Shadow AI Agents Pose Security Risk: Microsoft

Nearly one-third of employees use unsanctioned AI agents for work tasks, creating security vulnerabilities most organisations cannot address, a new Microsoft report reveals.
The Cyber Pulse AI Security Report reveals that 29% of employees use unauthorised AI agents. Only 47% of organisations implement specific generative AI security controls.
Microsoft's research shows over 80% of Fortune 500 companies now deploy active agents built with low-code and no-code tools. However, rapid deployment is outpacing security and compliance frameworks, creating what Microsoft terms "shadow AI" risks.
"The dual nature of AI has arrived: extraordinary innovation paired with unprecedented risks," the report states.
Microsoft's Defender team recently identified a fraudulent campaign exploiting "memory poisoning" - an attack technique that manipulates AI assistants' memory to persistently steer responses. The company's AI Red Team documented how agents were misled by deceptive interface elements embedded in everyday content.
"We need to treat agents like humans and apply Zero Trust principles," said Vasu Jakkal, corporate vice president at Microsoft Security.
The report highlights that AI agent adoption spans all regions and industries globally. Financial services represents 11% of active agents worldwide, manufacturing accounts for 13%, and retail comprises 9% of global agent usage.
Microsoft warns that unsupervised or ungoverned AI agents threaten security, business continuity and reputation. Agents with excessive access or incorrect instructions become vulnerabilities. Bad actors can exploit these as "double agents."
The company recommends organisations establish observability through centralised registries, identity-based access controls and real-time monitoring dashboards. This includes cross-platform governance and built-in security protections.
Microsoft's seven-point governance checklist includes documenting each agent's purpose with least-privilege access. It also recommends applying data protection rules to AI channels and offering secure alternatives to curb shadow AI. Organisations should update business continuity playbooks and elevate AI risk to board-level visibility.
The report introduces Agent 365, Microsoft's unified control plane for managing AI agents across organisations. The platform provides centralised registration, governance, security observation and operation for agents built on Microsoft platforms, open-source frameworks or third-party systems.
Microsoft emphasises that organisations succeeding with AI agents prioritise observability, governance and security. This requires collaboration across IT, security, AI teams and developers through unified control platforms.
