88% of orgs had AI agent incidents. 82% of execs think they're protected. here's the gap.

Gravitee surveyed 900+ executives and technical practitioners for their State of AI Agent Security 2026 report. Two numbers from it that don't make sense together: 88% of organizations reported confirmed or suspected AI agent security incidents in the last year 82% of executives feel confident their existing policies protect against unauthorized agent actions Both numbers are real. Both are from the same report. And they describe the same organizations. So what's going on? The governance stack has a missing layer The report also found that 80.9% of technical teams have moved past planning into active testing or production. But only 14.4% deployed with full security/IT sign-off. That means the majority of agents running in production right now were deployed without the security team approving them. RSAC 2026 (March 23-27, San Francisco) made this painfully visible. Every major vendor announced agentic AI governance features: Cisco open-sourced DefenseClaw -- scans MCP servers, inventori