Let’s be real for a second—Agentic AI isn’t just a buzzword floating around research labs anymore. It’s actively making its way into our daily operational workflows. We are officially moving past the “what if” phase and dealing directly with what autonomous systems are already doing inside live enterprise environments.
But while the excitement is off the charts, there’s a catch.
To understand how organizations are navigating this massive transition, we recently surveyed senior IT and security leaders from across Cisco’s customer base [1]. The results confirmed that the momentum is very real: a massive 85% of these organizations are already experimenting with, piloting, or deploying agentic AI.
Yet, when you look at who has actually crossed the finish line, the numbers drop off a cliff. Only a tiny 5% of respondents report having AI agents in broad production.
Why the massive gap between piloting and production? It all comes down to trust. Business leaders are absolutely thrilled about the productivity gains agentic AI promises—projects that were previously shelved due to resource constraints are suddenly back on the table. But as we move from experimentation to execution, maturity is becoming the ultimate differentiator. The organizations that successfully scale AI won’t be the ones that move the fastest; they’ll be the ones that establish solid guardrails early and enforce them consistently. It is widely acknowledged by the analyst community that the lack of security controls for AI agents is becoming the fastest-growing and most significant security blind spot.
Security: The Ultimate Frenemy of AI Adoption
So, what exactly is causing this massive 85% vs. 5% chasm? Security is playing a fascinating dual role in the agentic era. It’s not an afterthought—it is simultaneously the biggest roadblock and a top strategic priority.
Our research shows that nearly 60% of security leaders view security concerns as the primary barrier to broader agentic AI adoption. At the exact same time, 29% rank securing agentic AI among their top three priorities for the coming year.
When we asked leaders what specifically keeps them up at night regarding AI agents, the answers were incredibly consistent:
- Agent access control
- Data exfiltration
- Agent autonomy and behavior
These aren’t just edge cases; they are structural risks. When you grant an AI system autonomy without clearly defined constraints, things can go sideways quickly. You aren’t just worried about what data the agent can access; you are worried about what actions the agent might take.
The Reality Check: Who is Actually Adopting Agentic AI?
Now that we know what’s holding people back, let’s look at where the successful adoption is actually happening. According to our research, North America is currently leading the charge, with 61% of respondents in the region piloting or producing agentic AI, followed by APJC (53%) and EMEA (48%).
When we break it down by industry, Financial Services, Technology, Manufacturing, and Healthcare are adopting it the fastest. These are highly regulated, complex industries that have a lot to gain from operational efficiency, but they also have the most to lose if things go wrong. This perfectly sets the stage for why that 5% production number is so low.
The Internal vs. External Divide: Why Customer-facing Agents are Stuck in Pilot
If we zoom in on that 5% of organizations that have actually pushed agentic AI into broad production, a fascinating pattern emerges. These successful deployments are almost entirely internal-facing. We’re talking about IT operations, Security Operations (SecOps), internal financial analysis, and R&D.
So, what about customer support?
In a lot of early industry chatter, customer support was touted as the ultimate use case for AI agents. But our survey data tells a slightly different story. While businesses were quick to adopt chatbots for customer-facing interactions, moving from a chatbot to a fully autonomous, customer-facing AI agent has made businesses pause. As our survey suggests, those customer-facing projects currently remain in the pilot phase. Very few have made it to full production.
Why the hesitation? Because the stakes are simply too high. Leaders are deeply worried about an agent’s non-deterministic behavior. When an AI agent is public-facing, it is exposed to the wild. Much like a public-facing web service, an external AI agent can be attacked, exploited, or “poisoned” by malicious inputs. Until organizations can guarantee that their customer-facing agents won’t be tricked into doing something harmful or off-brand, those external projects will remain in the sandbox.
Evolving Zero Trust: From “Who You Are” to “What You Do”
Let’s break down those top concerns using some of the insights from our advisory board. When we talk about access control and data exfiltration, identity management lies at the foundation.
But here is where things get interesting. Because agents act autonomously and non-deterministically, traditional IAM isn’t enough anymore. Zero Trust access principles must evolve. We need to mature from a human-centric, identity-based access model and transition toward an action-based access model.
It’s a two-way street. Think of it like this:
- You have to protect the agent from the world. You need to defend against supply chain risks, prevent the agent from being tricked, and ensure it doesn’t act beyond its intended scope. In fact, our survey explicitly highlighted these exact fears: respondents cited “agents acting beyond intended scope,” “agents being tricked,” and “agent supply chain risk” as major secondary barriers to adoption.
- You have to protect the world from the agent. You need strict security controls to consistently enforce access boundaries, ensuring your sensitive data, your customers, and your critical resources are safe from an agent that might go rogue and make a business process error.
You need these autonomous systems to work for you, not against you. And that requires security infrastructure that is embedded into identity, access, and behavioral controls from day one.
The “Who Owns This?” Problem
As agentic AI expands into operational systems, who is actually responsible for securing it? Right now, the answer is: everyone and no one.
Our research shows that decision-making and ownership are highly fragmented across the enterprise:
- 29% say the CISO owns it.
- 27% say the CIO or IT organization owns it.
- 24% point to a central AI committee.
- 11% admit there is no clear ownership at all.
This spread makes sense for the experimentation phase, but it’s a nightmare for production. When autonomy touches identity systems, operational infrastructure, and security workflows all at once, fragmented ownership dilutes accountability. The security team might manage access controls, IT oversees the infrastructure, and the AI team governs the models. Without unified oversight, your policies and your actual enforcement are going to be completely out of sync.
As agentic AI scales, clear accountability isn’t just a nice-to-have; it’s a structural requirement.
Closing the Control Gap Without Killing Innovation
Agentic AI is an operational reality. It is actively being woven into workflows that dictate IT uptime, security incident response, and internal financial health. The momentum is undeniable, but the control is still wildly uneven.
Closing this “control gap” doesn’t mean you have to hit the brakes on innovation. It just means you need to structure it.
Securing agentic AI means clearly defining non-human identities, enforcing least-privilege access, constraining behavior within approved boundaries, and continuously monitoring activity to contain the blast radius. When these elements work together, autonomy becomes manageable. When they operate in silos, your risk compounds.
The organizations that win in the agentic era won’t be the ones that rush to deploy the fastest. They will be the ones that embed dynamic guardrails early, ensuring their autonomous systems operate strictly within defined, observable, and safe limits.
Ready to safely scale your AI agents from pilot to production?
Don’t let the Agent Trust Gap slow down your innovation. Security shouldn’t be a barrier—it should be your foundation for autonomy. Discover how Cisco can help you build dynamic guardrails and enforce action-based Zero Trust for your autonomous systems.
Explore our Agentic AI Security Solution to learn more, or view the full survey results infographic.
We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.
Cisco Security Social Media
Facts Only
A survey of senior IT and security leaders across Cisco’s customer base found 85% of organizations are experimenting with, piloting, or deploying agentic AI.
Only 5% of respondents report having AI agents in broad production.
60% of security leaders identify security concerns as the primary barrier to broader agentic AI adoption.
29% of leaders rank securing agentic AI among their top three priorities for the coming year.
Top security concerns include agent access control, data exfiltration, and agent autonomy/behavior.
North America leads in adoption (61% piloting/producing), followed by APJC (53%) and EMEA (48%).
Financial Services, Technology, Manufacturing, and Healthcare are the fastest-adopting industries.
Customer-facing AI agents remain mostly in pilot, with internal deployments (IT, SecOps, finance) dominating production.
29% of organizations say the CISO owns agentic AI security, 27% the CIO/IT, 24% a central AI committee, and 11% report no clear ownership.
Traditional identity-based Zero Trust models are deemed insufficient for autonomous agents, requiring action-based access controls.
Supply chain risks, agent deception, and scope overreach are cited as secondary barriers to adoption.
Executive Summary
Agentic AI is rapidly transitioning from experimental research to operational deployment, with 85% of surveyed organizations experimenting, piloting, or deploying autonomous AI systems. However, only 5% have reached broad production, highlighting a significant gap driven by trust and security concerns. Security leaders cite agent access control, data exfiltration, and autonomous behavior as primary risks, with 60% viewing security as the main barrier to adoption. Despite this, 29% prioritize securing agentic AI as a top strategic goal for the coming year.
Adoption varies by region and industry, with North America leading (61% piloting/producing), followed by APJC (53%) and EMEA (48%). Financial Services, Technology, Manufacturing, and Healthcare are the fastest adopters, though their highly regulated nature contributes to cautious scaling. Internal-facing deployments—such as IT operations, SecOps, and financial analysis—dominate production, while customer-facing agents remain largely in pilot due to risks of exploitation, non-deterministic behavior, and potential harm. The lack of clear ownership (CISO, CIO, AI committees, or none) further complicates scaling, as fragmented accountability undermines consistent security enforcement. The path forward requires evolving Zero Trust models from identity-based to action-based controls, embedding guardrails early to balance innovation with risk management.
Full Take
The strongest version of this narrative acknowledges a genuine tension: agentic AI’s operational potential is undeniable, but its security risks are structural, not incidental. The 85%-versus-5% chasm isn’t just a lag—it’s a signal that trust gaps are hardening into systemic bottlenecks. The article deserves credit for avoiding hype, instead framing security as both a roadblock and a strategic priority, a duality that reflects real-world ambiguity. It also highlights a critical shift in Zero Trust—from "who you are" to "what you do"—which is a principled evolution in access control philosophy.
Yet patterns of subtle framing emerge. The repeated emphasis on "frenemy" dynamics (security as both barrier and priority) risks normalizing tension as inevitable rather than solvable. The focus on "non-deterministic behavior" in customer-facing agents leans into fear appeals, though the concern is valid. More problematic is the fragmented ownership data (CISO/CIO/committee/no one), presented as a neutral fact but implicitly reinforcing the narrative that governance chaos is an unavoidable phase of innovation. This echoes the classic "move fast and break things" paradigm, where structural risks are treated as teething problems rather than design flaws.
Root cause: The narrative assumes that scaling agentic AI is primarily a technical challenge (guardrails, Zero Trust) rather than a governance one. The unstated assumption is that autonomy can be "contained" with better controls, but history suggests that complex systems often outpace their safeguards. Who benefits? Vendors like Cisco, positioning themselves as the solution to a problem they’ve helped define. Who bears costs? Organizations caught between innovation pressure and liability exposure, and end-users interacting with untested autonomous systems.
Implications for human agency: If security remains an afterthought in design, autonomy will default to the interests of those who control the guardrails. Second-order consequences include regulatory whiplash (as industries demand standards post-crisis) and erosion of public trust if customer-facing agents fail spectacularly.
Bridge questions: What would a governance-first approach to agentic AI look like, where security isn’t bolted on but baked into ownership structures? How might the 5% production rate change if liability frameworks were clarified before deployment? And if internal agents are succeeding where customer-facing ones stall, what does that reveal about the limits of autonomy in unpredictable environments?
Counterstrike scan: A coordinated influence campaign would amplify the "security vs. innovation" false binary, using fear of being left behind to rush adoption while positioning a single vendor as the sole solution. This article avoids that trap—it acknowledges risks without exploiting them and presents Cisco’s role as one of many possible paths. No structural alignment with manipulation detected.
Patterns detected: ARC-0024 Ambiguity (framing security as both problem and solution without resolving the tension), ARC-0043 Motte-and-Bailey (implying governance chaos is temporary when it may be systemic).
Sentinel — Human
The article exhibits strong human characteristics, including stylistic idiosyncrasies, passionate emphasis, and domain-specific insights, with no clear signs of synthetic generation.
