88% of organizations deploying AI agents have experienced confirmed or suspected security incidents in the past year.
That's not a projection from a vendor whitepaper — it's survey data from Gravitee's State of AI Agent Security 2026 report, covering 900+ respondents across industries. In healthcare, the number is 92.7%.
The most striking finding isn't the incident rate. It's the gap that makes it inevitable: 81% of teams are deploying agents, but only 14.4% have full security approval gates in place.
More than half of all AI agents in production operate without any security oversight or logging.
The Confidence Paradox
82% of executives surveyed said they were confident their organization's AI agent security was adequate.
Their own technical teams disagreed. The data shows:
- 47.1% of deployed agents are actively monitored or secured
- 52.9% operate with no security oversight or logging
- 14.4% of deployments have full approval workflows before agents go live
- 85.6% of agents reach production without a complete security review
This is the confidence paradox: leadership believes the problem is handled because agents are shipping. Engineering knows the problem isn't handled because nothing checked those agents before they shipped.
Where the Gap Lives
The approval gap isn't about missing policies. Most organizations have security policies for software deployment. The gap is that AI agent skills, MCP servers, and plugins bypass those policies because they don't look like traditional software deployments.
A developer adding an MCP server to their agent stack isn't filing a deployment ticket. They're running npm install or pasting a URL into a config file. The skill fetches tools, reads files, makes API calls — all with the permissions of the agent that loaded it.
No security review. No approval gate. No scan.
This is how 88% of organizations end up with incidents:
- Agent frameworks make it easy to add capabilities (skills, tools, MCP servers)
- Adding capabilities doesn't trigger existing security review workflows
- Some percentage of those capabilities are malicious, over-permissioned, or vulnerable
- The malicious ones operate undetected because there's no monitoring
The fix isn't slowing down agent deployment. It's adding a check at the moment a skill is installed — before it has access to anything.
The Numbers That Should Change Your Process
From Gravitee's 2026 report and HiddenLayer's AI Threat Landscape Report:
| Metric | Value | Source |
|---|---|---|
| Orgs with AI agent security incidents | 88% | Gravitee 2026 (900+ respondents) |
| Healthcare incident rate | 92.7% | Gravitee 2026 |
| Agents with full approval gates | 14.4% | Gravitee 2026 |
| Agents with any security monitoring | 47.1% | Gravitee 2026 |
| AI breaches from supply chain compromise | 35% | HiddenLayer 2026 |
| Executives confident in their coverage | 82% | Gravitee 2026 |
| Confirmed malicious skills on ClawHub | 341 | Koi Security / ClawHavoc |
The supply chain vector is particularly relevant: 35% of AI breaches trace to compromised components in the agent's tool chain. That's not prompt injection, not user input manipulation — it's the skill itself being malicious.
Closing the Gap: Pre-Deployment Scanning
The 14.4% of organizations with full approval gates have something the other 85.6% don't: a check that runs before an agent skill reaches production.
That check needs to cover:
Supply Chain Verification (OWASP ASI04)
Is this skill from a trusted source? Does it match known malicious signatures? Is the package name a typosquat of something legitimate? Has it been scanned for credential harvesters?
Permission Scope Review (OWASP ASI02)
Does this skill request more access than its stated function requires? A text formatter shouldn't need filesystem write access. A calendar integration shouldn't read environment variables.
Secrets Detection (OWASP ASI03)
Are there hard-coded API keys, tokens, or credentials in the skill definition? These are both a direct vulnerability and an indicator of poor security practices by the skill author.
Prompt Injection Testing (OWASP ASI01)
Do the tool descriptions contain hidden instructions that could redirect agent behavior? This is the supply chain delivery mechanism for goal hijacking — the attack comes through the skill's metadata, not through user input.
How SkillShield Fills the Approval Gap
SkillShield provides the pre-deployment scanning layer that closes the gap between "agent ships" and "agent is vetted."
For individual developers:
npm install -g skillshield
skillshield scan ./SKILL.mdScan any skill definition before installing it. Results include specific findings with severity ratings and remediation guidance.
For teams:
The scored directory provides pre-scanned results for 33,746 AI extensions across six registries. Check before you install — if the skill is in the directory, its security status is already available.
For MCP servers:
The MCP scanner checks MCP servers specifically for tool poisoning, over-permissioned access, prompt injection, and supply chain risks. Free, instant.
The numbers after scanning:
| Metric | Value |
|---|---|
| Extensions scanned | 33,746 |
| Malicious entries blocked | 533 |
| Detection rate | 99.8% |
| Registries covered | 6 |
| Cost | Free |
From 14.4% to Standard Practice
The 88% incident rate isn't a technology failure. It's a process gap — agents reaching production without a security check.
The check doesn't need to be complex. It doesn't need to be a full OWASP audit (though we've written that guide too). It needs to happen before the skill gets access to your filesystem, your API keys, and your production environment.
One scan. Before install. That's the approval gate 85.6% of teams are missing.