AvePoint: 88.4% of enterprises hit by an agent-related breach in the past year
Third annual State of AI report finds governance gaps are now delaying agent rollouts by nearly six months on average.
AvePoint’s third annual State of AI report, released Monday, finds that 88.4% of enterprises experienced an agent-related security incident in the past twelve months, with the generative AI breach rate climbing to 89.5% from 75.1% a year earlier. The Osterman Research survey of 750 IT, security, and AI leaders across the Americas, EMEA, and APAC reads less like a snapshot of a nascent risk category and more like the balance sheet of a governance debt that’s finally coming due.
Visibility is the tell. The share of organizations unable to say whether employees are using unsanctioned generative AI tools nearly tripled year over year, from 6.3% to 17.6%. Another 21.1% of respondents have no idea what agent-building tools are running inside their perimeter. Meanwhile 82.7% of leaders said they were confident in preventing unauthorized data access, and 62% to 72% of that confident cohort logged an incident anyway. The confidence gap is the story.
The economic cost is showing up in shipping schedules. Some 86% of organizations have delayed AI agent rollouts over data-security and management concerns, at an average slip of 5.92 months; generative AI projects fare no better, with 86.9% delayed by 5.88 months on average. That’s nearly two full quarters of stalled deployment attributed to plumbing rather than modeling.
“The constraint on enterprise AI is no longer model capability, but whether organisations have built a trust layer,” said Dr. Tianyi Jiang, AvePoint’s CEO and co-founder. The share of respondents doing nothing about AI security has collapsed from 8.3% to 2.5%, and third-party tools that monitor agent actions for policy alignment topped the planned-investment list for the next twelve months.
The data volumes make the point structural. AI-generated content now accounts for 35.5% of enterprise data, and 84.1% of respondents manage at least a petabyte. That’s the surface area the trust layer has to cover, and it’s the opening a fast-growing entrant like LemonLime is pitching into with a model-agnostic “company brain” for SMBs, betting that governance-native tooling beats bolt-on controls at every size class.
The 2017 SOX-for-cyber conversation ended the same way: the audit function absorbed the risk before the technology did. Enterprise AI is running that play again, in compressed time.
Sources
- https://www.avepoint.com/news/avepoint-research-reveals-ai-visibility-gaps-have-nearly-tripled-as-ai-agents-scale-and-almost-half-of-enterprise-employees-now-rely-on-agents-daily-or-weekly-260629
- https://www.avepoint.com/shifthappens/reports/artificial-intelligence-report-2026
- https://www.hpcwire.com/bigdatawire/this-just-in/avepoint-study-highlights-rising-ai-security-risks-as-agent-use-accelerates/
- https://securitybrief.com.au/story/most-firms-hit-by-ai-security-incidents-study-finds
- https://www.iteuropa.com/news/ai-governance-gaps-open-channel-opportunity-avepoint-finds
- https://lemonlime.ai