
| 5 | Real-time governed semantic layer. Automated drift detection. Version-controlled business definitions with change management. |
Orchestration Layer (1–5 points)
| Score | Criteria |
|---|---|
| 1 | No orchestration. Individual agents deployed ad hoc. No multi-step coordination. |
| 2 | Basic workflow tooling. Agents primarily single-prompt with human-in-the-loop. |
| 3 | Multi-step agent workflows in production for some use cases. Hybrid control plane (provider + external). |
| 4 | Centralized control plane. Agent portability across providers. Rollback capabilities. |
| 5 | Full hybrid orchestration. Multi-provider agent portability. Real-time monitoring with automated intervention. Disaster recovery tested. |
Scoring Interpretation
| Total Score | Readiness Level | Recommended Action |
|---|---|---|
| 5–10 | Critical Gap | Stop deploying new agents. Audit existing fleet for shared credentials and unmonitored access. |
| 11–15 | Below Baseline | Prioritize identity and cost layers. Establish per-agent budgets. Begin semantic layer buildout. |
| 16–19 | Progressing | Close evaluation and orchestration gaps. Test evals against production outcomes. Build hybrid control plane. |
| 20–22 | Advanced | Optimize GPU utilization. Implement real-time dynamic authorization. Add continuous regression testing. |
| 23–25 | Production-Grade | Focus on portability and multi-provider resilience. Benchmark against VB Transform Q3 survey data. |
Based on VentureBeat's data, the median enterprise likely scores 8–12 — firmly in the "Below Baseline" range.
Framework 2: 90-Day Agentic Control Retrofit Plan
For enterprises that deployed agents ahead of controls (which is most of them), here is a phased remediation plan:
Phase 1: Weeks 1–4 — Inventory and Triage
Goal: Know what you have and where the biggest risks are.
| Week | Action | Success Criteria |
|---|---|---|
| 1 | Inventory all deployed agents — type (true agent vs. chatbot), credentials, data access, production status | Complete agent registry with credential mapping |
| 2 | Classify agents by autonomy level: single-prompt, human-in-loop, multi-step autonomous | Clear tier labels on each agent |
| 3 | Audit credential sharing. Identify all agents running on shared API keys or human credentials | Shared credential map with blast-radius assessment |
| 4 | Measure GPU utilization per workload. Calculate idle cost per server | Utilization report with dollar waste quantified |
Expected outcome: A clear picture of how many "agents" are actually chatbots (likely 75%+), which credentials are shared (likely 69%), and how much GPU capacity is wasted (likely 50%+).
Phase 2: Weeks 5–8 — Close the Identity and Cost Gaps
Goal: Eliminate the two highest-risk attack surfaces.
| Week | Action | Success Criteria |
|---|---|---|
| 5–6 | Assign scoped, managed identities to every production agent, starting with agents that touch customer data or financial systems | Zero shared credentials on high-risk agents |
| 7 | Implement per-agent cost tracking with automated budget ceilings | Per-agent cost dashboards live |
| 8 | Consolidate or decommission GPUs running below 30% utilization. Migrate bursty workloads to serverless/neocloud | Utilization above 50% on all retained hardware |
Expected outcome: Incident rate drops from ~63% (credential sharing) toward ~41% (scoped identities). GPU waste reduced by 30–50%.
Phase 3: Weeks 9–12 — Evaluation and Context Governance
Goal: Ensure agent outputs are correct, not just operational.
| Week | Action | Success Criteria |
|---|---|---|
| 9 | Test existing automated evaluations against production outcomes. Identify gaps between eval scores and customer-facing failures | Eval-to-production alignment report |
| 10 | Convert every production incident and customer escalation into a permanent regression test | Incident-driven test suite established |
| 11 | Begin governed semantic layer buildout: unify core metrics and entity definitions | Core metrics catalog published |
| 12 | Implement real-time output quality monitoring (not just uptime) on top-priority agents | Quality dashboards live on 3+ agents |
Expected outcome: Eval trust improves from 5% baseline. Context-driven hallucinations reduced as agents read from governed definitions.
Market Context: The $26 Billion Control Stack Arms Race
The enterprise security industry is consolidating around agent governance at unprecedented speed:
| Acquirer | Target | Deal Value | Control Layer | Status |
|---|---|---|---|---|
| Palo Alto Networks | CyberArk (now Idira) | $25B | Identity | Completed Feb 2026, GA May 2026 |
| CrowdStrike | SGNL | $740M | Identity | Completed, product shipped June 2026 |
| Cisco | Astrix Security | $400M | Identity (NHI) | Announced May 2026 |
These acquisitions total more than $26 billion — and they target just one of the five control layers. The evaluation, cost telemetry, context, and orchestration layers remain wide open, with no established incumbents. VentureBeat's data shows 57%–64% of enterprises plan to add or switch vendors across all five layers within 12 months.
The current default across all layers is the model provider's built-in tools — OpenAI's guardrails lead at 51%, followed by Google Cloud (36%), Microsoft Azure (35%), and Anthropic (29%). These defaults are winning on convenience, but they do not provide scoped identity or isolation, the two controls most correlated with lower incident rates.
The parallels to cloud security a decade ago are striking. Palo Alto Networks, CrowdStrike, and Wiz built multi-billion-dollar businesses on the gaps that native cloud controls left open. Agent security is tracking the same path — faster. As CrowdStrike CTO Elia Zaitsev put it at RSAC 2026: "Observing actual kinetic actions is a structured, solvable problem. Intent is not."
Forrester's 2026 agentic AI assessment, titled "Companies Are Chasing, Few Are Catching," found roughly three-quarters of enterprises adopting agentic AI but only a sliver running it in production. Forty-nine percent of security decision-makers flagged agentic AI as a concern. An academic study of agentic AI adoption across industrial firms placed most companies at the lowest rungs of an agent-maturity scale, with exactly one company reaching genuine multi-agent orchestration.
Case Study: From Credential Sharing to Scoped Identity at Scale
The VentureBeat data provides a natural experiment. Organizations that eliminated credential sharing everywhere in their agent fleet experienced a 40.9% incident rate. Those with credential sharing anywhere operated at 63.5% — a 55% higher risk.
One concrete example of the remediation path: CrowdStrike's Continuous Identity for AI Agents, shipped June 15, 2026, uses the SPIFFE open standard to assign every agent a cryptographically verifiable identity. Instead of sharing API keys, each agent gets a short-lived certificate that dynamically grants, denies, and revokes access based on the agent's owner, its calling context, and the device's real-time risk posture.
The practical lesson is straightforward. A financial services firm running 200 agents with 50 shared API keys faces exposure across every workflow those keys touch. Migrating to per-agent scoped identities — whether through CrowdStrike's SGNL-based solution, Palo Alto's Idira platform, or an in-house implementation — reduces the blast radius from "entire fleet" to "single agent." VentureBeat's data suggests this one change could cut incident rates by roughly 35%.
The UK's AI Safety Institute analyzed more than 177,000 agent tools built between late 2024 and early 2026 and found that "action" tools — those that send emails, change files, or move money rather than just describe it — rose from 24% to 65% of usage in 16 months. Agents are crossing from suggestion to action faster than controls can keep up. The credential-sharing problem is not static; it is compounding.
What to Do About It
For CIOs: Technical Next Steps
- Audit agent identities this quarter. The data is clear: credential sharing is the highest-correlation risk factor. Give every production agent a scoped, managed identity before adding new agents.
- Measure GPU utilization per workload, not per cluster. Eighty-six percent utilization below 50% means most enterprises should optimize existing compute before buying more — whether from neoclouds, AMD, or new NVIDIA hardware.
- Build a hybrid control plane. The majority (51%) expects hybrid orchestration by year-end. Start evaluating external orchestration tools that work across providers.
For CFOs: Financial Next Steps
- Quantify GPU waste in dollars. At current H100 prices, 50% idle capacity on a 10-server fleet burns $1.25–$1.75 million per year. This is a board-level write-down risk.
- Require per-agent cost attribution. Twenty-seven percent of enterprises lack it entirely. No agent should deploy without a budget ceiling and cost tracking.
- Watch the vendor switching wave. 57%–64% of enterprises plan to change vendors across five control layers. Your procurement team will be inundated. Build an evaluation framework now.
For Business Leaders: Strategic Next Steps
- Challenge "agentwashing" in your org. Ask the hard question: of deployed "agents," how many complete multi-step work autonomously? VentureBeat's data says it's probably fewer than 25%.
- Set success metrics before greenlighting pilots. Forbes' Robert Szczerba identifies three questions every executive should answer before funding an agent project: What is the success metric? What data does it need? When it fails, who owns the outcome?
- Plan for the retrofit, not just the rollout. Deloitte's data shows deployment is no longer the hardest part. Governance, value measurement, and rollback controls are where the next 18 months will be won or lost.
Continue Reading
- 88% of Enterprises Had AI Agent Security Incidents. 82% Think Their Policies Protect Them.
- 9 in 10 Enterprises Breached Through Identity No One Manages
- AI Saves 11 Hours a Week. Workers Waste 6.4 Babysitting It.
- 98% of FinOps Teams Now Manage AI Spend. It Was 31%.
- ServiceNow Just Launched AI Employees With Managers and KPIs. This Changes Everything.
