Many companies say they haven’t assessed agentic AI risks

A study released earlier this week by Riskonnect pointed out that companies are mostly “flying blind” on agentic AI.

The study found that while nearly 60% of risk leaders say their organizations are considering incorporating agentic AI into their operations or products, 55% admit they haven’t formally assessed the risks.

“Alarming Riskonnect statistics indicate that more than half of businesses are exploring agentic AI technologies without evaluating the dangers of the tools operating autonomously,” said Noelle Murata, senior security engineer at Xcape, Inc. “Unmonitored systems like these provide new, heightened risks, such as unintentional, highly privileged code execution throughout the network, or autonomous data exfiltration.”

Chad Cragle, chief information security officer at Deepwatch, added that agentic AI has already slipped into business operations, often without leaders noticing — and that’s where the real risk begins.

Cragle said these systems don’t just follow instructions: they make their own decisions based on context, which means that bad inputs, flawed datasets, or excessive permissions can quickly spiral into data leaks, compliance violations, or system outages.

“Companies that skip vendor risk assessments are essentially giving autonomy to software they don’t fully understand,” said Cragle. “Treat it like any other high-impact asset, with strong access controls, detailed audit trails, and human oversight for critical decisions. Organizations that establish governance and transparency early will not only reduce risk but also build trust and resilience, while others scramble to keep up.”