Enterprises are deploying AI agents at pace, but without the governance foundations needed to trust them. That is the central finding of AvePoint’s third annual State of AI Report, published today, which paints a stark picture of widening visibility gaps, misplaced confidence, and compounding data risk as agentic AI embeds itself into everyday working life.
The report, conducted in partnership with Osterman Research and drawing on responses from 750 enterprise leaders across the Americas, EMEA, and APAC, finds that almost half of global employees – 46.9% – now rely on AI agents daily or weekly. Yet 88.4% of organisations experienced at least one agent-related security incident in the past twelve months. The disconnect between adoption and readiness has rarely been so stark.
A Visibility Crisis in the Making
Perhaps the most alarming finding in the report is how quickly organisations are losing sight of what their employees are doing with AI. One in five organisations – 21.1% – now cannot determine whether employees are using unsanctioned tools to create AI agents. For generative AI more broadly, the equivalent figure has nearly tripled in a single year, rising from 6.3% in 2025 to 17.6% in 2026.
The implications are significant. Without visibility, governance is impossible. And without governance, the confidence many organisations express about their AI security posture is, at best, misplaced.
The data makes this uncomfortably clear. More than four in five organisations – 82.7% – report being “very” or “extremely” confident in their ability to prevent unauthorised AI-related data access. Yet 72% of the “very confident” group and 62% of the “extremely confident” group experienced an unauthorised access incident in the past twelve months. Confidence, it turns out, is not the same as control.
Breaches Are Becoming the Norm
The scale of AI-related security failures has reached a point where breaches can no longer be considered isolated incidents. In 2025, 75.1% of organisations reported at least one generative AI-related security breach. In 2026, that figure has risen to 89.5% – a level that points to systemic governance failure rather than individual lapses.
“These days, everyone talks about how powerful AI has become, which is of course true, but this discourse has largely distracted from the fact that many organisations face basic data protection and governance issues that are exposing them to serious risks,” said Chris Shaw, Channel Director for UK and Ireland at AvePoint. “The acceleration of AI has exposed and amplified gaps in existing data protection frameworks that organizations need to fix urgently, before they adopt these new tools. Almost 9 in 10 organizations have experienced an AI-related breach in the last year, according to our research. That’s a startling figure that really shows you the scope of the problem.”
Deployment Delays Signal a Deeper Problem
The governance gap is not only creating security incidents, it is slowing AI programmes down. 86.9% of organisations delayed generative AI deployments by an average of nearly six months due to data security and management concerns. For AI agents, the figure is almost identical at 86%.
For organisations under pressure to demonstrate AI value, this is a significant finding. The constraint on enterprise AI is no longer model capability — it is trust. As AvePoint CEO and Co-Founder Dr. Tianyi Jiang (TJ) put it: “The constraint on enterprise AI is no longer model capability, but whether organisations have built a trust layer: the data readiness, visibility, governance, and enforceable control required to scale AI with confidence. Without it, speed of deployment becomes speed of exposure.”
AI Is Now Creating Its Own Data Problem
Compounding the governance challenge is a structural shift in how enterprise data is being generated. On average, 35.5% of enterprise data is now created by AI assistants — a figure expected to reach 42.1% within twelve months. At the same time, 84.1% of organisations are managing at least one petabyte of data, up from 79.2% last year, and 78.1% report that at least half of their data is more than five years old.
When AI systems consume and act on AI-generated content — including redundant, outdated, or low-quality data – governance failures compound at scale. The problem is not simply one of volume; it is one of provenance, quality, and control.
The Market Is Responding. But Is It Fast Enough?
There are signs that organisations are beginning to take the challenge seriously. The percentage doing nothing to address AI security concerns has fallen from 8.3% in 2025 to just 2.5% in 2026. Securing data used for AI training is now the top-rated future investment priority, cited by 79.5% of respondents. Third-party governance tools that monitor agent actions for policy alignment top the planned investment list for the next twelve months — capabilities at the core of what Gartner has defined as the emerging AI Agent Management Platform (AMP) category.
Yet investment intent and operational readiness remain two different things. As AvePoint CTO John Peluso observed: “Trust in AI cannot be measured by confidence alone. It requires operational foundations: visibility into what AI systems are doing, enforceable governance over the data they consume and create, and the ability to audit and correct outcomes when something goes wrong. This is what distinguishes a trust layer from a trust score.”
The Bottom Line
Three years of AvePoint’s research point to the same conclusion: the organisations that will win with AI are not those with the most capable models, but those that have built the governance foundations to deploy them safely. As agent adoption accelerates and AI-generated data multiplies, the gap between the confident and the controlled is becoming the defining fault line in enterprise AI strategy.
The full report is available at: https://www.avepoint.com/
