AIRQ Report — Only 11% of Production Agents Pass AI Security Bar

AI relevance: The AIRQ assessment reveals that nearly every production AI agent combines private data access, untrusted content ingestion, and outbound tool execution — the exact conditions needed for a single poisoned document to compromise enterprise infrastructure.

The AI Risk Quadrant (AIRQ) 2026 Q2 report scores 100 commercial and open-source AI agents across attack surface, blast radius, and defense controls. The findings are stark:

  • Only 11% of agents land in the "Fortified Leaders" quadrant — high capability paired with strong defenses. The rest range from exposed to barely defended.
  • 98% of agents carry the "lethal trifecta": private data access, exposure to untrusted content (documents, emails, web pages), and the ability to take outbound actions. Eight of ten agent classes show 100% trifecta exposure.
  • Coding agents and computer-use agents are the highest-risk categories: they rank in the top two on both attack surface and blast radius, yet sit in the bottom tier on defense controls. Computer-use agents scored exactly zero on output validation, exfiltration-channel blocking, and rendering sanitization.
  • Tool execution alone explains 76% of blast radius variance — more predictive than agent class, vendor reputation, or any individual defense component. Agents that execute tools form a fundamentally different risk population from those that don't.
  • 37% of agents score well on logging but poorly on prevention, so their audit capabilities function as forensic assets only; in 38% of the cohort, irreversible actions complete before any monitoring path can fire.
  • 83% of claimed defenses lack independent verification. Only 17% of defense credits carry evidence from public sources. Execution isolation and blast-radius reduction controls are the least verifiable.
  • 40% of the cohort sits in the "Exposed Giants" quadrant, holding 60% of the total risk budget. These are self-serve products with bottom-up adoption that typically bypass procurement gates.
  • Sandboxing cuts residual risk by ~2.6x; cloud or container-level isolation provides ~6x reduction. Documented and tested sandboxing is the recommended procurement gate.

Why it matters

As enterprises deploy agents with standing credentials to code, browse, and manage infrastructure, the gap between capability growth and defense controls is widening. The report shows that indirect prompt injection via untrusted content remains the universal attack surface — and for agents that execute tools, a single hostile input can cascade across every system the agent can reach.

What to do

  • Require documented and tested sandboxing for all tool-executing agents before deployment.
  • Treat external data ingestion (documents, emails, web pages, RAG snippets) as a primary attack vector — sanitize at the boundary, not after the agent sees it.
  • Apply procurement gates to self-serve AI tools; bottom-up adoption bypasses compliance review by design.
  • Demand public, independently verifiable evidence for any vendor security claims — the 83% unverifiable rate should be treated as a red flag.
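As an added illustration of the "lethal trifecta" and of the advice above to sanitize at the boundary and gate tool execution (example code written for this summary, not from the AIRQ report or any product it scores): a minimal tool-call gate that records the provenance of ingested content and denies or escalates outbound tool calls when all three trifecta legs are present at once, deciding before the action runs rather than logging it afterwards. The source categories, tool names and isolation levels are assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical source categories and tool names, used only for this example.
UNTRUSTED_SOURCES = {"email", "document", "web_page", "rag_snippet"}
OUTBOUND_TOOLS = {"send_email", "http_post", "shell", "write_file"}


@dataclass
class AgentContext:
    has_private_data: bool                             # trifecta leg 1: standing access to private data
    isolation: str                                     # assumed levels: "none", "sandbox" or "container"
    untrusted_seen: set = field(default_factory=set)   # trifecta leg 2: provenance of ingested content


def ingest(ctx: AgentContext, source: str, text: str) -> str:
    """Boundary step: record provenance and fence untrusted text before the model sees it.

    The fence only marks the text as data; the gate below does not rely on the model honouring it."""
    if source in UNTRUSTED_SOURCES:
        ctx.untrusted_seen.add(source)
        return f"<untrusted source={source}>\n{text}\n</untrusted>"
    return text


def has_trifecta(ctx: AgentContext, tool: str) -> bool:
    """True when private data, untrusted content and an outbound action (leg 3) coincide."""
    return ctx.has_private_data and bool(ctx.untrusted_seen) and tool in OUTBOUND_TOOLS


def gate_tool_call(ctx: AgentContext, tool: str, audit: list) -> str:
    """Decide BEFORE execution: the audit entry is forensic, the returned decision is what prevents."""
    if not has_trifecta(ctx, tool):
        decision = "allow"
    elif ctx.isolation == "none":
        decision = "deny"              # no blast-radius limit: refuse outbound action while untrusted content is in context
    else:
        decision = "require_approval"  # isolated, but keep a human in the loop for the outbound step
    audit.append({"tool": tool, "decision": decision, "untrusted": sorted(ctx.untrusted_seen)})
    return decision


if __name__ == "__main__":
    ctx = AgentContext(has_private_data=True, isolation="none")
    log: list = []
    print(gate_tool_call(ctx, "http_post", log))        # allow: nothing untrusted ingested yet
    ingest(ctx, "email", "constructed sample message body")
    print(gate_tool_call(ctx, "http_post", log))        # deny
    ctx.isolation = "container"
    print(gate_tool_call(ctx, "http_post", log))        # require_approval
    print(gate_tool_call(ctx, "read_calendar", log))    # allow: not an outbound tool
```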

Sources: