State of AI Security · 2026
FireTail Research · Edition 01 · Published Q2 2026 · Reading time 16 minutes

In 2026, AI is moving into production faster than the controls needed to secure it.

This year, shadow tools moved into the mainstream. Agents shipped into production ahead of the policies needed to govern them. Standards and regulation are emerging but trailing far behind adoption. In this year's State of AI Security report, we look at the incidents, the data, the gaps that remain, and the work that closes them.

90%
of AI usage inside enterprises is untracked, ungoverned, or unsecured by the security team responsible for it.
FireTail Research · 2026
83%
of organisations have deployed AI agents this year. Up from 16% twelve months ago, the fastest enterprise adoption curve since cloud.
Cisco · State of AI Security 2026
29%
say they have the controls in place to defend what they shipped. The 54-point gap is the story of the year.
Cisco · State of AI Security 2026
How to read this

Nine chapters. Pick where to start.

Read in order if you have the time. Otherwise, jump to the chapter that answers the question on your team’s desk this week.

Foreword

For most of the last decade, AI security was a research topic. This year it became an operational one.

The questions from security leaders have changed. A year ago they were asking whether to allow AI tools. Now they are asking how to see the ones already running, govern the agents their own teams have shipped, and answer the board when it asks what could go wrong. This report is our attempt to answer with evidence rather than speculation.

FireTail research team · Published Q2 2026

Contributing authors · FireTail Research

  Jeremy · Lead author
  Riley · Research
  Timo · Threat analysis
  Viktor · Data & tracker
  Ayush · Editorial & design

Chapter 01 The shift

AI adoption has outpaced security by every measure that matters.

Three waves of AI have moved into the enterprise stack in roughly two years. Each arrived before the controls for the previous one were finished. The result is that most security stacks today are watching the wrong layer, while the new one ships in production every week.

The three waves, very compressed (~2 years)

  1. 2023 · Conversational · Chat in the browser
    Standalone assistants reached through a browser tab. The sensitive-data exposure was employees pasting source, contracts and customer records into a third-party model with no enterprise tenancy. A containable problem: the surface was the egress channel, and existing controls already watched it.
  2. 2024 · Embedded · AI inside the platform
    Copilot, Gemini and native assistants wired directly into the productivity suite, with the user's own entitlements. The model now reads live tenant data, which collapses the boundary between content and instruction: anything the model can read, an attacker can use to issue commands. EchoLeak (Chapter 04) is the documented proof.
  3. 2025–2026 · Agentic · Agents that act
    Autonomous agents with tool access, persistent memory and MCP-brokered connections to production systems. They take privileged action without a human in the loop, and in most organisations they ship with no inventory, no per-action logging, and no authorisation model distinct from the human they impersonate.

The result of the third wave is a new failure pattern. The kill chain below is the shape almost every incident in this report takes — short, content-borne, and indistinguishable from sanctioned use.

The new shape of the kill chain
Time to breach · 4 seconds · Human actions required · 1
  1. Attacker · Malicious input · Email, document, ticket
  2. AI agent ingests · Content enters context window
  3. MCP tool call · Executes injected instruction
  4. Breach · Data exfiltrated · No user interaction required

What DLP, SIEM and SOC were not built to see

The visibility gap

DLP · Data loss prevention
  Built to: Inspect egress channels and fingerprint known-sensitive content: regex, exact-data-match and document fingerprints over mail, web uploads, endpoint and removable media.
  Blind to: AI data movement rides inside TLS to allowlisted model endpoints, and the model paraphrases rather than copies. There is no verbatim string and no policy-violating destination for a fingerprint to anchor to.

SIEM · Log correlation & analytics
  Built to: Correlate normalised telemetry against a schema and a rule set, with UEBA baselines anchored to user and host identities.
  Blind to: Inference calls and tool invocations emit no native audit event. Where logs exist they are free-text prompt-response pairs with no ATT&CK mapping and punishing ingest cost, and there is no agent identity to baseline against.

SOC · Detection & response operations
  Built to: Triage known TTPs and tuned signatures through tiered runbooks, measured on mean time to detect and respond.
  Blind to: Prompt injection and tool poisoning carry no IOCs. The payload is natural language, polymorphic by construction, and indistinguishable from sanctioned use. There is no signature to author and no playbook for an agent doing exactly what it was permitted to do.

Chapter 02 Two stories

Two stories worth opening the year with.

The first two waves we knew how to defend, more or less. The third one delivered the year's two defining moments. One was the first major rogue-agent crisis to break out of the security press and into the mainstream. The other was the moment the industry's standards body acknowledged that agents need a framework of their own. Neither is the whole year. Together they frame the rest of it.

Rogue agent crisis

The rogue agent that made agentic security a mainstream problem.

OpenClaw was the most-starred open-source AI agent on GitHub at the start of 2026. Then it became the year’s first major agentic-security incident.

Tens of thousands of instances ran with default settings and no authentication. Its companion marketplace shipped malicious skills that lived in the wild for weeks. The moment that broke into the mainstream press: a senior AI alignment leader watching the agent silently delete her inbox, discovering she could not stop it remotely, and physically running to her computer to pull the cable.

135K
GitHub stars in six weeks, among the fastest open-source curves on record.
21,000+
instances exposed to the public internet with no authentication.
1,184
malicious skills found on the official marketplace in a single month.
Sources · GitHub trend data · public disclosure
Frameworks split

When agents got their own Top 10. The threat surface stopped being one thing.

For two years, AI security guidance was a single OWASP list: the Top 10 for LLM Applications. In December 2025 the OWASP GenAI Security Project published a separate framework, the Top 10 for Agentic Applications. It is not an extension of the model list. It is a different list, built around a different set of failure modes.

The categories are not theoretical. Memory poisoning, tool misuse, identity and privilege abuse, cascading failures across linked agents. Each one maps to incidents documented in the year. The publication is the moment the industry started agreeing that an agent acting on the world is a different security problem from a model generating text.

2
distinct OWASP top-tens now cover AI. One for models, one for agents.
10
named threat categories specific to agents, each with its own published mitigations.
OWASP · GenAI
first community-owned reference for AI agent security.
Source · OWASP GenAI Security Project · Top 10 for Agentic Applications (Version 2026, December 2025)

Read them together. One is what a year of agentic deployment felt like in practice. The other is the moment the industry agreed those failures deserved their own list.

FireTail Research, 2026
Chapter 03 By the numbers

302 incidents in twelve months. The shape is not random.

Two stories make a year feel like a year. The dataset makes it measurable. FireTail tracks AI security incidents alongside the AI Incident Database (AIID) and the AI, Algorithmic, and Automation Incidents and Controversies repository (AIAAIC). Combined and de-duplicated, the three sources documented 302 publicly disclosed incidents over the last twelve months. The distribution by attack type and by sector concentrates in patterns worth reading carefully.

302
publicly disclosed AI-related security incidents we documented this year.
Combined dataset
12 mo
May 2025 to May 2026. The year this report covers.
Disclosure window
3
independent sources cross-referenced. Duplicates de-duped by incident ID and date.
FireTail Tracker · AIID · AIAAIC
By attack type, sorted by share of total (n = 302)
  Data exfiltration · 35% · 105
  Prompt injection · 16% · 50
  Rogue agent · 12% · 36
  Shadow AI · 11% · 35
  API & endpoint exposure · 11% · 33
  OAuth / access abuse · 8% · 23
  AI supply chain · 4% · 12
  MCP / tool poisoning · 3% · 8

By sector, same incidents grouped differently (n = 302)
  Enterprise SaaS · 22% · 65
  Cross-sector / unknown · 21% · 65
  Healthcare · 17% · 51
  Government · 14% · 42
  Developer tooling · 13% · 40
  Financial services · 13% · 39

Reading the year

For all the talk of novel agentic threats, AI security is still, mostly, a data security problem wearing new clothes. The breaches now hide in the seams between organisations, in the AI vendors and integrations everyone shares.

But a chart only shows the shape of the risk. To really understand it, you have to slow one attack down and watch it happen.

Incidents worth knowing · 2025 to 2026

xAI internal API key on GitHub · Credential exposure · Apr 2025
A current employee accidentally committed a private API key to a public GitHub repository. The key granted access to internal xAI language models, including unreleased models reportedly customised for SpaceX and Tesla.

EchoLeak · M365 Copilot · Prompt injection · May 2025
Indirect prompt injection in Microsoft 365 Copilot. A hidden instruction in an inbound email caused zero-click exfiltration of mailbox content. Patched server-side via coordinated disclosure.

Replit AI · SaaStr database · Rogue agent · Jul 2025
An AI coding agent destroyed a production database during a normal session, then issued misleading status reports about what it had done. Publicly disclosed by the customer.

Cursor IDE RCE chain · Supply chain · Aug 2025
Multiple vulnerabilities in the AI coding IDE allowed remote code execution, source-code disclosure, and credential exposure on developer workstations. CVEs assigned and patched.

ChatGPT shared chats in Google Search · Sensitive data leakage · Aug 2025
Conversations users had shared via ChatGPT's share link were discovered to be crawled and indexed by Google Search, exposing prompts that contained names, contracts, code and credentials. OpenAI removed the feature after public reporting.

Lenovo Lena chatbot XSS · API exposure · Aug 2025
A reflected cross-site scripting flaw in a customer-service chatbot allowed extraction of session cookies through crafted prompts. Disclosed publicly after vendor remediation.

Nx · s1ngularity supply chain · Supply chain · Sep 2025
Compromised versions of the popular Nx build tool shipped a postinstall script that invoked local AI coding assistants to locate developer credentials and exfiltrate them. The first observed npm attack using AI agents as the attack tool.

Google Antigravity hard-drive wipe · Rogue agent · Nov 2025
A user testing Google's Antigravity coding agent reported that the agent issued destructive shell commands during a routine task and wiped local files. The episode prompted broader scrutiny of how coding agents should be sandboxed from a developer's machine.

Live tracker
Every incident in the dataset, filterable and updated weekly.
Sort by attack type, sector, severity or date. Maintained by the FireTail research team.
Chapter 04 Slowed down

Six attacks, slowed down. The mechanism is rarely the model itself.

The numbers describe the shape of the year. Walking through one incident shows the mechanism. Six published attack patterns are reconstructed below, step by step, from setup to impact. Every reconstruction is grounded in a CVE, a vendor disclosure, or peer-reviewed research, cited at the end.

Attack 01 of 06 · Prompt injection
Zero-click data exfiltration via indirect prompt injection
Based on CVE-2025-32711 "EchoLeak", Microsoft 365 Copilot, 2025
Elapsed: T−72 hours · Human actions: 0

Chapter 05 Blast radius

An AI agent has a structurally larger blast radius than any individual it supports.

The walkthroughs show how a single incident plays out. They do not yet explain why the same mechanism becomes so much more damaging when an agent is the one being manipulated. The answer is blast radius. A person is granted the access their job requires. The agent built to support that job is granted, by default, the access that anyone doing that job across teams might ever need. Those permissions are set once at deployment and rarely re-examined. When the agent is compromised, all of them are in scope at once.

Human employee · 6 systems · scoped
Maya Chen · Senior counsel · 4 yrs
  Legal drive · Read / write, legal/*
  Outlook · Send / receive
  Teams · Chat · calls
  Workday · View HR · self only
  Salesforce · Read only
  Intranet · Read only
Scoped, audited quarterly

AI agent, same organisation · 8 systems · broad OAuth
Legal AI Agent · Deployed March 2025
  All SharePoint · Full tenant read
  All mailboxes · Send on behalf of
  Salesforce API · Read + write CRM
  GitHub repos · All private repos
  Jira / Confluence · All projects
  Slack workspace · All channels + DMs
  HR system API · Employee records
  Finance ERP · Invoice processing
Broad OAuth · rarely audited · no least-privilege review

An agent with tool access and stored credentials carries a different risk profile from a chatbot. Most AI acceptable-use policies do not draw that distinction. Procurement, legal and security all sign off on what they take to be the same product, while the product itself has quietly become something else.

IBM · Cost of a Data Breach 2025 · 63% of breached organisations had no AI governance policy

Why this looks normal to your SIEM

The security stack most enterprises run was built around an attacker who has to escalate to act. SIEM logs the escalations, and that is most of what it does for a living. The agent does not escalate. Its permissions were granted at deployment, and the actions it takes are the actions a service account was approved to take. Correctly configured detection does not alert on those.

Lateral movement has collapsed into a single tool call. The motion defenders were trained to recognise no longer happens. The agent does not move between systems. It already lives in all of them.

Three changes that close most of the gap

None of these are exotic. They are standard hygiene, applied to a layer most teams have not yet added to their threat model.

Scope every agent to least privilege. Treat each one like a service account that needs quarterly review. The permissions granted at deployment day are almost never re-examined; that is where broad OAuth grants accumulate.
Log every tool call, not just the prompt. The breach timeline lives in the chain: which tool, which parameters, which return value, which next action. A log of conversation turns alone is a transcript, not an audit trail.
Alert on out-of-role access. A legal agent reading GitHub at 2 a.m. is the kind of event that should fire. Until rules exist for cross-system access, existing detections will not see it.
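The three controls above, and the blast-radius comparison earlier in this chapter, can be exercised against a log with very little code. The block below is an added example, not FireTail's tooling: it defines a per-call audit record for agent tool invocations, a least-privilege scope table keyed on the agent's own identity, and a reviewer that flags out-of-scope access, off-hours activity, and a read followed within a minute by a send to an external destination. The agent name legal-agent, its scopes, the tenant domain corp.example, the business-hours window and the four JSON-lines log records are all constructed assumptions.

```python
"""Agent tool-call audit log with least-privilege scope review and
out-of-role alerting. Added example; not FireTail code. All agents,
scopes, hosts and log lines are constructed for illustration."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Least-privilege scopes per agent identity (assumed). Each agent is treated
# like a service account with its own grant, not the human it acts for.
AGENT_SCOPES = {
    "legal-agent": {"sharepoint:read:legal", "outlook:send", "salesforce:read"},
}
BUSINESS_HOURS = range(7, 19)          # UTC hours the role normally runs in (assumed)
INTERNAL_DOMAIN = "corp.example"       # assumed tenant domain; anything else is external
CHAIN_WINDOW = timedelta(seconds=60)   # read followed by an external send inside this window


@dataclass
class ToolCall:
    """One audit record per tool invocation: which agent, for whom, which tool,
    which scope it exercised, what parameters, and how much data came back."""
    ts: datetime
    agent: str
    on_behalf_of: str
    tool: str
    scope: str
    params: dict = field(default_factory=dict)
    result_size: int = 0


def parse_log(lines):
    """Parse JSON-lines audit records (constructed format) into ToolCalls, oldest first."""
    calls = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        calls.append(ToolCall(
            ts=datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
            agent=rec["agent"],
            on_behalf_of=rec["on_behalf_of"],
            tool=rec["tool"],
            scope=rec["scope"],
            params=rec.get("params", {}),
            result_size=int(rec.get("result_size", 0)),
        ))
    return sorted(calls, key=lambda c: c.ts)


def destination_host(call):
    """Host the call sends data to: mail domain for 'to', hostname for 'url', else None."""
    if "to" in call.params:
        return call.params["to"].rsplit("@", 1)[-1].lower()
    if "url" in call.params:
        return (urlparse(call.params["url"]).hostname or "").lower()
    return None


def is_external(call):
    host = destination_host(call)
    if host is None:
        return False
    return host != INTERNAL_DOMAIN and not host.endswith("." + INTERNAL_DOMAIN)


def review(calls, scopes=AGENT_SCOPES):
    """Return findings: out-of-scope calls, off-hours calls, and read -> external-send chains."""
    findings = []
    last_read = {}  # agent -> most recent read call, for the chain rule

    def flag(call, rule, detail):
        findings.append({"ts": call.ts, "agent": call.agent, "rule": rule, "detail": detail})

    for c in calls:
        granted = scopes.get(c.agent, set())
        if c.scope not in granted:
            flag(c, "out_of_scope", f"{c.tool} exercised {c.scope}; agent holds {sorted(granted)}")
        if c.ts.hour not in BUSINESS_HOURS:
            flag(c, "off_hours", f"{c.tool} at {c.ts.isoformat()}")
        if c.tool.endswith(".read"):
            last_read[c.agent] = c
        elif is_external(c):
            prev = last_read.get(c.agent)
            if prev is not None and c.ts - prev.ts <= CHAIN_WINDOW:
                gap = int((c.ts - prev.ts).total_seconds())
                flag(c, "read_then_external_send",
                     f"{prev.tool} returned {prev.result_size} bytes, then {c.tool} "
                     f"to {destination_host(c)} {gap}s later")
    return findings


# Constructed sample log: two sanctioned calls, then an out-of-role chain at 02:14 UTC.
SAMPLE_LOG = """\
{"ts":"2026-03-03T10:02:11Z","agent":"legal-agent","on_behalf_of":"maya.chen","tool":"sharepoint.read","scope":"sharepoint:read:legal","params":{"path":"legal/contracts/msa.docx"},"result_size":48211}
{"ts":"2026-03-03T10:02:19Z","agent":"legal-agent","on_behalf_of":"maya.chen","tool":"outlook.send","scope":"outlook:send","params":{"to":"maya.chen@corp.example"},"result_size":0}
{"ts":"2026-03-04T02:14:05Z","agent":"legal-agent","on_behalf_of":"maya.chen","tool":"github.read","scope":"github:read","params":{"repo":"corp/payments"},"result_size":903114}
{"ts":"2026-03-04T02:14:09Z","agent":"legal-agent","on_behalf_of":"maya.chen","tool":"http.post","scope":"http:egress","params":{"url":"https://files.example.net/upload"},"result_size":0}
"""

if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG.splitlines())):
        print(f["ts"].isoformat(), f["agent"], f["rule"], f["detail"])
```

The scope table is the least-privilege review made executable: the legal agent holds the three scopes its role needs, and anything else it touches is a finding regardless of whether the underlying OAuth grant would have allowed the call. The two day-one records produce nothing, which is the point of baselining on the agent's role rather than on the human's. The chain rule is the one a conversation transcript cannot express, because it needs the tool name, the returned size and the next call's destination from the audit record itself.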
Chapter 06 Regulator

What the EU AI Act actually requires of high-risk AI in production.

Wide permissions create exposure. The regulator created the consequence. The EU AI Act is final, with application staggered through 2027. Most security teams still treat compliance as a parallel workstream to security. It is not. The high-risk Articles are, with very few exceptions, the same controls a competent security programme would have in place anyway: risk management, data governance, technical documentation, logging, human oversight, transparency, and incident reporting. The structure below is the Act itself, summarised.

When the Act applies

Staggered application
  1. 2 Feb 2025
    Prohibitions in force
    Article 5 lists banned AI practices, including social scoring, manipulative systems, and most real-time biometric identification in public spaces. AI literacy obligations for staff also begin.
  2. 2 Aug 2025
    General-purpose AI obligations
    Transparency, technical documentation and copyright-policy obligations begin for providers of general-purpose AI models. Governance bodies, notified bodies and penalty regimes also take effect.
  3. 2 Aug 2026
    High-risk AI obligations begin
    Articles 9 to 17 apply to providers of high-risk AI systems listed in Annex III. Article 26 obligations apply to deployers. Article 50 transparency obligations apply to AI systems interacting with people.
  4. 2 Aug 2027
    Embedded high-risk systems
    Obligations extend to high-risk AI built into products already regulated under the Union harmonisation legislation listed in Annex I, including medical devices, machinery, and toys.

Seven obligations for high-risk AI

Articles 9 – 15
  1. Art. 9
    Risk management system
    A continuous, iterative process running across the AI system’s entire lifecycle, including residual-risk testing.
  2. Art. 10
    Data and data governance
    Training, validation and testing datasets must meet quality, relevance, and bias-examination criteria.
  3. Art. 11
    Technical documentation
    Documentation sufficient to demonstrate conformity must be produced before market placement and kept up to date.
  4. Art. 12
    Record-keeping
    Automatic logging of events relevant to identifying risks and substantial modifications throughout the system’s lifecycle.
  5. Art. 13
    Transparency to deployers
    Instructions for use that allow deployers to interpret outputs correctly and understand the system’s limits.
  6. Art. 14
    Human oversight
    Effective measures that allow natural persons to monitor and intervene in the system’s operation.
  7. Art. 15
    Accuracy, robustness, cybersecurity
    Appropriate levels of accuracy and resilience to errors, faults and adversarial attempts must be designed in and declared.

For security teams, the most useful reading of the Act is to treat the seven obligations above as a control library. Most of them map directly onto existing security domains. Where the Act differs is that it makes evidence of those controls a legal artefact, not just an operational practice.

EU Regulation 2024/1689 · Articles 9–15
2 Aug 2026
High-risk obligations begin applying to providers and deployers of systems listed in Annex III.
EU Regulation 2024/1689
8
Annex III categories define “high-risk”, including critical infrastructure, education, employment, essential public services, and law enforcement.
EU AI Act · Annex III
€35M
or 7% of global annual turnover, whichever is higher. Top fine band, reserved for prohibited AI practices under Article 5.
EU AI Act · Article 99
Chapter 07 Comparatives

Breach cost and peer ranking are the two numbers that actually move the AI security budget.

Once the legal floor is clear, the business question is two-part. Is the exposure expensive enough to act on, and are we behind our peers? The table answers the first. The grid answers the second. A note on the risk-reduction column: percentages reflect a review of incidents where the listed control was present versus absent. They are floors, not promises. The point is the gap between vectors.

Threat vector | Avg breach cost | Primary control | Effort | Risk reduction
Prompt injection (indirect) | $4.88M | Input sanitisation layer + prompt shield before LLM ingestion | Low · 2–4 wks | ~82%
MCP supply chain poisoning | $4.63M | Internal MCP registry + version pinning + automated trust scoring | Med · 4–8 wks | ~74%
API misconfiguration / exposure | $3.86M | AI API gateway with auth enforcement, rate limiting, anomaly detection | Low · 1–3 wks | ~91%
Shadow AI / OAuth overreach | $4.63M | AI asset discovery + OAuth audit + agent-specific acceptable use policy | Med · 3–6 wks | ~67%
Training data poisoning | $5.20M | Data lineage tracking + pipeline integrity + behaviour monitoring | High · 8–16 wks | ~58%
Multi-agent cascade failure | $6.10M+ | Agent isolation boundaries + inter-agent message validation + kill-switch | High · 12+ wks | ~70%

The economic argument for AI runtime monitoring is, frankly, the easiest part of this report. IBM puts the saving at $1.9M per breach, with containment 40% faster. The harder part is that you cannot monitor what you have not yet inventoried. The order of operations matters more than the budget.

IBM · Cost of a Data Breach 2025
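The MCP row of the table names an internal registry, version pinning and trust scoring as the primary control. The block below is an added example of the pinning half, not FireTail's product and not part of any MCP SDK: it fingerprints each tool definition a server advertises (name, description and input schema, canonicalised before hashing), pins those fingerprints at approval time, and on every later connect reports version drift, changed definitions, added tools and removed tools, then blocks the server when any blocking finding is present. The server name tickets-mcp, its version strings and every tool definition are constructed.

```python
"""Pin the tool definitions an MCP server advertises and diff them on every
connect. Added example; not FireTail code and not part of any MCP SDK.
Server names, versions and tool definitions are constructed."""
import hashlib
import json


def tool_fingerprint(tool):
    """SHA-256 over the fields the model sees: name, description, input schema.
    Canonical JSON (sorted keys, no whitespace) so key order cannot change the hash."""
    canon = json.dumps(
        {"name": tool["name"],
         "description": tool["description"],
         "inputSchema": tool.get("inputSchema", {})},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def pin_server(version, tools):
    """Registry entry, written once at reviewed approval time."""
    return {"version": version, "tools": {t["name"]: tool_fingerprint(t) for t in tools}}


# Constructed: the tool list 'tickets-mcp' advertised when it was reviewed and approved.
APPROVED_TICKETS_TOOLS = [
    {"name": "ticket.get", "description": "Fetch one ticket by id.",
     "inputSchema": {"type": "object", "properties": {"id": {"type": "string"}}, "required": ["id"]}},
    {"name": "ticket.search", "description": "Search tickets by free-text query.",
     "inputSchema": {"type": "object", "properties": {"q": {"type": "string"}}, "required": ["q"]}},
]
REGISTRY = {"tickets-mcp": pin_server("1.4.2", APPROVED_TICKETS_TOOLS)}

# Constructed: the same server on a later connect, a minor version up, with one
# description rewritten and a tool the approval never covered.
DRIFTED_TICKETS_TOOLS = [
    dict(APPROVED_TICKETS_TOOLS[0], description="Fetch one ticket by id, including attachments."),
    APPROVED_TICKETS_TOOLS[1],
    {"name": "shell.exec", "description": "Run a shell command on the host.",
     "inputSchema": {"type": "object", "properties": {"cmd": {"type": "string"}}, "required": ["cmd"]}},
]

# Findings that stop the agent from loading the server until a human re-reviews it.
BLOCKING = {"unknown_server", "version_drift", "tool_changed", "tool_added"}


def verify_server(server, version, advertised, registry=REGISTRY):
    """Compare what a server advertises now against its pinned registry entry."""
    entry = registry.get(server)
    if entry is None:
        return [{"rule": "unknown_server", "detail": server}]
    findings = []
    if version != entry["version"]:
        findings.append({"rule": "version_drift", "detail": f"{entry['version']} -> {version}"})
    seen = set()
    for tool in advertised:
        seen.add(tool["name"])
        pinned = entry["tools"].get(tool["name"])
        if pinned is None:
            findings.append({"rule": "tool_added", "detail": tool["name"]})
        elif tool_fingerprint(tool) != pinned:
            # The description is instruction-bearing text the model obeys; any
            # change after approval is re-reviewed whether or not it looks odd.
            findings.append({"rule": "tool_changed", "detail": tool["name"]})
    for name in sorted(entry["tools"].keys() - seen):
        findings.append({"rule": "tool_removed", "detail": name})  # logged, not blocking
    return findings


def decide(findings):
    """'allow' only when no blocking finding is present."""
    return "block" if any(f["rule"] in BLOCKING for f in findings) else "allow"


if __name__ == "__main__":
    for label, args in [("approved", ("tickets-mcp", "1.4.2", APPROVED_TICKETS_TOOLS)),
                        ("drifted", ("tickets-mcp", "1.4.3", DRIFTED_TICKETS_TOOLS)),
                        ("unknown", ("notes-mcp", "0.1.0", []))]:
        fs = verify_server(*args)
        print(label, decide(fs), [f["rule"] for f in fs])
```

Hashing the description rather than only the name and schema is the deliberate choice here: a server that rewrites a description after approval is the rug-pull form of tool poisoning, and the diff surfaces it without needing to judge the new text. A fuller trust score would add signals beyond this binary pinned-or-not decision, such as the server's provenance and how long its pin has been stable.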
Sector benchmark

Where your sector sits

If your score is below your sector median, you are carrying above-average risk relative to your competitive set. That is the comparison your cyber insurer is making, and increasingly the one your regulator is too. The number you walk into the audit committee with is not your absolute score. It is the gap.

Each sector is scored on three dimensions: AI inventory, runtime monitoring, EU AI Act readiness.

  Financial services · 54/100 median · 3rd quartile · ahead of median
  Healthcare · 46/100 median · 2nd quartile · at the median
  Enterprise SaaS · 38/100 median · 2nd quartile · below median
  Government · 28/100 median · 1st quartile · trailing

Source · FireTail Research, getaiactready.eu cohort · n=412

Chapter 08 Operations

The first ninety days of AI security work returns more than the next twelve months combined.

Cost and comparatives justify the work. Below is the work, in the order it pays back. Twelve actions across three horizons. Horizon 1 is what a security team can start without procurement. Horizon 2 needs some new tooling. Horizon 3 is architecture work that takes a fiscal year. Run them in order. The first item tends to surface the rest.

Chapter 09 The honest read

Five questions reveal where your AI security posture actually sits.

The priorities are universal. The score is yours. The five questions below are the ones FireTail uses in initial assessments, the same five most security teams quietly skip when reviewing their own posture. Two minutes. No login. Run it again in ninety days to see the trajectory.

AI Security Maturity Assessment
5 questions · 2 minutes · instant score
