Artificial Intelligence | Jun 11, 2026

AI Agent Security: Why the Execution Layer Is the Biggest Enterprise Risk in 2026


Enterprise AI adoption is moving faster than its security posture. According to a VentureBeat survey, 85% of enterprises are already running AI agents — but only 5% trust them enough to ship to production. The gap isn’t a technology problem. It’s a security architecture problem. The threats aren’t hypothetical anymore: 88% of enterprises reported an AI agent security incident in the past year. What’s changed in 2026 is where those incidents originate: not the model, not the network perimeter — the execution layer.

The Execution Layer: The New Attack Surface

Traditional enterprise security is built around a core assumption: actions are human-initiated. IAM, SIEM, DLP, and perimeter controls all optimize for monitoring and gating what a human does. AI agents invert that assumption. They operate at machine speed, across multiple systems simultaneously, with delegated credentials — and they do so based on instructions that can come from anywhere the agent is allowed to read.

This is the structural problem. Any content an agent retrieves — emails, documents, web pages, calendar events, PR descriptions, API responses — is simultaneously a data source and a potential instruction surface. The data layer has become the control plane. Bessemer Venture Partners’ 2026 analysis names this cleanly: 48% of cybersecurity professionals now rank agentic AI as the #1 attack vector. 92% of security professionals surveyed by Darktrace are concerned about AI agents’ impact on enterprise security.

How the Attacks Actually Work

The dominant attack class is indirect prompt injection — malicious instructions embedded in business data that an agent processes as legitimate tasks. A documented 2026 incident illustrates the risk: a single malicious instruction injected into a GitHub PR title caused three separate AI coding agents — Claude Code Security Review, Gemini CLI Action, and GitHub Copilot Agent — to each post their own API keys publicly. One input. Three agents. Three credential leaks.

The attack surface goes deeper than content injection. CVE-2026-26030 and CVE-2026-25592 in Microsoft Semantic Kernel demonstrate prompt-injection-to-RCE chains: CVE-2026-26030 exploited unsafe string interpolation in a vector store filter, enabling AST traversal to achieve code execution. CVE-2026-25592 exposed a file-download function as a KernelFunction, enabling arbitrary writes to the Windows Startup folder — a full sandbox escape from a single malicious prompt. Google researchers documented a 32% surge in web-embedded malicious prompt injection payloads between November 2025 and February 2026.

Two additional vectors complete the attack taxonomy for 2026:

  • Tool poisoning at the MCP layer: malicious logic injected into Model Context Protocol tool descriptions or open-source agent framework components, causing agents to execute attacker-controlled code while believing they’re invoking legitimate tools
  • Agent skill supply chain attacks: the ClawHavoc campaign uploaded 1,100+ malicious skills to the ClawHub marketplace in early 2026; a separate audit of open-source agent frameworks found 43 vulnerable components, most lacking CVE identifiers

The Confidence-Control Gap

The most dangerous number in enterprise AI security right now is this: 82% of executives believe their existing policies protect against unauthorized agent actions. Only 14.4% of organizations actually send agents to production with full security and IT approval. That gap — between perceived coverage and actual governance — is not a sign of bad intentions. It’s a visibility problem. Only 21% of enterprises have runtime visibility into what their agents are doing. You can’t govern what you can’t observe.

The financial stakes are now measurable. IBM’s cost-of-breach data puts shadow AI incidents at $4.63M per event — $670K above the baseline for standard data breaches. Gravitee.io’s State of AI Agent Security 2026 found that 97% of security leaders expect a material AI-agent-driven incident within 12 months. Only 6% of security budgets are allocated to address it.

What Effective Defense Looks Like

The industry is converging on a defense posture that addresses the execution layer specifically. Key elements:

  1. Context-layer governance: controlling what content agents can retrieve and treating incoming data as untrusted — not as ground truth. Retrieval-augmented and browsing agents must have trust boundaries on their data sources, independent of model instructions.
  2. Runtime visibility: agent actions logged at the tool-call boundary, not just at the network layer. Microsoft launched MXC (Microsoft Execution Containers) as OS-level sandboxing for AI agents, with OpenAI and Nvidia as launch partners.
  3. Agent identity governance: bounded intent constraints as a complement to credential validation. The Meta confused-deputy case shows that a valid credential with authorized access is no longer sufficient — the agent’s scope of action must also be explicitly constrained.
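As an added example (not code from this article or from any vendor it names), a minimal tool-call gateway in Python that implements items 2 and 3 above: each call an agent attempts is checked against a bounded per-agent scope and logged at the tool-call boundary, and outbound calls are scanned for credential-shaped strings so that the PR-title injection pattern described earlier is stopped before a key is posted. The agent scope, tool names, repository and secret patterns are constructed for illustration.

```python
import re
import time
from dataclasses import dataclass

# Hypothetical per-agent scope (constructed for this example): the tools an
# agent may call and the repositories it may touch.
@dataclass(frozen=True)
class AgentScope:
    agent_id: str
    allowed_tools: frozenset
    allowed_repos: frozenset

# Credential-shaped strings that must never leave via an outbound tool call.
# Illustrative patterns only, not a complete secret-detection ruleset.
SECRET_PATTERNS = (
    re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
)
OUTBOUND_TOOLS = {"post_comment", "create_issue"}  # tools that write outward
AUDIT_LOG = []  # one record per tool call, allowed or denied


def gate_tool_call(scope, tool, args):
    """Enforce the agent's bounded scope at the tool-call boundary.
    Returns (allowed, reason); every decision is appended to AUDIT_LOG so the
    execution layer stays observable whatever the model was told to do."""
    reason = None
    if tool not in scope.allowed_tools:
        reason = "tool outside agent scope"
    elif "repo" in args and args["repo"] not in scope.allowed_repos:
        reason = "target repo outside agent scope"
    elif tool in OUTBOUND_TOOLS:
        for value in args.values():
            if isinstance(value, str) and any(p.search(value) for p in SECRET_PATTERNS):
                reason = "outbound payload contains credential-shaped string"
                break
    AUDIT_LOG.append({"ts": time.time(), "agent": scope.agent_id, "tool": tool,
                      "args": args, "allowed": reason is None, "reason": reason})
    return reason is None, reason


if __name__ == "__main__":
    scope = AgentScope("review-bot", frozenset({"read_pr", "post_comment"}),
                       frozenset({"acme/app"}))
    # Constructed scenario: the PR title the agent read carried an injected
    # instruction and the model now tries to post a key in a comment.
    print(gate_tool_call(scope, "read_pr", {"repo": "acme/app", "pr": 42}))
    print(gate_tool_call(scope, "post_comment",
                         {"repo": "acme/app", "body": "token: sk-" + "a" * 24}))
```

The gate sits between the model and the tool runtime, so it enforces scope whether the instruction came from the operator or from retrieved content; the audit records are the runtime visibility the list above calls for.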

Cisco and CrowdStrike both announced agent identity governance offerings at RSAC 2026. The OWASP Agentic Top 10 is now a framework reference for engineering teams building secure agent pipelines.

Conclusion

The security question for 2026 isn’t whether to deploy AI agents. It’s whether your security posture was designed for them. The execution layer is where current enterprise defenses have a structural blind spot — and attackers have already found it. The 5% of organizations shipping agents to production with confidence are not moving more carefully; they’ve built runtime visibility, context governance, and bounded identity constraints as prerequisites. For the 85% still in pilot mode, the gap between confidence and control is the risk that matters most.