A Hard Number on a Soft Promise
The newly published AI Risk Quadrant (AIRQ) report, in its Q2 2026 edition, assessed 100 commercial and publicly available AI agents across three dimensions: attack surface, blast radius, and defense controls. The headline finding is bracing. Only 11 percent of agents land in the Fortified Leaders quadrant, where a high attack surface is matched by genuinely strong defenses. The rest, by implication, are exposed to some degree.
We have spent months reporting on agentic AI's promise, so a rigorous, adversarial benchmark is exactly the corrective the market needs. Vendors sell autonomy and integration as features. AIRQ measures them as risk surfaces. The distribution is unflattering: 40 percent of agents sit in the Exposed Giants quadrant, holding roughly 60 percent of total measured risk, meaning a minority of widely deployed agents concentrate the majority of danger.
The Lethal Trifecta, Almost Everywhere
The most alarming statistic is the prevalence of what the researchers call the lethal trifecta: private data access, exposure to untrusted content, and the ability to take outbound actions. That combination appears in 98 percent of assessed agents. Each capability is individually useful; together they create the precise conditions for prompt injection to become data exfiltration or unauthorized action.
This aligns with the steady drumbeat of real-world agent exploits we have covered, from research agents steered by planted web content to copilots turned into data-theft tools. The trifecta is not an edge case; it is the default architecture of a useful agent. Enterprises deploying agents that read sensitive data, ingest external content, and act on systems should assume they are running the trifecta unless they have explicitly engineered it out.
Coding and Computer-Use Agents Are the Sharp Edge
The report singles out the riskiest categories. Coding agents rank second highest in capability but only eighth in defense, a dangerous gap given their direct access to source code and build systems. Computer-use agents fare worse still, scoring zero on average output guardrails, which means nothing constrains what they can do once they take control of a machine.
Tool execution alone explains 76 percent of the variation in blast radius, confirming that the ability to act, not merely to reason, is what makes an agent dangerous. Perhaps most damning, 83 percent of claimed defenses lack independent verification, and 37 percent of agents score well on logging but poorly on actual defenses. In other words, many agents are observable but not defensible, generating audit trails of incidents they cannot prevent.
Why Procurement Never Saw It Coming
The structural problem is distribution. AIRQ project lead Eugene Neelou observes that these agents are self-serve products with bottom-up adoption that usually bypass procurement gates. Employees adopt agents the way they once adopted SaaS, individually and invisibly, long before security or vendor risk teams are consulted. By the time governance arrives, the agents are already wired into production data and workflows.
This is the agentic version of shadow IT, and it is more dangerous because each agent can act, not just store data. We have repeatedly argued that governance has to be embedded before deployment rather than retrofitted after, and this report is the empirical case for that position. The 11 percent that pass largely inherit their defenses from platform-level governance, not from anything the individual agent does on its own.
What To Do Before the Next Incident
For security leaders, the actionable read is to inventory agents the way you once inventoried SaaS, then map each against the trifecta. Any agent combining sensitive data, untrusted input, and outbound action needs explicit controls: scoped credentials, output guardrails, human approval for high-blast-radius actions, and independent verification of vendor defense claims. Logging is necessary but, as the data shows, nowhere near sufficient.
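To make the inventory step concrete, here is an added example of the kind of triage script a security team could run over an agent register: it flags every agent that combines the three trifecta capabilities, lists which of the controls named above are missing, and separately marks agents that have logging but lack real defenses. The code and the sample inventory are constructed for illustration and are not part of the AIRQ report or its methodology; the agent names, the control labels, and the "fortified"/"exposed"/"low_surface" statuses are assumptions chosen for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Controls a trifecta agent is expected to have before it is considered
# defensible. "logging" is deliberately absent from this set: it is
# observability, not a defence, and on its own does not clear an agent.
# (Constructed labels for this example, not the report's taxonomy.)
REQUIRED_CONTROLS: FrozenSet[str] = frozenset({
    "scoped_credentials",   # least-privilege, per-agent credentials
    "output_guardrails",    # constraints on what the agent may emit or do
    "human_approval",       # approval gate for high-blast-radius actions
    "verified_defenses",    # vendor defence claims independently checked
})


@dataclass(frozen=True)
class Agent:
    name: str
    private_data: bool                       # reads sensitive or internal data
    untrusted_content: bool                  # ingests web pages, email, tickets, documents
    outbound_actions: bool                   # calls tools, writes, sends, executes
    controls: FrozenSet[str] = frozenset()   # controls verified to be in place


def has_trifecta(agent: Agent) -> bool:
    """All three capabilities present: the condition under which a prompt
    injection can become data exfiltration or an unauthorised action."""
    return agent.private_data and agent.untrusted_content and agent.outbound_actions


def missing_controls(agent: Agent) -> List[str]:
    """Required controls the agent lacks. Only trifecta agents carry the
    mandatory control set; others return an empty list."""
    if not has_trifecta(agent):
        return []
    return sorted(REQUIRED_CONTROLS - agent.controls)


def observable_not_defensible(agent: Agent) -> bool:
    """Logging is present but at least one real defence is absent: the agent
    would produce an audit trail of an incident it could not prevent."""
    return "logging" in agent.controls and bool(missing_controls(agent))


def classify(agent: Agent) -> str:
    """Hypothetical status labels for this example (not the report's quadrants)."""
    if not has_trifecta(agent):
        return "low_surface"
    return "fortified" if not missing_controls(agent) else "exposed"


def triage(inventory: List[Agent]) -> Dict[str, dict]:
    """Per-agent findings keyed by agent name."""
    return {
        a.name: {
            "trifecta": has_trifecta(a),
            "status": classify(a),
            "missing": missing_controls(a),
            "observable_not_defensible": observable_not_defensible(a),
        }
        for a in inventory
    }


def summarize(inventory: List[Agent]) -> Dict[str, int]:
    """Count of agents per status, for a quick fleet-level view."""
    counts = {"fortified": 0, "exposed": 0, "low_surface": 0}
    for a in inventory:
        counts[classify(a)] += 1
    return counts


# Constructed sample inventory: hypothetical agents, not from the report.
INVENTORY: List[Agent] = [
    Agent("research-copilot", True, True, True, frozenset({"logging"})),
    Agent("build-agent", True, True, True, frozenset({
        "scoped_credentials", "output_guardrails", "human_approval",
        "verified_defenses", "logging"})),
    Agent("faq-bot", False, True, False, frozenset()),
    Agent("desktop-operator", True, True, True, frozenset()),
]


if __name__ == "__main__":
    for name, finding in triage(INVENTORY).items():
        flag = " (observable, not defensible)" if finding["observable_not_defensible"] else ""
        print(f"{name:18} {finding['status']:12} missing={finding['missing']}{flag}")
    print(summarize(INVENTORY))
```

The point of the separate "observable, not defensible" flag is the one the report makes: an agent whose only verified control is logging is still an exposed agent, and the script refuses to let logging substitute for scoped credentials, guardrails, approval gates, or verified vendor claims.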
We do not read this report as a reason to halt agentic adoption; the productivity case is real and the competitive pressure to deploy is only intensifying. We read it instead as a mandate to deploy through governed platforms rather than self-serve sprawl. The enterprises landing in that 11 percent did not get there by luck; they got there by inheriting defenses from a controlled platform layer that enforced credentials, guardrails, and approvals by default. That is the architecture worth copying before, not after, the first serious incident, and the difference between leading and exposed is increasingly a question of where you let agents run, not which model powers them.



