Blind spots for agentic AI

Agentic AI—autonomous agents acting through APIs—is being billed as a platform shift, yet nearly half of organisations report they cannot see machine-to-machine traffic. That visibility gap turns agent actions into a governance and compliance risk for long-running, document-heavy businesses like mortgage servicing and underwriting. (securityboulevard.com, techradar.com)

A lot of companies are racing to give artificial intelligence agents permission to do real work, but Salt Security says 48.9% of organizations are still blind to machine-to-machine traffic, which means they often cannot see what those agents are doing through application programming interfaces. That matters because an agent is not just a chatbot answering questions; it is software that can open systems, move data, trigger workflows, and make decisions through application programming interfaces, which are the digital doorways connecting one system to another. Salt’s April 8, 2026 report says 92% of organizations lack the advanced security maturity needed for this shift, and 47% have already delayed artificial intelligence projects because of application programming interface security concerns.

The old model assumed a human employee clicked the button, opened the file, or approved the transaction, so audit trails were built around people. Agentic systems change that model because the “user” can now be another piece of software acting at machine speed. That is a bigger problem in businesses with long, paper-heavy processes like mortgage underwriting and mortgage servicing, where one case can involve pay stubs, bank statements, insurance records, hardship letters, investor rules, and years of payment history. If an agent reads those documents, extracts data, decides which rule applies, and sends an update into a servicing platform, the company needs a record of which system the agent touched, which policy it used, and what data it saw. Without that, a later audit can turn into guesswork.

Freddie Mac’s Bulletin 2025-16 pushed this from theory into compliance by requiring approved seller-servicers to establish artificial intelligence governance by March 3, 2026, including oversight of how models are used in mortgage operations.

TechRadar’s April 8 piece argues that the bottleneck is not the model itself but the process around it, because companies built many back offices as handoffs between teams, spreadsheets, inboxes, and legacy systems rather than as clean, observable workflows. That is why “visibility” keeps coming up in these reports. If a company cannot see machine-to-machine calls, it cannot tell whether an agent followed policy, exceeded its permissions, or quietly copied regulated customer data into the wrong system.

Salt also says 78.6% of security leaders are getting more executive scrutiny on artificial intelligence risk, but only 23.5% say their legacy security tools are effective for the job. Boards are asking for answers before the monitoring exists. So the fight over agentic artificial intelligence is turning into a plumbing fight. The winners may be the companies that can show, line by line, which agent called which application programming interface, which document it used, and why it took that action.
