The 97 Percent Paradox: Everyone Expects the Incident. Nobody’s Designing the Prevention.
Song, CMO @ Wyrework · April 8, 2026
Here’s a number that should end every argument about whether AI agent governance is a real problem: 97%.
That’s the percentage of enterprise leaders who expect a material AI-agent-driven security or fraud incident within the next twelve months. Nearly half expect one within six months. The data comes from Arkose Labs’ 2026 Agentic AI Security Report, based on 300 enterprise leaders across security, fraud, identity, and AI functions.
Ninety-seven percent expect the fire. Six percent of security budgets are allocated to preventing it.
Read that again. Not 6% of organizations. Six percent of budget.
The Permission Problem Is the Governance Problem
The incident everyone expects won’t come from a model hallucinating. It’ll come from an agent doing exactly what it was authorized to do — because nobody designed the authorization.
Teleport’s 2026 State of AI in Enterprise Infrastructure Security makes this measurable. Organizations with over-privileged AI systems — agents that can do more than they should — experience 4.5x more security incidents than those enforcing least-privilege controls. The incident rates: 76% for over-privileged systems versus 17% for those enforcing least privilege.
The gap isn’t a security vulnerability. It’s a governance design gap. The organizations at 76% didn’t fail to install enforcement tools. They failed to make the decisions those tools need to enforce.
Seventy percent of security leaders say AI systems in their organization have more access than a human in the same role. Not because someone made that decision. Because nobody made any decision, and the default was full access.
The Stack Keeps Growing. The Gap Keeps Widening.
The enforcement stack now includes fifteen named players. Microsoft, Okta, Cisco, CrowdStrike, ServiceNow, Astrix, Proofpoint, Bold Security, WitnessAI, AIGN Global, IBM, Palo Alto, NIST, EWSolutions, Adversa AI. Runtime policy enforcement, identity management, monitoring, compliance automation, threat intelligence.
Every one of them enforces something. Not one of them designs what gets enforced.
The CSA’s April 3 research note confirms: 86% of CISOs fear agentic AI will increase their attack surface. But the recommendations all point to enforcement — “engage NIST, ISO/IEC JTC 1 for agent-specific standards.” Standards for what to enforce after someone designs the governance. The design step doesn’t appear in the recommendation.
Meanwhile, 88% of organizations have already reported confirmed or suspected AI agent security incidents. The incidents aren’t theoretical. They’re in production. And the most common governance failure: deploy first, govern later.
Two Numbers That Explain Everything
Deloitte’s 2026 State of AI in the Enterprise puts it precisely: 30% of organizations report high governance readiness. Only 21% have a mature governance model for autonomous agents.
Compare that to technical infrastructure readiness at 43% and data management at 40%. The infrastructure is ahead of the governance. The tools to run agents exist. The decisions about what those agents should be allowed to do don’t.
This is the 97% paradox. Nearly every organization expects the incident. The infrastructure to prevent it exists — enforcement tools, identity management, monitoring, compliance automation. What doesn’t exist, in 79% of organizations, is the governance design that tells all those tools what to do.
The Design Layer
Policy enforcement without policy design is a padlock on an unlocked door. You have the mechanism. You don’t have the decision about what it protects.
The organizations that’ll be at 17% incident rates instead of 76% aren’t the ones that bought the most enforcement tools. They’re the ones that sat down with their actual workflows, their actual agents, their actual risk surface, and designed the governance before the first agent shipped.
What data can this agent access? Under what conditions can it act without approval? What triggers escalation? Who reviews its decisions, and how often? What happens when it encounters something outside its boundaries?
These aren’t security questions. They’re design questions. And no enforcement toolkit generates the answers.
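As an added illustration (not Wyrework’s product or code): the five questions above written down as a per-agent policy record, plus a check that answers allow, require approval, or escalate for each requested action. The schema, field names, and the sample refund agent are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Hypothetical schema (an assumption for this example): one record per agent,
# one field per design question from the post.
@dataclass(frozen=True)
class AgentPolicy:
    agent_id: str
    allowed_data: frozenset         # what data can this agent access?
    autonomous_limits: dict         # action -> max value it may act on without approval
    escalation_triggers: frozenset  # what triggers escalation to a human?
    reviewer: str                   # who reviews its decisions...
    review_every: int               # ...and after how many autonomous actions?

@dataclass(frozen=True)
class ActionRequest:
    action: str
    data: frozenset
    value: float = 0.0
    attributes: frozenset = frozenset()

def evaluate(policy, req, actions_since_review):
    """Return (decision, reason). Anything the policy did not explicitly
    anticipate is outside the agent's boundaries and is escalated, not allowed."""
    extra = req.data - policy.allowed_data
    if extra:
        return "escalate", "data outside policy: " + ", ".join(sorted(extra))
    if req.action not in policy.autonomous_limits:
        return "escalate", "action outside policy: " + req.action
    hits = req.attributes & policy.escalation_triggers
    if hits:
        return "escalate", "trigger: " + ", ".join(sorted(hits))
    limit = policy.autonomous_limits[req.action]
    if req.value > limit:
        return "require_approval", f"{req.action} of {req.value} exceeds limit {limit}"
    if actions_since_review >= policy.review_every:
        return "require_approval", f"review due: {policy.reviewer} must sign off"
    return "allow", "within least-privilege bounds"

# Constructed sample: a customer-support refund agent with a deliberately narrow policy.
REFUND_AGENT = AgentPolicy(
    agent_id="support-refund-agent",
    allowed_data=frozenset({"orders", "tickets"}),
    autonomous_limits={"refund": 50.0, "reply": 0.0},
    escalation_triggers=frozenset({"new_payout_account", "chargeback_open"}),
    reviewer="support-lead",
    review_every=100,
)
```

The point of the record is that the "default was full access" case from above has no representation here: an action or data class the designer never wrote down is escalated rather than silently permitted.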
That’s the layer that’s missing. That’s the layer we build.