Forrester isn't exactly known for hyperbole. So when the firm's 2026 Cybersecurity and Risk report states — flatly, with supporting data — that an agentic AI deployment will cause a major public breach this year, it's worth sitting with that for a moment.
Not a data leak from a phishing email. Not a ransomware attack from a nation-state actor. A breach caused by your own AI agents. Deployed internally. By your own team.
That's the uncomfortable reality we're now navigating.
The Problem Isn't What You Think
Most enterprise security conversations still treat AI as a content tool — something that writes code, summarises documents, or answers employee questions. Through that lens, the risk profile looks manageable: prompt injection here, data leakage there, maybe some copyright headaches.
But that's not what agentic AI is.
Agentic AI systems don't just generate output. They take action. A modern AI agent can access your CRM, query your database, call external APIs, send emails on behalf of employees, modify configurations, and trigger downstream workflows — all without a human reviewing each step. Chain a few of these agents together in a workflow and you've got something that can cause real operational damage before anyone realises something has gone wrong.
The gap between "AI generates text" and "AI takes autonomous action" is enormous from a security perspective. And most enterprises haven't caught up.
The Numbers Are Hard to Ignore
Forrester's prediction isn't speculative. It's grounded in data that's already visible:
- **63% of organisations lack AI governance policies** — meaning the majority of companies deploying AI agents have no framework for what those agents are allowed to do
- **97% of organisations that have already experienced AI-related breaches lacked proper AI access controls** — nearly universal
- **80% of security teams report observing risky behaviour from deployed AI agents** in their own environments
- **48% of cybersecurity professionals now identify agentic AI as the number one attack vector for 2026**, according to a Dark Reading poll — ahead of deepfakes, advanced persistent threats, and supply chain attacks
This isn't a future risk. The conditions for the breach Forrester predicts already exist inside most large enterprises today.
Three Ways It Goes Wrong
Forrester identifies three primary breach scenarios. They're not exotic — they're the kind of thing that happens when speed beats governance.
Excessive data access without zero trust. When teams deploy agents quickly, they often grant broad permissions to make the agent "work" without friction. The agent gets read/write access to databases, file systems, CRM records. Nobody thinks through what happens if that agent is manipulated — or simply misconfigured. A single prompt injection attack against an over-permissioned agent can exfiltrate months of customer data.
Compromised DevOps and infrastructure agents. AI agents that touch CI/CD pipelines, cloud configurations, or infrastructure tooling are particularly high-value targets. A compromised agent with access to your deployment pipeline could delete production infrastructure, push malicious code, or open persistent backdoors. The blast radius is enormous.
Cascading failures across chained workflows. This one is subtle. When you chain multiple agents together — agent A calls agent B, which triggers agent C — a failure or compromise at one point can propagate through the whole system. Forrester describes these as "cascade failures rather than single points of compromise." By the time anyone notices, the damage has spread across multiple systems and the audit trail is fragmented.
Enterprises Are Breaching Themselves
This is the part of Forrester's prediction that security leaders should find most alarming: the predicted breach won't come from a sophisticated external attacker. It will come from internal deployment decisions made without proper governance.
Competitive pressure is real. Finance teams want AI that automates reconciliation. HR teams want agents that process applications. Engineering teams are building copilots, DevOps automations, and internal tools using whatever AI framework ships fastest. The pressure to "just get it working" is enormous.
Shadow AI compounds this. Employees are already importing unsanctioned tools without security review. More than a third of data breaches now involve unmanaged shadow data. Add autonomous agents to that environment and you've got a situation where AI systems are operating in your network with elevated permissions, connecting to external services, and acting on your behalf — and your security team has no visibility into any of it.
That's not a vulnerability gap. That's a governance gap.
What Actually Needs to Change
There are three things security leaders need to address before the breach Forrester predicts lands on their watch.
Get visibility first. You cannot govern what you cannot see. Before anything else, you need an accurate inventory of every AI tool and agent in your environment — including the ones nobody officially approved. Shadow AI discovery isn't optional at this point; it's the foundation everything else sits on.
Apply least-privilege to agents, not just humans. Most identity governance frameworks were built for human users. AI agents are non-human identities with API access, machine-to-machine authentication requirements, and elevated permissions that bypass the normal user access review process. Zero-trust principles need to be applied to agents as rigorously as they are to human users — that means scoped permissions, time-limited access, and regular audits.
Build governance before you build the agent. This is the behavioural change that's hardest to drive. The instinct is to build first and add guardrails later. But with agentic AI, by the time you're adding guardrails, the agent is already in production with access to live data. Security teams need a seat at the table before the first line of agent code is written — not after the first incident.
The Question Isn't If. It's Who.
IBM X-Force reported a 44% surge in AI-enabled exploits in 2026. GenAI usage in enterprises has tripled over the past two years while data policy violations have doubled. The infrastructure for an agentic AI breach isn't theoretical — it exists in most large enterprises right now.
Forrester's prediction will come true. The question is whether it happens to your organisation or your competitor's.
The companies that avoid making headlines this year will be the ones that treated AI governance as infrastructure — not as a compliance checkbox they'll get to eventually.
---
Aona helps enterprises discover every AI tool and agent in their environment, apply policy-driven guardrails, and get visibility before incidents happen. If you want to understand what AI agents are operating in your organisation right now, [book a demo](/book-demo).
