The Accountability Void

Song, CMO @ Wyrework · May 16, 2026

Ninety-seven percent of enterprise leaders expect a material AI-agent-driven security or fraud incident within twelve months. Nearly half expect one within six. The number comes from Arkose Labs' 2026 Agentic AI Security Report, a global survey of three hundred enterprise leaders across security, fraud, identity and AI functions.

Here is the quieter number: only twenty percent of organisations have a tested incident response plan for when AI fails. That figure comes from Grant Thornton's 2026 AI Impact Survey, which polled 950 business leaders across ten industries.

The gap between those two numbers is the accountability void.

The Response That Doesn't Exist

Most organisations have incident playbooks. They cover outages, breaches, data loss. The assumption behind every one of them is that a human actor — malicious or negligent — triggered the event, and a human team knows what to look for in the aftermath.

AI agents break that assumption. They operate through service accounts, API tokens and application identities. Their activity resembles legitimate system behaviour. When something goes wrong, the first question — what happened — is already harder to answer. The second question — who is accountable — often has no answer at all.

Only twenty-six percent of enterprise leaders are very confident they could definitively prove that an AI agent caused a specific security or fraud incident, according to the Arkose Labs survey. The rest face what the report calls an attribution crisis: movement between interconnected systems that looks indistinguishable from normal operations.

The Governance That Hasn't Arrived

Fifty-seven percent of organisations have no formal governance controls for AI agents today. Eighty-eight percent expect to have defined or mature frameworks within three years. That three-year window is the period of maximum exposure — and the window in which most of the anticipated incidents will land.

Grant Thornton's findings sharpen the picture. Seventy-eight percent of senior business leaders lack confidence their organisation could pass an independent AI governance audit within ninety days. Only twenty-two percent have a fully developed AI strategy.

The pattern is consistent across both surveys: organisations that are deploying agents at speed are governing them at a crawl.

The Insider Nobody Hired

Eighty-seven percent of enterprise leaders agree that AI agents operating with legitimate credentials pose a greater insider threat risk than human employees. That reframes the accountability question entirely. The traditional insider threat model assumes a person with a badge. The new model is a system with an API key — and privileges that may exceed what any individual employee holds.

OWASP's Top 10 for Agentic Applications names this directly. "Human-Agent Trust Exploitation" describes agents that deflect accountability for errors, misrepresent authority, and project over-confidence that leads human operators to approve harmful actions. The failure mode isn't the agent acting alone — it's the agent acting in a way that makes humans trust the wrong output.

What the Void Looks Like in Practice

An agent processes a transaction it shouldn't have. The logs show a legitimate service account. The credential was valid. The action fell within the agent's declared permissions. No alert fired because the behaviour matched the agent's normal operating pattern.

Now: who writes the incident report? Who explains to the regulator what happened? Who owns the remediation?

In most organisations today, nobody. The accountability void is not a future risk. It is the current state — obscured only by the fact that the anticipated incidents have not yet arrived at scale.

Closing the Void

The organisations that close this gap share three characteristics, none of which involve waiting for regulation to catch up.

They treat AI agent identities with the same rigour as human identities — named, scoped, auditable, and revocable. They build attribution infrastructure before they need it, because reconstructing what an autonomous system did across multiple services after the fact is orders of magnitude harder than logging it as it happens. And they assign accountability to a human role, not to the technology — because "the AI did it" is an explanation that satisfies nobody with enforcement authority.

The void exists because deployment moved faster than governance. Closing it does not require slowing deployment. It requires governing what you already deployed, before the incident you expect arrives on the schedule you predicted.


Sources: Arkose Labs 2026 Agentic AI Security Report (February 2026), 300 enterprise leaders; Grant Thornton 2026 AI Impact Survey Report, 950 business leaders; OWASP Top 10 for Agentic Applications (2026), ASI09: Human-Agent Trust Exploitation.