97% Expect a Breach. 6% Are Paying for It.
A new report from Arkose Labs surveyed 300 enterprise security leaders globally. The numbers tell a familiar story.
97% expect a serious AI-agent security or fraud incident within the next 12 months — nearly half expect one within six months. Yet only 6% of security budgets are allocated to this risk.
That gap alone is damning — but the details are worse. 82% of executives say existing policies protect against unauthorized agent actions, yet only 14% actually send agents to production with full security and IT sign-off. More than half of all agents run with no oversight or logging at all, and only 24% have full visibility into which agents are talking to each other.
So: near-universal expectation of failure, near-zero budget response, and a majority of executives who believe their 2023 policies cover autonomous systems that didn’t exist in 2023.
This is the same organizational delusion that played out with cloud, mobile, and IoT — each time with the same sequence: deploy fast, assume existing controls transfer, discover they don’t, scramble to patch.
By end of 2026, agents are predicted to execute 30% or more of SOC workflows. The security function meant to catch incidents will itself be running on systems with no oversight or logging.
The breach isn’t the risk anymore. The coverup is.