63% of Businesses Can't Control What Their AI Agents Do

· Infonaligy

63% of organizations cannot enforce purpose limitations on AI agents. A governance framework to control what AI does with your company data.

AI agents are making decisions with your company data right now. Not just answering questions or generating text, but reading emails, accessing files across SharePoint, pulling records from your CRM, and taking actions on behalf of employees without waiting for approval at each step. According to Kiteworks’ 2026 AI Agent Security Guide, 63% of organizations cannot enforce purpose limitations on what these agents do with the data they access. If your business has deployed Microsoft 365 Copilot or any third-party AI automation, that statistic likely applies to you.

AI Agents Are Not Software Tools

The distinction matters. A traditional software tool does what a user tells it to do, one action at a time. An AI agent operates autonomously. It observes your environment, decides what to do next, and executes multi-step workflows across multiple systems on its own.

Microsoft Copilot can draft an email based on a customer record in your CRM, pull a contract from SharePoint to reference pricing, and schedule a follow-up meeting in Outlook, all from a single instruction. Third-party AI tools connected to your environment can monitor inboxes, classify documents, update databases, and trigger workflows throughout your tech stack.

This autonomy is what makes agents useful, and it’s what makes them dangerous when ungoverned. A traditional application with overly broad permissions sits idle until someone uses it. An AI agent with overly broad permissions actively uses those permissions on its own, potentially accessing data it shouldn’t, sharing information across boundaries you didn’t intend, or taking actions that violate your compliance requirements.

The governance challenge is not just about what data AI can see. It’s about what AI decides to do with that data once it has access.

The Governance Gap Is Wider Than Most Businesses Realize

The numbers from Cybersecurity Insiders and Practical DevSecOps’ 2026 AI Security Statistics report tell a specific story:

  • 63% of organizations cannot enforce purpose limitations on AI agents, meaning they can’t restrict what an agent does with data once it has access
  • 60% of organizations cannot quickly terminate a misbehaving AI agent
  • 92% of organizations say generative AI has fundamentally changed how employees share information
  • Only 13% have integrated AI into their security strategy

That last number is the one that should concern business owners most. Nearly every organization acknowledges that AI has changed how data moves through their company, but barely one in eight has updated their security approach to account for it.

For a 200-employee company running M365 Copilot, this gap plays out in a specific way. Copilot inherits user permissions, so an agent acting on behalf of an employee with broad access has that same broad access to every SharePoint site, every shared mailbox, and every Teams channel that user can reach. Most SMBs never tightened those permissions because, before AI agents, the risk of someone manually browsing thousands of files was low. Agents change that calculation entirely. They can process thousands of files in seconds.

Shadow AI Multiplies the Risk

Your IT-approved AI tools are only part of the picture. Employees are connecting their own AI tools to company data without IT involvement. A sales rep hooks an AI prospecting tool into the company CRM. A marketing manager uses an AI writing assistant that pulls from shared drives. An operations lead sets up an AI workflow that reads financial reports and generates summaries.

Each of these creates an unmanaged AI agent with access to company data and no logging, no permission boundaries, and no kill switch. Your IT team doesn’t know these agents exist, which means they can’t monitor, restrict, or shut them down when something goes wrong.

Threat actors are paying attention to this exact gap. The CrowdStrike 2026 Global Threat Report documented an 89% increase in AI-enabled adversary attacks, with an average breakout time of 29 minutes. Attackers are using AI to craft more convincing phishing emails, automate reconnaissance, and exploit misconfigurations faster than human defenders can respond. When your own AI agents have broad, ungoverned access to sensitive data, they become targets. A compromised agent credential or a prompt injection attack can give an adversary the same access the agent has, across every system it touches.

The combination of shadow AI expanding your attack surface and AI-enabled attacks growing more sophisticated creates a risk that traditional security monitoring alone cannot address.

Compliance Frameworks Don’t Have an AI Exemption

If your business operates under HIPAA, PCI DSS, SOX, or any other regulatory framework, those rules apply equally to actions taken by AI agents. There is no carve-out for machine-driven data access.

HIPAA requires that access to protected health information be limited to the minimum necessary for a specific purpose. An AI agent that can access your entire SharePoint tenant, including folders containing patient records, violates this principle even if no human asked it to look at those records. The agent’s ability to access the data is itself the problem.

PCI DSS 4.0.1 requires strict controls over who and what can access cardholder data environments. If an AI agent connected to your business applications can reach systems that process or store payment card data, you have a scope problem that your QSA will flag during your next assessment.

SOX requires documented controls over financial reporting processes. If an AI agent is summarizing financial data, generating reports, or moving information between systems involved in financial reporting, those agent actions need the same audit trail and approval controls that apply to human users.

The practical risk here is straightforward. When an auditor asks “who accessed this data and why,” the answer cannot be “an AI agent did it and we don’t know what triggered it.” If you’ve been working on your compliance posture, AI agent governance needs to be part of that effort.

A Practical Governance Framework

You don’t need to ban AI agents or wait for perfect tools to manage them. Five controls should be in place now.

1. Inventory every AI agent in your environment. You can’t govern what you can’t see. Audit your M365 tenant for Copilot agents, Power Automate flows with AI steps, and third-party apps with AI capabilities. If you’ve deployed Agent 365, use its observe features to surface active agents. Survey department heads about AI tools their teams use that IT didn’t provision.

2. Enforce least-privilege access for every agent. AI agents inherit the permissions of the user or service account they run under. Review those permissions and scope them to the minimum required. A Copilot agent helping your marketing team write content doesn’t need access to HR files or financial reports. Create dedicated service accounts for agent workflows with permissions limited to exactly what each workflow requires.

3. Classify your data and set boundaries. Not every document in your environment should be accessible to AI agents. Classify data by sensitivity level and configure information barriers that prevent agents from crossing those boundaries. Microsoft Purview can label and protect sensitive content so that even if an agent has technical access to a file, policy enforcement blocks it from processing restricted data. We covered data classification in detail in our AI data governance guide.

4. Establish kill switches and escalation procedures. If an agent starts behaving unexpectedly, your team needs to shut it down immediately. Document who has authority to terminate an agent, how to do it technically, and what the escalation path looks like when the initial responder can’t resolve it. The 60% of organizations that can’t quickly terminate a misbehaving agent are one bad automation away from a data incident.

5. Log and audit all agent activity. Every action an AI agent takes should be logged: what data it accessed, what actions it performed, and what triggered the activity. These logs serve two purposes. They give your security team the ability to detect anomalies in real time, and they give your compliance team the audit trail that regulators expect. Configure your SIEM to ingest agent activity logs alongside your other security telemetry.
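As an added example (not Infonaligy's, Microsoft's or any vendor's own tooling), the following Python script shows what controls 2, 3 and 5 look like once agent activity is actually logged and checked: it parses constructed JSON-lines log records, evaluates each agent against a purpose-limitation policy (which sensitivity labels and actions that agent is permitted), flags agents that appear in the logs but not in the inventory (shadow AI), records actions with no recorded trigger (the "we don't know what triggered it" audit problem), and detects bulk file access in a sliding time window. The log schema, agent names, labels, policy structure and thresholds are all assumptions for illustration; real Copilot and Purview audit records use their own schemas.

```python
"""Audit AI-agent activity logs against a purpose-limitation policy.

Added example, not code from Infonaligy or Microsoft. The log schema, agent
names, sensitivity labels and thresholds below are assumptions for illustration.
"""
import json
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log: one JSON record per line, as a SIEM would ingest it.
SAMPLE_LOG = """\
{"ts": "2026-03-02T09:00:01Z", "agent": "marketing-copilot", "action": "read", "resource": "/sites/Marketing/brief.docx", "label": "General", "trigger": "user:jane"}
{"ts": "2026-03-02T09:00:02Z", "agent": "marketing-copilot", "action": "read", "resource": "/sites/HR/salaries.xlsx", "label": "Confidential-HR", "trigger": "user:jane"}
{"ts": "2026-03-02T09:05:00Z", "agent": "finance-summarizer", "action": "read", "resource": "/sites/Finance/q1.xlsx", "label": "Confidential-Finance", "trigger": "schedule:daily"}
{"ts": "2026-03-02T09:05:01Z", "agent": "finance-summarizer", "action": "send_email", "resource": "mailto:partner@example.net", "label": "", "trigger": ""}
"""

# Constructed burst: an agent nobody provisioned reads 30 files in 30 seconds.
_start = datetime(2026, 3, 2, 9, 10, 0)
SAMPLE_LOG += "".join(
    json.dumps({"ts": (_start + timedelta(seconds=i)).strftime(TS_FMT),
                "agent": "prospecting-bot", "action": "read",
                "resource": f"/sites/Sales/leads-{i:03d}.csv",
                "label": "General", "trigger": "user:sam"}) + "\n"
    for i in range(30)
)

# Purpose-limitation policy (assumed): what each inventoried agent may do and see.
POLICY = {
    "marketing-copilot": {"labels": {"Public", "General"}, "actions": {"read", "draft"}},
    "finance-summarizer": {"labels": {"General", "Confidential-Finance"}, "actions": {"read", "summarize"}},
}


def parse_events(raw):
    """Parse JSON-lines log text into event dicts with real timestamps, oldest first."""
    events = []
    for line in raw.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def audit(events, policy, bulk_threshold=25, bulk_window=timedelta(seconds=60)):
    """Return (kind, agent, detail) findings for every policy violation or anomaly."""
    findings = []
    reported_unknown = set()
    reads = defaultdict(deque)  # agent -> timestamps of reads inside the sliding window
    for e in events:
        agent, rules = e["agent"], policy.get(e["agent"])
        if rules is None:
            if agent not in reported_unknown:  # shadow AI: in the logs, not in the inventory
                reported_unknown.add(agent)
                findings.append(("unregistered_agent", agent, e["resource"]))
        else:
            if e["action"] not in rules["actions"]:
                findings.append(("action_violation", agent, e["resource"]))
            label = e.get("label", "")
            if label and label not in rules["labels"]:
                findings.append(("label_violation", agent, e["resource"]))
        if not e.get("trigger"):  # an auditor will ask what triggered this action
            findings.append(("missing_trigger", agent, e["resource"]))
        if e["action"] == "read":
            window = reads[agent]
            window.append(e["ts"])
            while e["ts"] - window[0] > bulk_window:  # drop reads that aged out of the window
                window.popleft()
            if len(window) == bulk_threshold:  # fire once, as the threshold is crossed
                findings.append(("bulk_access", agent,
                                 f"{bulk_threshold} reads within {int(bulk_window.total_seconds())}s"))
    return findings


def summarize(findings):
    """Count findings by kind; a non-empty result is what should page the responder."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    results = audit(parse_events(SAMPLE_LOG), POLICY)
    for kind, agent, detail in results:
        print(f"{kind:20} {agent:20} {detail}")
    print(summarize(results))
```

On the constructed sample this reports one label violation (the marketing agent touching an HR file), one action violation and one missing trigger (the finance agent sending mail with nothing recorded as the cause), one unregistered agent, and one bulk-access alert. The same `unregistered_agent` and `bulk_access` kinds are the ones worth wiring to the kill switch from control 4, since they are the signals that a human needs to stop something, not just review it later.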

These five controls won’t eliminate AI agent risk, but they close the most dangerous gaps. Businesses that already have AI governance policies can extend them to cover autonomous agents specifically. Businesses starting from scratch should treat this framework as the minimum for operating AI agents safely. An AI services partner can help you implement these controls without slowing down the adoption that’s already underway.

Start With Visibility

If you take one action this week, run an inventory of every AI agent and AI-connected tool in your environment. You will likely find agents you didn’t know about, permissions broader than they should be, and data flowing to places it shouldn’t. That inventory becomes the foundation for every governance decision that follows.

AI agents deliver real productivity gains for businesses that control them. The 63% that can’t are carrying risk they haven’t quantified yet.

Need Help With AI Agent Governance?

Our team can help you inventory your AI agents, tighten permissions, and build governance controls that keep your business compliant.