AI Agent Scope Violations at 53%: This Is an Architecture Problem

Dev.to / 2026/4/20


Key points

  • The Cloud Security Alliance study (commissioned by Zenity) reports that 53% of organizations have had an AI agent exceed its intended permissions, and that 47% experienced an AI-agent-related security incident in the past year.
  • The article argues that the main cause of scope violations is not an absence of governance policy but the lack of runtime enforcement in the architectures most teams use in practice.
  • In many production agent setups, intent is embedded in a system prompt or a configuration, but because an LLM follows instructions probabilistically, it may fail to comply under adversarial input or at the edges of its training distribution.
  • Observability such as logging and tracing helps detect and investigate a violation after it has happened, but it cannot stop the agent from taking the unauthorized action before it is recorded.

On April 16, 2026, the Cloud Security Alliance published a study — commissioned by Zenity, an AI security vendor with a commercial interest in these findings, and titled Enterprise AI Security Starts with AI Agents — with a finding that should stop any engineering leader running agents in production: in 53% of organizations, AI agents have at some point exceeded their intended permissions. Nearly half (47%) experienced a security incident involving an AI agent in the past year.

These aren't hypothetical risk projections. They're operational realities across organizations that have already shipped agents to production.

The natural response is to treat this as a policy enforcement failure — someone didn't write the right rules, or the team moved too fast without the right guardrails in place. That framing understates the problem. Scope violations aren't primarily happening because governance policies are absent. They're happening because the architecture most teams use provides no enforcement layer to honor the policies that do exist.

AI agent scope violations occur when an agent takes an action or accesses a resource outside the boundaries defined by its intended use. In well-governed systems, an agentic governance layer enforces those boundaries at runtime, before the action executes. In systems built without a dedicated governance plane — which describes the majority of production agent deployments today — there is no enforcement. The policy exists as intent, embedded in a system prompt or a deployment config, but nothing actually stops the agent from exceeding it.

Why Agents Exceed Scope — and Why Monitoring Doesn't Stop It

Agents exceed scope for a structurally predictable reason: they're maximally capable by default.

When an agent is provisioned with credentials, tool access, and a context window, it operates with everything it was given unless something explicitly constrains it. System prompts can express intent — "only access customer records for the active session user" — but an LLM following a system prompt is a probabilistic instruction follower, not a policy enforcement mechanism. Under adversarial conditions, with corrupted tool outputs, or simply at the boundaries of its training distribution, the model may not comply.

This is the gap the CSA study is measuring. Scope violations aren't evidence that teams don't care about permissions. They're evidence that caring isn't the same as enforcing.

The observability layer — logging, tracing, session recording — captures scope violations after they've occurred. That's useful for forensics and for post-incident review. But it doesn't prevent the violation. An agent that accessed an out-of-scope record or sent a request to an unauthorized endpoint has already done the thing by the time your tracing system logs it.

The temporal gap between "action executes" and "action is reviewed" is where violations live. Closing that gap requires enforcement that runs before execution, not monitoring that runs after it.

The Shadow AI Problem Is Compound

The CSA study surfaced a second finding that compounds the scope violation problem: 54% of organizations have between 1 and 100 unsanctioned AI agents running in their environment, and only 15% said that 76–100% of their agents have defined ownership.

This is the shadow AI problem, and it's worse for agentic systems than it was for traditional software. An unsanctioned SaaS application is a data governance concern. An unsanctioned agent is a behavioral governance concern — it has tools, credentials, and the ability to take consequential actions, often with no one tracking what it's been given or what it's doing.

Scope violation rates are hard to measure when you don't have a complete picture of what's running. If 54% of organizations have agents they can't fully enumerate, then the 53% scope violation figure likely undercounts the true exposure. Violations you can't attribute to a known agent don't make it into survey responses.

The remediation path starts with a complete agent registry — a system of record that tracks every agent in the fleet: what it has access to, who owns it, when it was deployed, what policies govern it. Without that catalog, enforcement is partial by definition. You can govern only the agents you know about.

What Pre-Execution Enforcement Actually Looks Like

The missing layer in most architectures is a policy enforcement component that sits between an agent's intent and the execution of each action. When an agent attempts to call a tool, read a record, or make an API call, that action hits the enforcement layer before it reaches the target system. The enforcement layer evaluates the action against the governing policies for that agent in that context, and either approves it, blocks it, or routes it for human review.

This pattern — sometimes called a governance plane — is standard in adjacent domains. API gateways do this for service-to-service calls. Firewalls do this for network traffic. IAM systems do this for identity-driven resource access. The agentic space has been slow to adopt it because agent deployments have, until recently, been experimental enough that the stakes felt manageable.

The CSA data suggests those stakes are no longer manageable without it.

The enforcement layer has to operate independently of the agent's reasoning process. Policies enforced through system prompts can be reasoned around or eroded by distributional drift. Policies enforced by an external layer — one that intercepts every action before it executes and evaluates it against explicit, versioned rules — cannot. The agent doesn't decide whether to comply. Compliance is structural.

Policy enforcement at this layer can cover the scope cases the CSA study identified: resource access limits, credential usage boundaries, data scope restrictions, and output validation. The same layer handles the cases that adjacent research has identified — token budget enforcement, PII containment, human-in-the-loop approval gates for high-consequence actions.
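As an added illustration (not code from the article, from Waxell, or from Microsoft's toolkit), here is a minimal Python version of the registry described earlier and the pre-execution gate described in this section: each tool call is evaluated against the agent's explicit, versioned policy before it runs, an agent missing from the registry is denied outright, and an audit record with full decision context is written whether or not the action executes. The agent names, hosts, tools and policy values are constructed for the example.

```python
from enum import Enum
from urllib.parse import urlparse

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    REVIEW = "review"  # routed to a human approval gate; not executed by the agent

# Constructed registry (hypothetical values): owner plus explicit, versioned policy per agent.
# An agent absent from the registry is shadow AI: it has no policy, so every action is denied.
REGISTRY = {"support-bot": {"owner": "support-eng", "policy": {
    "version": "v3", "allowed_tools": {"read_record", "http_request", "issue_refund"},
    "allowed_hosts": {"api.internal.example"}, "review_tools": {"issue_refund"}}}}

# Stand-in tools so the example runs offline; a real deployment dispatches to real systems.
TOOLS = {"read_record": lambda customer_id: {"customer_id": customer_id, "plan": "pro"},
         "http_request": lambda url: f"GET {url} -> 200",
         "issue_refund": lambda customer_id, amount: f"refunded {amount} to {customer_id}"}

def enforce(agent_id: str, tool: str, params: dict, session_user: str, audit: list) -> Decision:
    """Evaluate one proposed action before it executes; the model's reasoning has no say."""
    pol = (REGISTRY.get(agent_id) or {}).get("policy")
    if pol is None:
        decision, reason = Decision.DENY, "agent not in registry"
    elif tool not in pol["allowed_tools"]:
        decision, reason = Decision.DENY, "tool outside agent scope"
    elif tool == "read_record" and params.get("customer_id") != session_user:
        decision, reason = Decision.DENY, "record does not belong to the session user"
    elif tool == "http_request" and urlparse(params.get("url", "")).hostname not in pol["allowed_hosts"]:
        decision, reason = Decision.DENY, "endpoint not on the allow-list"
    elif tool in pol["review_tools"]:
        decision, reason = Decision.REVIEW, "high-consequence action needs human approval"
    else:
        decision, reason = Decision.ALLOW, "policy satisfied"
    # Audit record with full decision context, written whether or not the action runs.
    audit.append({"agent": agent_id, "tool": tool, "params": params, "user": session_user,
                  "policy_version": pol["version"] if pol else None,
                  "decision": decision.value, "reason": reason})
    return decision

def run_tool(agent_id: str, tool: str, params: dict, session_user: str, audit: list):
    """The gate: only an ALLOW reaches the target system; DENY and REVIEW never execute."""
    if enforce(agent_id, tool, params, session_user, audit) is not Decision.ALLOW:
        return None
    return TOOLS[tool](**params)
```

The gate sits between the agent and every tool, so a prompt that the model reasons around changes nothing: the same call still has to pass `enforce` before it reaches the target.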

What Microsoft's Entry Means for This Problem

Two weeks before the CSA study was published, Microsoft released the Agent Governance Toolkit on April 2, 2026 — an open-source project providing runtime security governance for AI agents, covering all ten risks in the OWASP Top 10 for Agentic Applications 2026, published in December 2025. The toolkit includes a policy engine, compliance verification tooling, plugin lifecycle management, and framework integrations for LangChain, CrewAI, Google ADK, and Microsoft's own Agent Framework.

Microsoft entering the governance tooling space is a meaningful signal. It validates the architectural argument — that governance needs to run at the infrastructure layer, not in the model — and it expands the available options. It also sets a useful baseline for what "governance coverage" means: if a toolkit specifically designed for this problem covers the OWASP Top 10 for Agentic Applications 2026, the minimum bar for a production governance layer is now explicit and public.

What the open-source toolkit offers and what a purpose-built governance platform handles are different discussions. Self-hosted tooling has maintenance overhead and integration costs; vendor-neutral foundations shift on their own roadmaps. The right architectural choice depends on organizational context. What the landscape shift does clarify is that treating governance as an afterthought is no longer a position that survives scrutiny — not when the scope violation data is this clear, and not when major vendors have shipped dedicated tooling to address it.

How Waxell Handles This

Waxell's governance plane is built around exactly the enforcement gap the CSA study is measuring. Every agent action is intercepted by Waxell's policy engine before it reaches the target system. Policies — scope restrictions, resource access rules, data handling requirements, approval gates — are defined in the governance plane, not in the agent code or system prompt. They apply deterministically, regardless of what the agent's reasoning layer decides.

The agent registry addresses the shadow AI finding directly. Every agent in the fleet is catalogued: ownership, tool access, policy set, deployment history. Governance coverage is measurable, not estimated.

Policy enforcement covers the specific scope violation scenarios the study identifies — credential scope, resource access limits, data handling policies — as well as the adjacent governance requirements: token budgets, PII containment, HITL gates, and audit logging with full decision context.

The enforcement layer operates outside the model's reasoning process. Agents don't decide whether policies apply to them. Policies apply structurally, at the point where intent becomes execution.

Frequently Asked Questions

What is an AI agent scope violation?
An AI agent scope violation occurs when an agent accesses a resource, uses a credential, or takes an action that falls outside the boundaries defined by its intended operational scope. In most architectures, agents operate with whatever permissions they were provisioned with at deployment, and there is no runtime enforcement layer that prevents them from using those permissions outside their intended context.

Why do 53% of organizations have AI agents that exceed their permissions?
The CSA's April 2026 study found that most organizations deploy agents with permissions defined at provisioning time, but without a runtime enforcement layer that validates each action against those policies before execution. Agents are designed to be maximally helpful — they use what they have access to. Without pre-execution enforcement, scope violations are the expected outcome, not an edge case.

What is shadow AI, and why does it matter for scope violations?
Shadow AI refers to AI agents deployed outside formal IT governance processes, without documented ownership or sanctioned credentials. The CSA study found 54% of organizations have between 1 and 100 unsanctioned agents. Unsanctioned agents can't be covered by governance policies you haven't extended to them, which means the 53% scope violation figure likely understates actual exposure.

How is pre-execution enforcement different from monitoring or logging?
Monitoring and logging capture what an agent did after execution. Pre-execution enforcement intercepts the action before it reaches the target system and evaluates it against governing policies. The difference is causal: monitoring tells you a violation occurred; enforcement prevents it from occurring. The CSA study's scope violation data reflects the practical consequence of architectures that have monitoring without enforcement.

What does an agent registry have to do with scope violations?
An agent registry is a system of record that tracks every agent in a fleet: its tools, credentials, governing policies, ownership, and deployment state. Without a registry, enforcement coverage is incomplete — you can only govern agents you've catalogued. Given that 54% of organizations have significant shadow AI populations, complete registry coverage is a prerequisite for complete enforcement coverage.

Does using open-source governance tooling like Microsoft's Agent Governance Toolkit address this problem?
Microsoft's Agent Governance Toolkit, released April 2, 2026, provides policy enforcement, compliance grading, and OWASP Top 10 for Agentic Applications 2026 coverage. Open-source tooling can address the enforcement gap for teams with the integration capacity to deploy and maintain it. The architectural approach — external enforcement layer, independent of agent reasoning — is the same approach purpose-built platforms use. The choice between self-hosted tooling and vendor platforms involves maintenance tradeoffs, support requirements, and organizational context.

Sources

  • Cloud Security Alliance / Zenity, Enterprise AI Security Starts with AI Agents, April 16, 2026. Press release via Business Wire. Key statistics: 53% scope violations, 47% security incidents, 54% shadow AI, 15% defined ownership coverage.
  • Microsoft Open Source Blog, Introducing the Agent Governance Toolkit, April 2, 2026. Details: seven-package open-source system, OWASP Top 10 for Agentic Applications 2026 coverage, sub-millisecond policy enforcement (verified: < 0.1ms for local enforcement; distributed deployments add 5–50ms for cryptographic verification).
  • OWASP, Top 10 for Agentic Applications 2026, December 2025. Referenced in Microsoft toolkit announcement.
  • Gravitee, State of AI Agent Security 2026: When Adoption Outpaces Control. Supporting stat: 88% of organizations reported confirmed or suspected AI agent security incidents; 14.4% have full security approval.