Tai Tran

AI Agents Are Everywhere. Visibility Into Them Is Not.

AI isn’t optional anymore. It’s one of the biggest board-level initiatives at every enterprise, and it’s showing up in every budget conversation, every strategy offsite, and every quarterly review.

The numbers make that clear. According to PwC’s AI Agent Survey (May 2025, 308 U.S. executives), 79% of organizations have adopted AI agents in some form. KPMG’s U.S. AI Quarterly Pulse Survey (Q1 2026, 237 U.S. C-suite leaders at $1B+ companies) tracked agent deployment surging from 11% in early 2024 to 54% by Q1 2026. Gartner predicts 40% of enterprise applications will embed task-specific AI agents by the end of 2026, up from less than 5% in 2025. And KPMG’s same Q1 2026 survey found U.S. enterprises projecting an average of $207 million in AI spend over the next 12 months, nearly double year-earlier figures.

But here’s the gap that keeps CISOs and CIOs up at night: agent adoption is accelerating while visibility into how those agents are actually behaving across the organization is not keeping pace.

We hear it in nearly every conversation with enterprise security and IT leaders: “We suspect 80-90% of our engineering workforce is using a functional agent daily, but we know very little about what they are doing.” These are large organizations with mature security programs acknowledging a fundamental blind spot. Their engineers are using coding copilots, terminal agents, and autonomous development assistants every day with almost no visibility into which agents are active, what data they’re touching, or whether any of it aligns with corporate policy. And even when companies know an agent exists in their environment, they still have no idea what it’s actually doing. Knowing an agent is installed is not the same as understanding its behavior at runtime.

The research confirms this gap is widespread. Deloitte’s State of AI in the Enterprise report (2026, 3,235 leaders surveyed) found that only 1 in 5 companies has a mature governance model for agentic AI. KPMG’s Q4 2025 Pulse Survey (130 U.S. C-suite leaders at $1B+ companies) reports that 80% of leaders now say cybersecurity is the single greatest barrier to achieving their AI strategy goals, and 75% say security, compliance, and auditability are the most critical requirements for agent deployment.

That spread between agent adoption and runtime assurance is where the real risk lives. And it’s where the real opportunity lives too.

The visibility problem

Most organizations today can tell you how much they’re spending on AI. Few can tell you how agents are being used, by whom, through which tools, and whether those patterns align with policy.

Some AI platforms and agent frameworks do surface usage data within their own products. But every vendor does it differently: different metrics, different formats, different levels of depth. If your teams are running agents across multiple platforms (and most are), you’re left stitching together a fragmented picture from inconsistent sources.

In our conversations with enterprises, one pattern comes up again and again: the agents running on employee desktops represent the most immediate and least understood risk. These are the AI assistants, coding copilots, and productivity agents that employees are downloading, configuring, and using every day. Many organizations don’t even know which agents are running on their endpoints, let alone what those agents are doing, what data they’re accessing, or which external tools and APIs they’re calling. That blind spot is the glaring gap. And as agents take on more autonomous work, it only widens.

Governance frameworks and policies are necessary, but they don’t close that gap on their own. You need the ability to see what’s on the endpoint, observe what agents are doing at runtime, and enforce rules in the moment.

Runtime assurance isn’t just about security. It’s about adoption.

Runtime assurance is a newer concept for most people, and the instinct is to assume it’s just about security. Security is a critical piece of it, but runtime assurance for AI agents covers much more. It’s how you answer: Is the agent doing what it was intended to do? Has its behavior drifted from its original scope over time? Are its outputs aligned with your organization’s policies, standards, and values? Is it calling tools and accessing data in ways that are consistent and predictable? And beyond dependability, runtime assurance gives you the ability to track which agents you have, how often and how much they’re being used, and what it’s costing you. That visibility across agent types helps you understand where you’re getting real adoption and value and where you’re not.

These questions matter just as much to the CIO driving adoption as they do to the CISO managing risk.

Here’s what gets lost in the security conversation: runtime visibility into AI agent behavior isn’t just a defensive play. It’s how you drive better adoption.

Governance policies tell you what should happen. Runtime assurance tells you what is happening and lets you act on it. When you have that runtime view, you can answer the questions that actually matter for adoption:

Who are your primary AI agent users? Which teams and roles are actively engaging with agents, and which are falling behind?

Where is AI being used? Which endpoints, departments, and workflows have agent activity, and where are the blind spots?

How is it being used? What tools are agents calling, what data are they accessing, and do those patterns align with your policies?

What are they trying to do? Are agents being used for the high-value workflows you intended, or are usage patterns drifting somewhere else entirely?

What does it cost? Can you map actual agent consumption back to teams and workflows so you understand where your spend is going and whether you’re getting value from it?

These aren’t abstract questions. They’re the foundation for every decision you make about training, tool selection, policy, and where to invest next. You can enforce guardrails in the moment rather than discovering violations in a quarterly audit. And you can adapt your consumption strategy based on actual usage patterns, not assumptions.

KPMG’s Q1 2026 U.S. Pulse Survey reinforces this: 65% of leaders cite difficulty scaling AI use cases as their primary ROI barrier, up from 33% just one quarter earlier. And as agent deployment surges, the skills gap is compounding the problem. The same survey found 87% of leaders are prioritizing upskilling and reskilling to build an AI-ready organization, but you can’t train effectively if you don’t know how agents are being used on the ground.

The organizations closing the gap between investment and value are the ones that treat runtime visibility and assurance as a prerequisite, not an afterthought.

How Certiv helps

Certiv gives you a single runtime layer across all of it.

See what’s running

Our lightweight endpoint agent, Scout, discovers and observes AI agent activity across your environment regardless of which platform or framework those agents run on. It gives you a single, consistent view of which agents are running, what tools they’re calling, and how sessions unfold. Scout also summarizes each agent session, so you can quickly understand the types of tasks agents are being used for across your organization without digging through raw logs.

Enforce in the moment

Our Policy Engine lets you define and enforce rules against that behavior as it happens. Because Scout captures rich context around every agent session, the Policy Engine can go beyond traditional rule-based approaches. It uses that context for reasoning-based behavior analysis, evaluating agent intent rather than just matching patterns against specific strings or actions. That means you can write policies that understand what an agent is trying to accomplish and whether that intent aligns with what’s expected. Block an agent from exfiltrating sensitive data regardless of the method it uses. Flag sessions where an agent’s behavior drifts outside its intended scope. Detect when an agent’s intent shifts mid-session in ways that don’t match the original task. Surface findings mapped to the OWASP Top 10 for Agentic Applications. This isn’t governance on paper. It’s runtime assurance: observe, understand, and act in the moment.

Drive adoption forward

The value isn’t just in enforcement. It’s in the complete picture Certiv gives you of how AI is actually being adopted across your organization. That picture lets you see what’s working, identify which teams need support, and use real usage data to raise adoption across the rest of the org.

We built Certiv for the CISO who needs runtime security for AI agents and the CIO who needs to know whether the investment is landing and what it takes to lift everyone else up.

Learn more

If you’re navigating this space and want to see how runtime assurance changes the conversation, we’d love to connect.

— Tai, VP of Product, Certiv