Securing Agentic AI and the New Security Reality


The most dangerous AI failures aren't dramatic. They're invisible.

With just 0.001% of poisoned data, a model can lose up to 30% of its accuracy. The drift happens gradually. The agent keeps running. Nobody gets an alert. By the time anyone notices something is wrong, the damage is done.

"Your teams don't even know it happened," said Pearl Almeida, Research Director, Security and Privacy at Info-Tech Research Group, opening her keynote at Info-Tech LIVE 2026 in Las Vegas. "We don't have enough people who understand the scope of agents. Our tooling isn't designed to catch drift. And we're not monitoring or logging transactions the way we need to."

The numbers back her up. According to Info-Tech's research, 52.9% of agents across organizations are not monitored or secured. The average cost of a shadow AI breach is $4.63 million — more than the average ransomware incident. And that figure, Almeida noted, is likely conservative.

"This isn't a technology problem," she said. "It's a governance problem."

Why Traditional Security Controls Fail

The root issue is architectural. Traditional security was built for predictable systems — static code, tightly scoped permissions, deterministic workflows. Agentic AI operates on entirely different terms: dynamic reasoning, nondeterministic decisions, shifting permissions, and autonomous loops that can change behavior from one session to the next.

Two identical inputs can produce completely different outputs depending on context. Agents can adopt permissions from other agents as their tasks evolve. They're making decisions in real time, autonomously, and the controls built for conventional software simply weren't designed to track any of that.

Almeida traced the timeline: from the ChatGPT launch in late 2022 and early prompt injection attacks, through indirect injection and RAG poisoning, to the current era of multi-agent environments and agent-to-agent protocols. Each phase created a new attack surface before the previous one was secured. The gap between adoption and governance, she said, is the attack surface.

Four Questions That Frame the Entire Problem

Almeida's framework starts not with controls but with questions — four of them, in order:

What is the agent doing? What resources does the agent require? Does the agent have predefined ranges for its decisions? And what happens when something goes wrong?

"By answering these questions," she said, "you establish autonomy boundaries for the agent. And autonomy boundaries are the new perimeter."

The Anatomy of an Attack Surface

To understand where to apply controls, you first have to understand how an agent actually works. Almeida walked through the full architecture: input arrives from a user, API, or event trigger; a RAG engine retrieves relevant context; a context manager assembles that background information; the LLM plans, reasons, and decides; and the agent executes through tool calls — API calls, database queries, application actions — before producing output.

Every one of those components is an entry point. And every action the agent takes is executed through an API call.

"APIs are a dominant attack vector," Almeida said, "and agents increase the blast radius." Her research found that 36% of AI vulnerabilities are API vulnerabilities. Most API keys in production are carrying more permissions than the task requires, stored incorrectly, and not logged or monitored.

The Three-Layer Security Architecture

Almeida's framework builds security in layers, each one addressing a different question from her opening framework.

The first layer is API security — controlling who can request an action and what actions are allowed. Every agent interaction is authenticated, authorized, and auditable. Scoped tokens define what the agent can access, what tasks it can perform, and the conditions for valid access.

API security works like a hotel key. Your key opens your room, the gym, the pool, and the elevator, and nothing else. The elevator is like an MCP server: it reads your key, but only takes you to your floor. The token defines what you're allowed to reach. The MCP gateway enforces where you can actually go.

The second layer is the MCP gateway. Model Context Protocol has become the standard for how agents call tools, and the gateway creates a single enforcement point for every tool call. It handles authentication verification, routes the agent to the relevant MCP server, enforces policy requirements, filters which tools are visible to the agent, and provides centralized logging. API controls scope. MCP controls access to resources.

The third layer is the orchestration layer — where behavioral nuance lives. This is where intent-based access control, policy-based access control, and indirect prompt injection detection operate. The orchestration layer provides contextual runtime enforcement: intent consistency checking, output scanning, and behavioral anomaly detection.

Together, the three layers mean no single point of failure. Orchestrator, MCP gateway, API security — intent and context, call enforcement, credential validation — each layer catches what the previous one can't.

Identity Governance: Still Emerging

The fourth layer — identity governance for agents — adds attribution on top of access control. An identity provider takes over token issuance, rotation, and revocation. When something goes wrong, you can revoke the token immediately, which shuts the agent down. The identity layer also handles agent and MCP discovery and registration, making it possible to know what agents are running in your environment at any given time.
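The following is an added illustration, not code from the keynote or from Info-Tech, of how the three mechanisms described above fit together: a scoped token (tools, resources, validity window), a gateway that filters tool visibility and enforces scope and logs every call before anything reaches an MCP server, and revocation that shuts the agent out immediately. The `ScopedToken` and `MCPGateway` names, the `now` clock parameter and the stand-in tool servers are all constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class ScopedToken:
    """Hypothetical scoped token issued by the identity layer (constructed example)."""
    agent_id: str
    allowed_tools: frozenset      # tasks the agent may perform
    allowed_resources: frozenset  # what the agent may access
    expires_at: float             # condition for valid access
    revoked: bool = False         # flipped by the identity layer on revocation


class MCPGateway:
    """Single enforcement point in front of the MCP servers (constructed example)."""
    def __init__(self, tool_servers):
        self.tool_servers = tool_servers  # tool name -> callable standing in for an MCP server
        self.audit_log = []               # one record per call, allowed or denied

    def _verdict(self, token, tool, resource, now):
        checks = [(token.revoked, "token revoked"), (now > token.expires_at, "token expired"),
                  (tool not in token.allowed_tools, "tool out of scope"),
                  (resource not in token.allowed_resources, "resource out of scope")]
        return next(("denied: " + why for failed, why in checks if failed), "allowed")

    def visible_tools(self, token):
        # Tool filtering: the agent is only shown the tools its token permits
        return sorted(t for t in self.tool_servers if t in token.allowed_tools)

    def call(self, token, tool, resource, now):
        verdict = self._verdict(token, tool, resource, now)
        self.audit_log.append({"agent": token.agent_id, "tool": tool,
                               "resource": resource, "verdict": verdict})
        if verdict != "allowed":
            return None  # policy enforced before anything reaches an MCP server
        return self.tool_servers[tool](resource)


def demo():
    gateway = MCPGateway({"read_ticket": lambda r: f"contents of {r}",   # stand-in MCP servers
                          "close_ticket": lambda r: f"closed {r}",
                          "drop_table": lambda r: f"dropped {r}"})
    token = ScopedToken("triage-agent", frozenset({"read_ticket", "close_ticket"}),
                        frozenset({"ticket-42"}), expires_at=2000.0)
    results = {"visible": gateway.visible_tools(token),
               "in_scope": gateway.call(token, "read_ticket", "ticket-42", now=1000.0),
               "wrong_tool": gateway.call(token, "drop_table", "ticket-42", now=1000.0),
               "wrong_resource": gateway.call(token, "read_ticket", "ticket-99", now=1000.0),
               "expired": gateway.call(token, "close_ticket", "ticket-42", now=3000.0)}
    token.revoked = True  # identity layer revokes the token: the agent is shut out immediately
    results["after_revocation"] = gateway.call(token, "read_ticket", "ticket-42", now=1000.0)
    return dict(results, audit=gateway.audit_log)
```

Every denial still lands in the audit log, which is the record a detection layer needs; a gateway that only logs successes cannot show an agent probing outside its scope.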

Almeida was candid about the maturity of this space. "Identity for agents is still in theory," she said. Vendors are in beta testing. The tooling is still developing. But that doesn't mean organizations should wait — it means they should be evaluating vendors now based on behavioral monitoring capabilities, policy controls, and the quality of the governance interface their security teams will actually use.

The final question — what happens when something goes wrong — requires organizations to think through the full NIST framework: identify, protect, detect, respond, recover. Most organizations have the protect layer partially in place. Almost none have the detect layer working properly.

"Logging isn't just a compliance checkbox," Almeida said. "You need to start baselining actions for every agent, especially agents that are touching sensitive systems. You can't secure what you can't see."
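As an added example of the baselining Almeida describes (not code from the keynote or from Info-Tech), the block below builds a per-agent profile of (tool, resource) actions from one window of gateway audit records and compares a later window against it, flagging an agent with no baseline, an action the agent never performed before (high severity when the resource is sensitive), and a volume spike on a known action. The audit records, the agent names and the `SENSITIVE_RESOURCES` list are constructed; both windows are assumed to cover equal time spans.

```python
from collections import Counter, defaultdict

# Constructed audit records (agent, tool, resource), the fields an MCP gateway would log.
BASELINE_RECORDS = ([("triage-agent", "read_ticket", "ticket-db")] * 10
                    + [("triage-agent", "close_ticket", "ticket-db")] * 4
                    + [("report-agent", "query", "hr-db")] * 2)
RECENT_RECORDS = ([("triage-agent", "read_ticket", "ticket-db")] * 3
                  + [("triage-agent", "close_ticket", "ticket-db")]
                  + [("triage-agent", "query", "hr-db")]               # never seen before
                  + [("report-agent", "query", "hr-db")] * 8           # known, but 4x its usual volume
                  + [("export-agent", "send_email", "external-smtp")])  # agent with no baseline at all
SENSITIVE_RESOURCES = {"hr-db", "payroll-api"}  # assumed list, maintained by the security team


def build_profile(records):
    """Per-agent profile: how often each (tool, resource) pair was used in the window."""
    profile = defaultdict(Counter)
    for agent, tool, resource in records:
        profile[agent][(tool, resource)] += 1
    return profile


def detect_drift(baseline, recent_records, spike_factor=3.0):
    """Compare a recent window against the baseline (both windows assumed equal length).

    Flags: an agent with no baseline (it was never mapped), a (tool, resource) pair the
    agent never used before (high severity if the resource is sensitive), and a known
    pair whose volume exceeds spike_factor times its baseline count.
    """
    alerts = []
    for agent, pairs in build_profile(recent_records).items():
        known = baseline.get(agent)
        if not known:
            alerts.append((agent, "high", "no baseline exists for this agent"))
            continue
        for (tool, resource), count in pairs.items():
            if (tool, resource) not in known:
                severity = "high" if resource in SENSITIVE_RESOURCES else "medium"
                alerts.append((agent, severity, f"new action: {tool} on {resource}"))
            elif count > spike_factor * known[(tool, resource)]:
                alerts.append((agent, "medium", f"volume spike: {tool} on {resource} "
                                                f"{count}x vs baseline {known[(tool, resource)]}x"))
    return alerts


def run():
    return detect_drift(build_profile(BASELINE_RECORDS), RECENT_RECORDS)
```

The "no baseline" alert is the shadow-agent case from the opening statistics: an agent that shows up in gateway logs without ever having been mapped.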

The call to action she left the room with was direct: get started today. Map your agents. Understand what they can see, what they can do, and what they can touch. Define what catastrophic failure looks like for each one. Build the revocation capability before you need it. And don't wait for the governance framework to be perfect before you start.

"We secured the internet once," Almeida said. "We can do it again. We just need to start."
