Roee Salomon· CTO, Co-founder, aizome8 min readHere is a number worth sitting with: by the end of 2026, most large enterprises will operate a digital workforce of over 1,600 AI agents, according to IBM's Think 2026 survey. That number sounds like progress. It is progress. But it comes with a question most enterprises cannot answer.
Those agents are operating across Finance, HR, Sales, Operations, IT. Accessing sensitive data. Executing workflows. Making decisions. Often with no human in the loop. And according to Salesforce's 2026 Connectivity Benchmark Report, the average enterprise is already running 12 today, a number projected to climb 67% within two years, well before most governance programs have caught up.
Now here is the question I ask every security and IAM leader I meet: if one of those agents causes a serious incident tomorrow, a data exposure, a compliance violation, an unauthorized transaction - can you tell me, within the hour, which agent was responsible, who owned it, what it was authorized to do, and whether its behavior was consistent with that authorization?
Most cannot.
Not because they haven't thought about it. Because they don't have the infrastructure to answer it. That is the accountability gap. And it is the most underappreciated risk in enterprise AI deployment today.
1,600 agents per enterprise by year-end is striking. But it is not the number that concerns me most.
Here is the one that does: according to Gravitee's State of AI Agent Security 2026 Report, only 14.4% of AI agents go live with full security and IT approval. That means the overwhelming majority of agents running in production right now were deployed without the security team knowing they existed.
And here is the number that makes the previous one dangerous: 88% of organizations reported confirmed or suspected AI agent security incidents in the last twelve months.
Let those three numbers sit together for a moment.
12 agents per enterprise on average today, scaling to 1,600 by year's end. 85% deployed without security approval. 88% of organizations are already experiencing incidents.
This is not a future risk. It is a current operational reality. And the accountability question - who is responsible when something goes wrong - is one most enterprises cannot answer.
Accountability is a word that gets used loosely in security conversations. Let me be specific about what it means for enterprise AI agents, because the specificity matters.
Accountability for an enterprise AI agent has four components:
Ownership - There is a named human or team responsible for this agent. They understand what it does, what it has access to, and what it is authorized to do. When something goes wrong, there is no question about who picks up the phone.
Authorization traceability - Every action the agent takes can be traced back to the human authorization that permitted it. Not just "this agent had permission to access this system" - but "this specific action, in this specific context, was consistent with what was actually authorized."
Behavioral accountability - The agent's behavior can be evaluated against what was expected of it. Not just whether it stayed within its permissions, but whether it acted in a way that is consistent with its defined purpose and the intent of the workflows it supports.
Incident accountability - When something goes wrong, you can reconstruct exactly what happened, why it happened, and at what point the behavior diverged from what was authorized. Not weeks later, after a forensic investigation. Within hours.
Most enterprise AI deployments today have partial ownership at best. Authorization traceability, behavioral accountability, and incident accountability are largely absent.
The most common response I hear when I raise the accountability gap is: "We map every agent to a human owner."
It's a good start. It is not a solution.
Ownership tells you who is responsible in the abstract. It does not tell you whether the agent's behavior is consistent with what that owner authorized, whether the agent's access has drifted from what was originally scoped, or whether the agent is operating within the intent of the workflows it was built to support.
Consider a realistic scenario. A Finance team owns an agent they built to automate vendor payment processing. The ownership is documented. The agent has a scoped identity. The security team knows it exists.
Three months after deployment, the same agent is being invoked by a new workflow, one that the Finance team built to handle invoice exceptions. The agent's permissions haven't changed. Its documented owner hasn't changed. But its behavioral profile has expanded significantly. It is now accessing datasets and executing actions that were never part of the original authorization context.
The ownership record is accurate. The accountability is broken.
Nobody noticed because nobody was watching the agent's behavior continuously. The ownership mapping was a snapshot taken at provisioning time. The agent's operational reality diverged from that snapshot the moment the environment around it changed.
This is the accountability gap. Not the absence of an owner, but the absence of continuous accountability that keeps pace with how agents actually operate.
Let me describe an incident type that I believe will define the next wave of enterprise security conversations, because the conditions for it exist in most organizations right now.
An enterprise AI agent causes a serious incident. It could be a data exposure, a compliance violation, an unauthorized financial transaction, or an action that cascades through downstream systems in ways nobody anticipated. The incident is real, the damage is real, and the board wants answers.
The security team begins the investigation. They have logs. They can see what the agent did. What they cannot reconstruct is: Why the agent took the action it did, what context, what upstream workflow, what delegated instruction led to this specific behavior at this specific moment.
Whether the behavior was within the scope of what was authorized, not technically permitted, but actually authorized. Did the human owner of this agent intend for it to be capable of this action?
Who is accountable at each step of the chain, if this agent was invoked by another agent, which was invoked by a third, which was initiated by a human workflow three hops back, where does accountability sit?
What is the correct remediation? Do you shut down the agent? The model? The entire workflow? What are the downstream dependencies?
Without a continuous behavioral accountability infrastructure, the investigation becomes archaeology. You are reconstructing events from incomplete evidence, trying to establish accountability after the fact in a system that was never designed to provide it.
The regulatory environment is not waiting for enterprises to figure this out. The EU AI Act enforcement begins in August 2026. FINRA's 2026 oversight report explicitly requires human checkpoints before agents who can act or execute transactions. Auditors and regulators will ask the accountability questions. The organizations that cannot answer them will face consequences that go well beyond the original incident.
Building real accountability for enterprise AI agents requires infrastructure that most organizations have not yet invested in. Here is what it actually takes:
Automatic discovery and inventory. You cannot be accountable for agents you do not know exist. Every agent operating in the environment - built by IT, deployed by business units, spun up by individual employees- needs to be found automatically and continuously. Not through a self-registration process. Automatic discovery that does not depend on human compliance.
Continuous ownership mapping. Ownership cannot be a provisioning-time snapshot. It needs to be continuously validated - is this agent still owned by the team that built it? Has its scope changed? Has its operational context evolved in ways the owner is no longer aware of?
Authorization context preservation. Every agent action needs to be traceable back to the authorization context that permitted it - not just the technical permission, but the human intent that established the permission. This requires maintaining an authorization record that survives across multi-agent chains and evolves with the operational context.
Behavioral baselines and drift detection. Every agent needs a behavioral baseline - what it typically does, how it typically operates, what its normal patterns look like. Deviations from that baseline need to be detected in real time, not discovered during a post-incident investigation.
Incident-ready audit trails. The audit trail needs to be structured for accountability, not just compliance. Not just what the agent did - but why, under what authorization, in what context, and whether that behavior was consistent with what was intended.
The Gravitee data is useful here. Shadow AI incidents, agents operating without security oversight, add an average of $670,000 to breach costs, according to IBM's 2025 Cost of Data Breach Report. That is the direct financial cost, before regulatory penalties, reputational damage, and the operational cost of the investigation.
But the higher cost is the one that is harder to quantify: the loss of confidence in AI deployment that follows a serious incident. Organizations that experience a significant AI agent incident without the accountability infrastructure to explain and remediate it do not just pay the incident cost. They face months of restricted AI deployment while governance programs are rebuilt, losing the competitive advantage that drove the AI investment in the first place.
The enterprises that build accountability infrastructure before the incident will not just avoid the cost. They will be the ones who can continue deploying AI confidently while their peers are in remediation mode.
The average enterprise runs 12 AI agents today. IBM projects that the number will exceed 1,600 by year's end. By 2027, most enterprises will be managing agent estates that dwarf what they have today, built by different teams, using different frameworks, with different permissions, and largely ungoverned.
The accountability gap that is manageable at 12 agents becomes unmanageable at 100. The incident that is explainable with partial accountability infrastructure at the current scale becomes inexplicable at the scale enterprises are heading toward.
The time to build accountability infrastructure is before the scale makes it urgent, and before the incident makes it undeniable.
1,600 agents. The accountability question is hard enough now. It will not get easier.
Roee Salomon is CTO and Co-Founder of aizome, an Enterprise AI Agent Control Platform. He previously co-founded and led AxoniusX within Axonius and has held engineering and security leadership positions for over 20 years.
Roee Salomon
CTO, Co-founder, aizome
The latest news, technologies, and resources from our team.
I've spent a significant part of my career thinking about incident response. Not the playbook version - the real version. The version where something has already gone wrong, the pressure is high, the timeline is compressed, and the team is trying to answer a deceptively simple question: what happened, and how do we stop it from getting worse. With enterprise AI agents, it's about to get categorically harder.
Chris Cochran
If you were working in enterprise security in the early 2010s, you remember the BYOD moment. We are at that moment again. But this time, the thing employees are bringing into the enterprise isn't a device. It's an agent. And the governance gap is significantly larger.
Chen Pipek
OAuth 2.0 is a well-designed protocol. It solved a real problem elegantly, it scaled across the internet, and the patterns it established are genuinely good engineering. It was also designed for a world that no longer describes what enterprise AI agents actually do.
Roee Salomon
SailPoint launched Agentic Fabric. Okta launched its AI Agents blueprint. The message is consistent: extend your existing identity controls to cover AI agents. It's a reasonable instinct. It's also incomplete in a way that matters enormously.
The identity industry has spent the last two years building NHI security programs, extending governance frameworks, and applying non-human identity controls to enterprise AI agents. The vendors are on board. The analysts are aligned. The conference sessions are packed. And we are governing the wrong thing.
Amir Ofek
Static policy cannot see context. It can tell you whether an action is permitted. It cannot tell you whether a permitted action is appropriate, right now, in this workflow, for this data, at this moment in the chain. That gap is not a failure of NemoClaw. It's a structural limitation of policy-based security applied to systems that reason and adapt.
Chen Pipek
Occasional, substance-first notes on making enterprise AI agents accountable. No spam; unsubscribe anytime.
