Most security teams can't answer this. The ones who can are the ones still in control of their environment.
Ask the smartest CISO you know how many AI agents are running on company data this week. Watch the pause. Most of them can't give a number. Microsoft's 2026 telemetry says 80% of Fortune 500 organizations have active AI agents in production. A separate Gravitee survey says 75.6% of organizations lack visibility into how those agents communicate with each other. The math isn't subtle. Most companies have agents they don't know about, doing things nobody approved.
This is the inventory problem. It comes before every other agent governance question. You can't write a kill switch for an agent you don't know exists.
Key takeaways:
A 2026 Gravitee survey found 75.6% of organizations lack full visibility into inter-agent communication, even when they think they've deployed responsibly.
Microsoft reported 80% of Fortune 500 organizations are running active AI agents in production environments today.
A discovery scan at one Fortune 500 company in early 2026 surfaced 600 ungoverned AI agents in 24 hours. They had access to AWS, Snowflake, GitHub, and production code deployment.
Most shadow agents are spawned by trusted employees: marketing automation, sales enablement, finance forecasting. Not malicious insiders. Eager ones.
Visibility before governance. The fastest path to an inventory is the 10-minute leadership question, the network log scan, and the finance audit. None of them require a new vendor.
Why can't most CISOs say how many AI agents are running in their company?
The agents weren't deployed the way traditional software is deployed. They were spun up by business teams who needed to move faster. Marketing built one to draft outbound emails. Sales built one to qualify leads. Finance built three for forecasting. Engineering built five to triage support tickets. None of them went through IT. None of them generated a ticket your security team could see. The first time most CISOs find out about a shadow AI agent is when it does something they have to answer for.
Industry data backs this up. Microsoft's 2026 security blog reports 80% of Fortune 500 companies are running AI agents in production. Gravitee's State of AI Agent Security 2026 report found 75.6% of organizations lack visibility into inter-agent communication. A discovery scan at a single Fortune 500 in early 2026 surfaced 600 agents that nobody had approved, nobody was monitoring, nobody could shut down on command, and nobody owned the consequences.
The root cause is structural. Most identity and access management systems were built for human employees. They can tell you when Sarah from finance logs in. They cannot tell you when a finance forecasting agent makes 47 API calls overnight against your data warehouse. The agent might be using Sarah's credentials. The agent might be using a service account nobody renewed. The agent might be using a token someone copied into a Slack channel six months ago.
Visibility for non-human identity is a different discipline than visibility for humans. Most companies haven't built it yet.
How do you build a fast first inventory of AI agents in your environment?
You don't need a new vendor to start. You need three things in one week. A leadership conversation, a network log scan, and a finance audit. Together they surface the majority of shadow AI agents in most environments. None of them require procurement.
Step 1: The 10-minute question. Ask your IT lead, your engineering lead, and your business unit heads the same question, separately, before they've compared notes: "What AI agents or automations are running in our environment right now, and what systems do they have access to?" You will get different answers. The gap between those answers is your governance gap.
Step 2: Network logs against AI provider endpoints. Run your network logs for the past 90 days against the API endpoints for OpenAI, Anthropic, Google AI, Cohere, Mistral, and the major AI provider IP ranges. Anything calling those endpoints from a service account or unattended workstation is an agent in production, whether your security team approved it or not.
Step 3: Finance audit for unexplained AI charges. Pull the last six months of vendor charges from finance. Anything labeled OpenAI, Anthropic, AWS Bedrock, Azure OpenAI, Vertex AI, or any AI-platform line item where you don't have a corresponding security review is an agent in production. Cross-reference the cost center to find the team running it.
A discovery scan tool, like the ones in this year's RSAC Innovation Sandbox, will get you there faster. The point isn't the tool. The point is that the inventory exists somewhere in your environment right now. It just isn't documented anywhere a CISO can find it.
What should be in an AI agent inventory record?
A useful inventory has six fields per agent. Without all six, you're tracking software, not governing it. The six fields: a unique agent name and version, a named human owner, the systems and data the agent can read, the actions the agent can take, the kill switch procedure, and the date the inventory record was last reviewed.
Anything less is a list. The point of governing the agent is being able to answer specific questions when something goes wrong. "Who is on the hook?" needs the named owner field. "What did it touch?" needs the read scope. "What did it change?" needs the action scope. "How fast can we stop it?" needs the kill switch procedure. "Is this still accurate?" needs the review date.
Run the inventory in a tool you already have. A spreadsheet works. A ticketing system works. A purpose-built agent governance platform works better at scale, but doesn't need to be in place to start. What matters is that every agent has a row, every row has all six fields, and every row gets reviewed at least quarterly.
How do you stop the shadow AI inventory from growing while you're trying to count it?
Three concurrent moves. Set a deployment standard. Make it easy to register an agent. Communicate that an unregistered agent is a security incident. The combination is what stops the growth. Any one of them alone fails.
Set the deployment standard. Every new AI agent gets an inventory record before it sees production data. Owner. Scope. Failure definition. Kill switch. The four-question approval model takes thirty minutes. It's not a security review. It's a governance conversation.
Make registration trivial. A web form. A Slack command. A simple intake that takes the developer ten minutes and produces a draft inventory record. The security team reviews and approves. If your registration process takes three weeks, your developers will route around it. The shadow agent problem grows.
Communicate that an unregistered agent is a security incident. Not a paperwork issue. An incident. With an incident response process attached. The Air Canada chatbot ruling in 2024 made it clear that companies own what their AI says or does. An unregistered agent operating on production data is a liability that gets attached to whoever turned it on. Make sure that fact is known across the business, not just in the security team.
The companies that get this right treat agent registration the way they treat onboarding a new vendor. The vendor doesn't get production access until the legal review and the security review are done. The same standard belongs on agents.
What does good visibility look like once the inventory is in place?
A weekly cadence beats a quarterly audit every time. Good visibility is not a one-shot inventory. It's a living view that detects change as it happens. Three signals matter: new agent appearing in network logs, an existing agent expanding its scope, and an existing agent failing in a way the owner hasn't acknowledged.
A new agent shows up the moment a developer registers it, or the moment your network logs flag a call to an AI provider endpoint from an asset that wasn't there last week. Either signal is fine. The point is that you find out within seven days, not 90.
An existing agent expanding scope is harder. You'll catch it through three patterns. New types of API calls in network logs. New systems showing up in the agent's audit trail. A meaningful change in cost on the finance side. Treat each as a trigger to review the inventory record and re-confirm scope.
A failing agent is the most expensive signal to miss. A customer-service agent at a mid-size company in 2025 began issuing refunds outside policy after a customer learned how to prompt it correctly. It ran for 11 days before anyone noticed. The cost wasn't the refunds. The cost was the trust rebuilding that took six months. Wire your monitoring to the agent's failure definition, not just to system uptime.
Frequently asked questions
What's the difference between a workflow automation and an AI agent?
A workflow automation runs a fixed series of steps on a trigger. The same input produces the same output. An AI agent reasons about the inputs, plans the steps, and makes choices. The same input can produce different outputs based on context. From a governance standpoint, the AI agent needs all six inventory fields because its actions aren't predictable in advance.
Do shadow AI agents really pose a different risk than shadow IT?
Yes. Shadow IT is a tool a person uses without approval. Shadow AI is a system that takes actions without approval, often without a human in the loop. The blast radius is bigger because the agent acts at machine speed. A shadow Dropbox folder is a data leak risk. A shadow AI agent with database write access is a data integrity risk, an audit risk, and a regulatory risk all at once.
How often should we re-run the inventory?
The inventory should update continuously through registration and monitoring. The full re-validation cadence depends on your risk tolerance. Most regulated organizations land on quarterly for full re-validation, with weekly delta reports for change. Anything slower than monthly will leave you operating on stale data.
What if the business unit refuses to register their agent?
Treat it as an incident. Loop in compliance and legal, not just security. Most refusals come from misunderstanding what registration is, not active resistance. Once a business owner understands the company owns what the agent says or does, the conversation usually shifts. If it doesn't, you have a bigger governance problem than shadow AI.
Where do shadow AI agents most often get discovered first?
In the finance system, when an unexpected line item appears for AI usage. In incident reports, when an agent does something that triggers an investigation. In network logs, when traffic to a new AI endpoint shows up. The discovery method that surprises CISOs least often: a regulator's question. Don't wait for that one.
The bottom line
You can't govern an agent you don't know exists. The first move in agent governance is the inventory. The fastest path to an inventory is the 10-minute leadership question, the network log scan, and the finance audit. The hardest part is keeping the inventory current as agents proliferate. Visibility before governance. Governance before scale. Scale before regret.
What AI agents are running in your environment that your security team doesn't know about?
Want to see where your organization stands? The free Agentic Trust Framework assessment at verifiedagents.ai takes ten minutes. For a deeper read, check out Agentic AI + Zero Trust: A Guide for Business Leaders and the Agentic Trust Framework.
