Survey finds 79% of organizations lack clear accountability/RACI for AI agents
- Deloitte said in January that 85% of companies expect to customize autonomous AI agents for their business, even as governance and production controls lag behind deployment across large enterprises.
- Cloud Security Alliance said in March that 68% of organizations cannot clearly distinguish human activity from AI agent activity, a basic accountability problem as agents move into production systems.
- Microsoft’s April toolkit release and PwC’s 2025 survey both point to the same gap: agent use is scaling faster than monitoring and control. (opensource.microsoft.com)

Companies are pushing AI agents into real work before they have nailed down who owns the risks those systems create. (deloitte.com) (cloudsecurityalliance.org)

Deloitte said on January 21 that 85% of companies expect to customize autonomous agents for their business, and only 25% have moved 40% or more of their AI pilots into production so far. Its survey covered more than 3,000 director-to-C-suite leaders involved in AI initiatives. (deloitte.com)

The Cloud Security Alliance said on March 24 that 73% of organizations expect AI agents to become vital within a year, but 68% cannot clearly distinguish human actions from agent actions. The group said 85% already use AI agents in production environments. (cloudsecurityalliance.org)

That distinction is the first step in accountability. If a purchasing agent approves a payment, a coding agent pushes flawed software, or a security agent changes settings, investigators need logs that show what acted, under whose authority, and with what permissions. (cloudsecurityalliance.org) (opensource.microsoft.com)

PwC said on October 30, 2025 that AI agents are pushing companies away from one-time policy reviews toward continuous monitoring and control. Half of respondents in its Responsible AI survey said operationalizing those practices is their biggest hurdle. (pwc.com)

Microsoft made the same point in product form on April 2, when it released its open-source Agent Governance Toolkit under an MIT license. The company said the toolkit was built to cover all 10 risks in OWASP’s 2026 Top 10 for Agentic Applications, including tool misuse, identity abuse, rogue agents, and cascading failures. (opensource.microsoft.com)

Microsoft said the toolkit intercepts agent actions before execution, adds cryptographic identity and trust scoring, and is designed to work with existing frameworks such as LangChain, AutoGen, CrewAI, Microsoft Agent Framework, and Microsoft Foundry Agent Service. The pitch is simple: make agent behavior inspectable at runtime instead of relying on policy documents alone. (opensource.microsoft.com)

The pressure to solve this is rising with regulation. Microsoft noted that high-risk obligations under the European Union AI Act take effect in August 2026, and the Colorado AI Act becomes enforceable in June 2026. (opensource.microsoft.com)

Some vendors are publishing even more dramatic numbers, but many of those claims come from company-sponsored surveys or marketing material tied to their own products. The firmer cross-check across Deloitte, PwC, CSA, and Microsoft is narrower: adoption is moving fast, and identity, monitoring, and governance are not keeping pace. (writer.com) (deloitte.com) (pwc.com) (cloudsecurityalliance.org) (opensource.microsoft.com)

The cleanest version of the problem is now visible: enterprises know they want agents in production, but many still cannot say, with precision, which machine actor did what. (cloudsecurityalliance.org)