代理安全缺口:54%企業已遭遇AI代理事故,多數仍讓代理共享憑證
重點摘要
在107家企業中,AI代理被賦予實際系統與資料的存取權限,但其管控機制卻遠遠落後。超過半數企業已確認發生代理安全事件或險些事故;僅約三分之一為每個代理分配專屬身分,多數代理仍共享憑證;只有三成企業隔離最高風險的代理。安全防護堆疊大多來自模型供應商與超大型雲端業者,而非專為代理打造;安全預算僅佔極小比例;企業對於自身防禦能否跟上AI攻擊者腳步的看法分歧。結果形成代理安全缺口——自主代理擴散速度遠超過所需的身分、隔離與執行控制機制。
Across 107 enterprises, AI agents are being given real access to systems and data while the controls meant to contain them lag behind. More than half have already had a confirmed agent security incident or a near-miss; only about a third give every agent its own scoped identity, and most agents still share credentials; and only three in ten isolate their highest-risk agents. The security stack is overwhelmingly borrowed from the model providers and hyperscalers rather than purpose-built for agents, spending remains a thin slice of the security budget, and enterprises are evenly split on whether their defenses are keeping pace with AI-enabled attackers. The result is an agent security gap — autonomous agents proliferating faster than the identity, isolation, and enforcement controls needed to hold them.This wave of VentureBeat Pulse Research examines how enterprises secure their AI agents: what tooling they run, how they manage agent identity and isolation, what has already gone wrong, how much they spend, and whether they believe their defenses are keeping pace with AI-enabled attackers.The central finding is an agent security gap — the distance between the autonomy enterprises are granting their agents and the controls in place to contain them. More than half of organizations (54%) have already experienced a confirmed agent security incident (18%) or a near-miss caught before harm (36%). The structural weakness beneath those numbers is identity: only about a third (32%) give every agent its own scoped, managed identity, while the rest report that some agents share credentials or that agents mostly run on shared API keys and human or service-account credentials. When agents share credentials, a single compromised or over-permissioned agent carries a wide blast radius — and only three in ten enterprises (30%) isolate their highest-risk agents in sandboxes to bound that radius.What makes the gap notable is how comfortable enterprises are inside it. The security stack is overwhelmingly provider-native — OpenAI’s guardrails (51%), Google’s and Microsoft’s cloud controls, and Anthropic’s managed-agent controls dominate, while the dedicated agent-security specialists barely register — and satisfaction with that borrowed stack is high, averaging 4.2 out of 5. Yet spending remains a thin slice of the security budget, only a third of enterprises believe their AI defenses are ahead of AI-enabled attackers, and a clear majority plan to change tooling within the year. Enterprises are satisfied with controls they are simultaneously preparing to replace.MethodologyVentureBeat fielded this survey as part of its ongoing Pulse Research series, this instrument focused on enterprise agent security — the tooling, identity, isolation, and enforcement controls organizations use to secure autonomous AI agents. Responses are filtered to organizations with more than 100 employees (n=107; the survey’s smallest size band, 1–100 employees, is excluded), drawn from a single June 2026 wave. Because this is one wave rather than a pooled multi-month sample, the report reads cross-sectionally and does not infer month-over-month trends. Several questions were multiple-select, so those shares can sum to more than 100%.By role the sample is senior and buyer-credible: 45% are final decision-makers for AI purchases and another 30% recommenders or influencers. Managers (43%), individual contributors (24%), VPs and directors (15%), and the C-suite (11%) make up the seniority mix. By organization size the sample is mid-market-weighted: 251–1,000 (42%) and 101–250 (25%) employees lead, with 1,001–5,000 (19%), 5,001–10,000 (8%), and 10,001+ (7%) above them. Technology/Software is the largest industry at 23%, followed by Manufacturing (15%), Retail/E-commerce (14%), and Healthcare/Life Sciences (13%).At 107 respondents the sample is large enough to read directionally but should be treated as a directional signal rather than a precise measurement; it is self-selected and is not a probability sample. It skews toward the mid-market, so it is best read as the view from organizations actively standing up agent security rather than from the largest operators.Satisfaction ratings are computed on the respondents who answered each rating question; the overall satisfaction score reflects 82 of the 107 qualified respondents.Finding 1: The incidents are already hereMore than half have had an agent security incident or near-missWe asked whether organizations had experienced an agent security incident — a confirmed breach, or a near-miss caught before harm. Most that run agents in production had.This is the report’s defining number. More than half of organizations (54%) have already had an agent security event — 18% a confirmed incident and 36% a near-miss caught before it caused harm. Only 42% report nothing, and a small remainder either run no agents in production or don’t track such events. That so many report near-misses rather than only confirmed incidents is telling: enterprises are catching problems, but they are catching them close to the edge. The controls examined in the rest of this report — identity, isolation, enforcement — are what determine whether the next near-miss stays a near-miss.Exposure scales with company size, but containment does not. The incident-or-near-miss rate rises from 49% in the mid-market (companies with 101-1,000 employees) to 63% at larger enterprises (above 1,000 employees), while sandbox isolation of high-risk agents falls from 35% to 20%, and satisfaction with security tooling drops from 4.36 to 3.97. The organizations running the most agents across the most systems carry the most incidents and the least of the one control that bounds an incident's blast radius.Finding 2: The identity gapOnly a third give every agent its own scoped identityWe asked how enterprises manage the identity of their AI agents — whether each agent has its own credentials, or agents share them. Full per-agent identity is the exception.Rolled together, the overlapping answers show 69% of enterprises (74 of 107) with credential sharing somewhere in the agent fleet. Identity is the structural weakness beneath the incidents. Only about a third of enterprises (32%) give every agent its own scoped, managed identity — the precondition for least-privilege access and clean attribution. Nearly half (48%) say some agents have scoped identities but many still share credentials, and another 32% say agents mostly run on shared API keys or borrowed human and service-account credentials. (Respondents could describe more than one pattern across their agent fleet, so these overlap.) The consequence is direct: when agents share credentials, an over-permissioned or compromised agent can act with far more reach than intended, and forensics after an incident cannot cleanly tell which agent did what. The non-human identity problem — giving every agent its own governed identity — is the single largest unfinished piece of enterprise agent security.Moreover, a company’s agent credential posture is correlated with incidents. Organizations with credential sharing anywhere in the fleet were hit — with an incident or a near-miss in the past twelve months — at 63.5% (47 of 74). Organizations where every agent carries its own scoped identity were hit at 40.9% (9 of 22). The fully-scoped group is small, so for now the relationship is an association rather than proven causation, and the gap is concentrated in the mid-market — but within a single survey, a twenty-three point difference in incident rate suggests significance.Finding 3: Observe and enforce, but rarely isolateOnly three in 10 sandbox their highest-risk agentsWe asked what an organization’s agent security posture looks like in practice — whether they observe, enforce, isolate, or some combination. The control that bounds damage is the least common.Monitoring and enforcement are reasonably common; containment is not. Roughly half of enterprises observe agent activi
Related
相關文章

百融智能4款AI新品亮相WAIC!推出錄音卡、工作手機,預告智能戒指
百融智能在WAIC 2026前推出四款企業級AI產品,包括錄音卡、工作手機、百語及百服,分別聚焦辦公信息處理、客戶管理與語音交互等場景,並預告正在研發的AI戒指。這些產品旨在將人工智慧導入企業工作流程,扮演「硅基員工」角色,協助記錄、分析及執行任務,以提升效率。

被曝上傳用戶代碼後,馬斯克官宣開源Grok Build,GitHub上線即斬獲7.7k Star
馬斯克旗下的xAI宣布開源代碼智能體Grok Build,完整代碼庫已上傳至GitHub,迅速獲得7.7k星。此舉被視為對先前開發者揭露Grok Build會上傳整個用戶代碼倉庫至伺服器、引發隱私風波的補救回應。xAI同時解除服務器使用限制並支援完全本地運行,讓開發者能審查代碼並自主控制數據流向。
The AI context gap: Enterprise AI organizations have a trust problem, not a retrieval problem — and most are still building the fix
Across 101 enterprises, the infrastructure that feeds AI agents their business context is being built faster than it can be trusted.

小米米家中央空調風管機巨省電 Pro 3 匹 / 4 匹上架預售,國補價 5609 元起
首頁 > 數碼之家>智能家電 小米米家中央空調風管機巨省電 Pro 3 匹 / 4 匹上架預售,國補價 5609 元起 2026/7/16 16:45:03 來源:IT之家 作者:浩渺 責編:浩渺 評論: 感謝IT之家網友 很宅很怕生 的線索投遞!
AI代理評估鴻溝:企業AI組織面臨的是現實校準問題,而非覆蓋率問題——多數仍照常部署至生產環境
在對157家企業的調查中,組織正賦予AI代理更多自主性,同時卻對用以管控該自主性的評估機制愈發缺乏信任。半數企業已曾將通過內部評估、卻在生產環境中導致客戶失誤的代理部署上線;僅二十分之一企業完全信任自動化評估;最常被指出的弱點是評估與實際結果不符。然而,仍有三分之二企業已允許或正積極規劃僅憑自動化評估結果(無人工介入)就將代理變更部署至生產環境。這導致「評估鴻溝」的出現——即企業賦予代理的自主程度,與其對理應能攔截失誤的測試機制的信任度之間的落差。本波VentureBeat Pulse研究深入探討此現象。
NVIDIA Nemotron 3 Embed 在 RTEB 中整體排名第一,推動代理檢索發展
檢索在多步驟的代理工作流程中至關重要。NVIDIA Nemotron 3 Embed 在 RTEB(檢索任務評估基準)中榮獲整體第一名,顯著提升了代理檢索的能力。