🟡 Partially justified

Study: 92 percent of organisations are unprepared for security risks from AI agents

What it really says

On 8 April 2026 Salt Security published the '1H 2026 State of AI and API Security: Navigating the Agentic Era' report, based on a survey of 327 security professionals from technology, financial services, healthcare, manufacturing and other sectors. The headline finding: 92 percent of organisations lack the security maturity required to defend environments where autonomous AI agents are deployed at enterprise scale.

Further key results:

  • 99 percent of attack attempts analysed by Salt Labs originate from authenticated sources - increasingly from 'rogue agents' that use legitimate credentials but operate without human oversight, rate limiting or behavioural guardrails.
  • 65 percent of attacks exploit security misconfigurations (OWASP API8), a vulnerability dramatically amplified when over-permissioned APIs are connected to AI agents capable of querying, chaining and exfiltrating data at machine speed.
  • 48.9 percent of organisations are 'blind' to non-human traffic and cannot monitor what their autonomous agents are doing.
  • 47 percent have already had to delay a production release due to security concerns about APIs exposed to autonomous systems.

Our assessment

The study highlights a real problem exacerbated by the current hype around AI agents: organisations deploy autonomous systems before their security infrastructure is ready. When nearly half of organisations cannot see what their AI agents are doing, that is not a theoretical risk but a concrete attack vector. At the same time, some nuance is needed: Salt Security is itself a vendor of API security solutions and has a commercial interest in presenting the threat landscape as serious. The sample of 327 respondents is solid but not huge. The good news: the identified problems - lack of monitoring capabilities, over-permissioned APIs, missing rate limiting - are solvable. These are not fundamental design flaws but governance and configuration issues that organisations can address with existing tools and processes. The study serves as a useful wake-up call: API security must keep pace before AI agents are put into production.

Relevance for Germany

For German companies the study is particularly relevant because the EU AI Act and GDPR impose high standards on the control of automated systems. If an AI agent accesses personal data through over-permissioned APIs and nobody monitors the traffic, this is potentially a GDPR violation - regardless of whether the exfiltration is carried out by an attacker or a misconfigured in-house agent. The EU AI Act requires human oversight and risk management for high-risk AI systems; blind spots affecting 48.9 percent of organisations are incompatible with these requirements. The BSI already warned in early April about growing cyber threats from AI. German mid-market companies now deploying AI agents such as Claude Managed Agents or Microsoft Copilot Studio should conduct an API security audit before going live and ensure that autonomous traffic is monitored, rate-limited and logged.

Fact check

The central figures - 92 percent lacking sufficient security maturity, 327 surveyed security professionals, 99 percent authenticated attack sources, 65 percent OWASP API8 exploitation, 48.9 percent without non-human traffic monitoring, 47 percent delayed releases - are consistently reported in Salt Security's own blog post, the PRNewswire press release, Security Boulevard and IT Security Guru. The methodology (survey of 327 security professionals from various industries in early 2026) is documented in the press release. Caveat: Salt Security is a vendor of API security products - the study also serves commercial purposes. The data primarily comes from Anglophone markets; German or European companies may be underrepresented in the sample.

Sources

  • Salt Security Blog 08.04.2026 (salt.security/blog/the-era-of-agentic-security-is-here)
  • PRNewswire press release 08.04.2026 (prnewswire.com/news-releases/salt-security-research/302736506.html)
  • Security Boulevard 09.04.2026 (securityboulevard.com/2026/04/the-era-of-agentic-security-is-here)
  • IT Security Guru 08.04.2026 (itsecurityguru.org/2026/04/08/most-organisations-face-an-unsecured-api-surge)
  • AI TechPark 09.04.2026 (ai-techpark.com/salt-security-ai-agents-drive-surge-in-unsecured-apis/)