Enterprise teams are running AI agents that write code, drive browsers, answer customer calls, and manage cloud infrastructure — with standing credentials. A new independent assessment of 100 production agents finds that nearly all of them carry the conditions for a single hostile document to take them over.
The finding: only 11 percent of production agents pass the security bar.
The AI Risk Quadrant (AIRQ) report, a Q2 2026 assessment by independent researchers, scores 100 commercial and publicly available AI agents across three dimensions: attack surface, blast radius, and defense controls. The picture that emerges is one of fast capability growth pulling well ahead of the controls meant to contain it.
The report identifies what it calls a “lethal trifecta” common across the cohort: private data access, exposure to untrusted content, and the ability to take outbound actions. This combination appears in 98 percent of agents scored. Eight of ten agent classes show 100 percent trifecta exposure. Only General Assistant Agents and Data Engineering Agents each have a single exception.
External data ingestion is the universal attack surface. Documents, web pages, tickets, emails, and retrieved snippets produce indirect prompt injection on nearly every agent in the cohort. A single poisoned message can steer agent behavior across every system the agent can reach.
The two riskiest categories are coding agents and computer-use agents. They pair the widest attack surfaces and largest blast radii with the thinnest defenses.
The recommended procurement gate is documented and tested sandboxing. Sandboxing cuts residual risk by roughly 2.6 times. Cloud- or container-level isolation captures about a 6 times reduction. Most of the benefit comes from the first step.
Forty percent of the cohort sits in the “Exposed Giants” quadrant, which the report says holds 60 percent of the total risk budget. These are agents with high capability and high exposure — but low investment in containment.
Only 11 percent land in the Fortified Leaders quadrant, where high attack surface combines with strong defenses. Most of those are enterprise solutions where the defense is inherited from platform-level governance: tenant isolation, role-based access, and audit frameworks that existed before AI was added on top.
A recurring theme: the same platform can land points apart on the scale depending on which build is evaluated, with the spread between builds wider than the spread across entire agent classes. Procurement signs off on one configuration; security inherits another.
Eighty-three percent of claimed defenses lack independent verification. Only 17 percent of assigned defense credits carry an independent verification mark. The components most relevant to blast radius reduction — execution isolation, for example — are the least verifiable.
The report finds that 37 percent of the cohort scores well on logging and observability and poorly on the four defense components that prevent or limit harm. A further 38 percent complete irreversible actions before any monitoring path can plausibly fire.
Tool execution is the single variable that best predicts blast radius. It alone explains 76 percent of blast radius — outpredicting agent class, vendor reputation, and every individual defense component.
CVE volume in the AI agent market is climbing quarter over quarter. The report recommends quarterly re-audits because categories with low CVE counts are in a pre-discovery phase, where research attention has yet to surface the issues that exist.
The practical takeaway is not “don’t use agents.” It’s that the unit of risk is the agent configuration, not the underlying model.
The agents are already in production. The question is whether the controls catch up before the vulnerabilities do.
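The trifecta and the sandboxing gate described above can be checked per build, which is what the article's "unit of risk is the configuration" point implies. The linter below is an added example, not code from the AIRQ report; the capability tags, the tool names and the sample inventory are constructed for illustration.

```python
from dataclasses import dataclass

# Capability tags a tool may carry. This taxonomy is an assumption for the
# example; the AIRQ report's own scoring schema is not reproduced here.
PRIVATE_DATA = "private_data"        # tool reads tenant or customer data
UNTRUSTED_INPUT = "untrusted_input"  # tool ingests documents, web pages, tickets, email
OUTBOUND_ACTION = "outbound_action"  # tool writes, sends or executes outside the agent
TRIFECTA = frozenset({PRIVATE_DATA, UNTRUSTED_INPUT, OUTBOUND_ACTION})

@dataclass
class AgentBuild:
    agent: str
    build: str
    tools: dict                      # tool name -> set of capability tags
    sandbox_documented: bool = False
    sandbox_tested: bool = False

    def capabilities(self):
        """Union of the capabilities of every tool this build can call."""
        return frozenset().union(*self.tools.values())

def has_trifecta(build):
    """True when one build combines private data, untrusted content and outbound actions."""
    return TRIFECTA <= build.capabilities()

def passes_procurement_gate(build):
    """Gate from the article: a trifecta build needs documented AND tested sandboxing."""
    return not has_trifecta(build) or (build.sandbox_documented and build.sandbox_tested)

def lint(builds):
    """Judge each (agent, build) pair separately: the build, not the model, is the unit of risk."""
    verdicts = {}
    for b in builds:
        caps = b.capabilities()
        verdicts[(b.agent, b.build)] = {
            "trifecta": TRIFECTA <= caps,
            "missing": sorted(TRIFECTA - caps),
            "outbound_tools": sorted(n for n, c in b.tools.items() if OUTBOUND_ACTION in c),
            "gate": passes_procurement_gate(b),
        }
    return verdicts

# Constructed sample inventory: one coding agent shipped as two builds, plus a read-only helpdesk agent.
CODER_TOOLS = {"repo_read": {PRIVATE_DATA}, "web_fetch": {UNTRUSTED_INPUT}, "shell_exec": {OUTBOUND_ACTION}}
SAMPLE = (
    AgentBuild("coder", "enterprise", CODER_TOOLS, sandbox_documented=True, sandbox_tested=True),
    AgentBuild("coder", "default", CODER_TOOLS),
    AgentBuild("helpdesk", "readonly", {"ticket_read": {PRIVATE_DATA, UNTRUSTED_INPUT}}),
)
```

Running `lint(SAMPLE)` flags the two coder builds as trifecta carriers with identical tools, but only the enterprise build clears the gate; the helpdesk build is reported with `outbound_action` as the one missing leg, which is the leg to keep missing.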