Only 11% of Production Agents Pass the AI Agent Security Bar

AI agents are rapidly moving from experimental tools to core enterprise functions, handling code generation, browser automation, and cloud orchestration. This acceleration has outpaced the development of security controls, creating a landscape where agents can ingest external documents and execute actions with standing credentials. The AIRQ report’s systematic scoring across attack surface, blast radius, and defense reveals that most agents are exposed to indirect prompt injection, a vector that can hijack an agent with a single malicious message.

The report’s most alarming insight is the prevalence of the "lethal trifecta"—private data access, untrusted content ingestion, and outbound capabilities—found in 98% of the evaluated agents. Coding and computer‑use agents, prized for their productivity gains, paradoxically present the widest attack surfaces and the thinnest defenses, often scoring zero on output validation and exfiltration blocking. Moreover, only 17% of claimed defensive measures have independent verification, leaving enterprises to rely on vendor assertions rather than proven safeguards.

For decision‑makers, the findings translate into concrete actions: prioritize agents that reside in the "Fortified Leaders" quadrant, enforce sandboxing and container isolation to achieve 2.6‑ to 6‑fold risk reductions, and embed quarterly re‑audits into AI procurement processes. Treat each agent as a discrete risk unit, demand transparent verification of security controls, and differentiate between vendor‑shipped and customer‑configured configurations. By aligning governance with the AIRQ methodology, organizations can harness AI productivity while mitigating the systemic threats highlighted in the report.