Share one API key across five AI agents, and a single compromised agent inherits the reach of all five. The attacker immediately benefits from the accumulated permissions of every workflow that the key touches. The forensic trail goes cold at the credential level because five agents on one account leave no record of which agent did what.
Sixty-nine percent of enterprises run agents with credential sharing somewhere in their deployments, according to VentureBeat’s June 2026 Pulse Research wave of 107 enterprises.
That one number explains the buying spree reshaping enterprise security this year. Palo Alto Networks, CrowdStrike, and Cisco have collectively bet more than $22 billion on it in the past year, targeting exactly the layer most enterprises in this survey haven't finished building.
Palo Alto Networks completed its acquisition of CyberArk on February 11 for $21.1 billion in total consideration at close — a deal it announced last July at roughly $25 billion and the largest in the company's history.
CrowdStrike closed its $740 million acquisition of runtime authorization platform SGNL and, by June 15, shipped the first product from the deal, Continuous Identity for AI Agents. CrowdStrike integrated SGNL in less than a year, delivering a product that validates every agent action in real time based on who owns it, who is calling it, and the device's risk posture.
Cisco announced its intent to acquire non-human identity specialist Astrix Security on May 4 for a reported $400 million.
For a security director, this survey reads as a board-level question, not a trend line. It also surfaces a finding no competitor’s data shows, one that exposes which companies are the most at risk.
The data below is the first look at VentureBeat’s Q2 Agentic Security report, drawn from 107 qualified respondents at organizations with more than 100 employees. The full report will be released to attendees at VB Transform, the event in Menlo Park next week (July 14-15) focusing on enterprise autonomous agents.
Forty-five percent are final decision-makers for AI purchases. The sample skews mid-market, so read the numbers as the view from organizations adopting agent security right now rather than from the largest enterprises.
More than half of respondents, 54%, have already had an agent security incident or near-incident. Eighteen percent confirmed an incident, and thirty-six percent caught a near-miss before a breach. Security teams are stopping most of these events at the last control point in the chain, but the rest of the data shows how thin that margin is.
Your agents are sharing credentials
Only 32% of enterprises give every AI agent its own scoped, managed identity. Nearly half (48%) report that some agents have scoped identities, while many still share credentials. Another 32% say agents mostly run on shared API keys or borrowed human and service-account credentials. The survey question allowed more than one selection, and 24 of the 107 respondents chose multiple options — which is why the three categories sum to 112%. Deduplicated by respondent, 74 organizations, or 69%, flagged credential sharing in at least one answer.
One number explains why the acquisitions target this layer. A shared credential converts a single compromised agent into many, and CyberArk's research puts machine identities at 82 for every human in organizations worldwide, with agents as the fastest-growing category of the ratio. Cisco made the same diagnosis when it bought Astrix, whose founders built the company around API keys, service accounts, and OAuth tokens. Cisco’s announcement calls those the credentials AI agents are now “using (and abusing)” to execute work at scale.
Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, described the mechanism directly in an interview with VentureBeat. Some AI systems have their own identities, he said, and in other cases “people give their identity to the AI to take action on their behalf, and that also further kind of murkies the water and makes it very complex.” The murk is the point, because when the identity is shared, attribution dies with it.
Exposure scales with size, and containment does not
Forty-nine percent of enterprises enforce scoped permissions at runtime, and 47% monitor and log agent activity, which can help reduce security incidents. Only 30% sandbox their highest-risk agents, the one control that limits blast radius when the first two fail. Isolation is what keeps a single compromised agent from becoming a deployment-wide event. Enterprises have funded detection and resistance, but the containment layer barely exists.
The sharpest finding in the survey, and the one no vendor report captures, shows up when you split results by company size. The incident rate is 49% for companies with 101 to 1,000 employees, but it shoots up to 63% for companies with more than 1,000. Sandbox isolation moves the other way, falling from 35% to 20% at the larger companies.

The exposure-to-containment gap widens from 7 points at small companies to 60 points at the largest. Source: VentureBeat Pulse Research, June 2026 wave, n=107.
The chart above shows the same finding at finer granularity: the 49%/63% split above is a binary cut at 1,000 employees, while the bars here break incident rate and isolation rate into four size bands. The red line measures incidents and near-misses, and the navy tracks the one control that contains damage after everything else fails. At organizations with 101 to 250 employees, the two sit 7 points apart, but above 5,000, the gap blows out to 60 points. That top band pools the survey's two largest size groups and holds only 15 respondents, so treat the number as directional. Larger enterprises run more agents across more systems, which drives incidents up while sandboxing, the engineering project that would contain them, goes unfunded. The enterprises with the most agents have the least isolation around them.
The deals target exactly those accounts. Palo Alto Networks, Cisco, and CrowdStrike sell to large enterprises first, where incident rates are highest and containment is the thinnest.
Guarded by whoever shipped the model
The model providers are the security layer. OpenAI's built-in guardrails lead at 51%. Google Cloud reaches 36%, Microsoft Azure's Purview and Copilot Studio DLP 35%, and Anthropic's managed-agent controls 29%. Eighty-two percent of respondents name a provider-native or hyperscaler control as their single primary agent security layer.

A red cliff of bundled controls, then a long tail of purpose-built specialists in single digits. Source: VentureBeat Pulse Research, June 2026 wave, n=107.
The purpose-built specialists are in single digits, with Palo Alto Networks' Prisma AIRS at 7%, CrowdStrike at 6%, and Okta for AI Agents at 4%. Zenity and the dedicated non-human identity platforms are at 3% each. Microsoft Entra Agent ID is the highest-penetration identity-specific control in the dataset at 13%, the only one from a hyperscaler, and it still falls outside the top four. Only 5% of enterprises run no dedicated agent tooling at all, and the rest have tooling that came pre-installed.
Bundled controls lead because they ship free and are enabled by default. Most filter prompts and outputs, but they do not give an agent its own identity or sandbox it. Hyperscalers sell identity-layer products, and Entra Agent ID is in the dataset at 13%, but adoption stays low. The two controls that reward incident data the most, scoped identity and isolation, are the two that the default stack does not include.
Prompt-and-output filters evaluate whether a call looks malicious. That is an intent problem, and intent cannot be solved at the language layer. CrowdStrike CTO Elia Zaitsev drew the line in an interview at RSAC 2026. "Observing actual kinetic actions is a structured, solvable problem," Zaitsev said. "Intent is not." CrowdStrike's Falcon sensor walks the process tree on an endpoint and tracks what agents did, not what agents appeared to intend. A scoped identity and an isolation boundary give that sensor something to track, while a shared credential on a bundled guardrail does not.
Cloud security went through the same cycle a decade ago, and Palo Alto Networks, CrowdStrike, and Wiz built multi-billion-dollar businesses on the gaps native cloud controls left open. Agent security is tracking the same path faster. A misconfigured storage bucket sat open until a human noticed. A misconfigured agent exploits its own over-permissioning on every run, and no human is watching when it does. Merritt Baer, chief security officer at Enkrypt AI and a former deputy CISO at AWS, told VentureBeat that the default layer is thinner than enterprises assume. "Enterprises believe they've 'approved' AI vendors, but what they've actually approved is an interface, not the underlying system," Baer said. "The real dependencies are one or two layers deeper, and those are the ones that fail under stress."
Comfortable, unconvinced, and already shopping
Here is the contradiction worth a keynote slide. Enterprises rate their agent security tooling 4.2 out of 5, with value for money at 4.1 and ease of implementation at 3.9. Those scores would make most SaaS vendors envious.

High satisfaction, low conviction, and a 12-month buying wave. Source: VentureBeat Pulse Research, June 2026 wave, n=107. Arms-race shares sum to over 100% (multiple responses).
Only 35% believe their AI-enabled defenses are ahead of AI-enabled attackers, while thirty-two percent call it roughly even. Twenty-one percent say attackers lead, and another 21% say it is too early to tell, showing how enterprises trust their tooling more than they trust its outcomes.
Budgets confirm it. Forty-six percent allocate 6 to 10% of the security budget to agent security, and a full third spend 5% or less. Half the sample has already had an incident or near-miss, but the funding does not match the exposure.
Fifty-nine percent plan to adopt, add, or replace agent security tooling within 12 months, and twenty-nine percent plan to move this quarter. OpenAI leads forward interest at 34%, followed by Google at 30%, Anthropic at 29%, and Azure at 25%. The dedicated vendors draw more interest looking forward than their current single-digit footprint suggests. Satisfied customers do not reshuffle this fast unless they know the stack they're currently using is provisional.
Three moves for security directors
1. Inventory every agent’s credentials this quarter. Map which agents share credentials with other agents and which run on borrowed human or service-account identities. The goal is not one credential per agent. Agents that touch multiple systems need multiple scoped identities. The goal is zero shared credentials between agents and zero borrowed human identities. Thirteen percent of surveyed enterprises already run Microsoft Entra Agent ID. Okta for AI Agents and the non-human identity specialists sell equivalents. Shared and borrowed credentials are the first thing to eliminate.
2. Sandbox the riskiest agents first. Isolation is the least-adopted control at 30% and the only one that contains blast radius after prevention fails. Rank agents by the sensitivity of what they touch and isolate the top of the list. Above 1,000 employees, where isolation falls to 20%, this is the single highest-return move in the dataset. Sandboxing does not require replacing the agent or the platform. It requires a policy decision and an isolation layer.
3. Match the budget to the incident rate. A third of enterprises fund agent security at 5% or less of the security budget, even though more than half have already had an incident or near-miss. Nine percent allocate more than 25% today. The full report breaks out exposure and containment by company size, showing which bands carry the most risk and the least protection.
The board's question is simpler. If one of our AI agents was compromised this afternoon, which systems did it touch, and whose credentials was it holding? For the 69% of enterprises running agents on shared credentials, the answer is a shrug. The trail goes cold at the key.
The full Q2 Agentic Security report, with the complete vendor matrix, industry cuts, and the full dataset behind these charts, debuts July 14 and 15 at VB Transform, held at Hotel Nia in Menlo Park. The open question it leaves is whether enterprises close the agent security gap on their own terms, or whether a confirmed breach closes it for them.









English (US) ·