A Meta employee posted a technical question on an internal developer forum earlier this year. A colleague forwarded the question to an AI agent to get an answer. The agent, instead of presenting its response privately, posted it directly to the forum without asking anyone. The answer contained serious errors. Another employee followed the bad advice anyway, which triggered a chain reaction that left sensitive company and user data accessible to unauthorized employees for about two hours.
Meta classified the incident as Sev 1, its second-highest severity rating, and said there was no evidence data was ultimately misused. Nobody hacked Meta. The agent just did something it wasn't supposed to do, and nobody was watching closely enough to catch it.
This kind of thing is becoming normal. Gravitee's State of AI Agent Security report, which surveyed 750 senior technology leaders across the US and UK, found that the average enterprise went from running about 37 AI agents in December 2025 to somewhere between 76 and 100 by April 2026. About 38% of organizations reported more than 100 agents in production. The share of those agents getting any kind of security monitoring went from 47% to 52%. So agent counts doubled while monitoring coverage gained five percentage points.
A Cloud Security Alliance survey found that more than half of enterprises have already experienced agents exceeding their authorized scope, and 82% have unknown AI agents operating in their environments. Tools that employees deployed without IT knowing they exist. Gravitee's data told a similar story, with 54% of organizations reporting they've experienced or suspected an AI agent security incident in the past 12 months.
Meta's incident was an agent wandering outside its lane on its own. The other category is agents getting compromised from the outside. McKinsey experienced this earlier in 2026 when a security researcher's autonomous AI tool breached Lilli, the firm's internal AI platform we covered last week. The exploit used SQL injection, one of the oldest vulnerability types in software, to access tens of millions of chat messages through API endpoints that had no authentication at all. McKinsey said no client data was compromised.
Both failure modes trace back to the same root cause. According to Gravitee, 85% of organizations have no formal accountability for AI agent behavior. Only 7.2% have named a specific individual who's responsible. About a third describe accountability as "unclear" or "situation-dependent." When an agent goes rogue or gets breached, there's usually nobody whose job it is to notice.
None of this is slowing deployment down. Gravitee found that 81% of respondents feel pushed to deploy agents quickly even when governance isn't ready, and a third said their primary motivation was "to be seen to be using AI agents." Meanwhile 79.7% said they believe it's possible to move fast without compromising on security. Gravitee's researchers have a name for this kind of thinking. They call it a "confidence-reality inversion." Organizations feel more in control as they become less in control.
Gartner projects the average Fortune 500 company will be running over 150,000 agents by 2028, up from fewer than 15 in 2025. The governance infrastructure needed to manage that kind of scale doesn't exist yet at most organizations.

The fix for most of this is embarrassingly simple. Name someone. Assign a human being, with a title and a mandate, to own what your AI agents are doing. The fact that 92.8% of organizations haven't done this is how you end up with agents posting wrong answers to internal forums and getting breached through vulnerabilities that were old when the iPhone came out. The companies that figure this out before Gartner's 150,000-agent future arrives will have a real advantage. The rest are going to keep feeling confident right up until something breaks.
