Many CIOs seem confident in their AI security. Yet new research found a more complicated reality.
Seventy-seven percent of CIOs said they were confident in their ability to manage AI risk, according to an upcoming survey conducted by Palo Alto Networks, in partnership with CIO Dive. Yet only 30% reported having full visibility into where AI was used across their organization.
One of the biggest blind spots is agentic AI, where actions happen without clear visibility or control. Sixty-two percent of CIOs said they were most concerned about rogue AI agents, and 54% said they had seen unauthorized actions — yet only 47% planned to secure them in the next 24 months.
“You don’t want to repeat the same mistakes that the world made in the era of cloud,” explained Jaimin Patel, vice president of product management for Prisma AIRS at Palo Alto Networks. “We have an opportunity with AI to do something better — to secure it by design and follow that principle from the get-go,” he said.
The risks agentic AI introduces
Agentic AI presents a new class of threats, especially as humans are no longer in the loop for every step of execution; the agent acts autonomously between the prompt and the outcome.
Autonomy is a core part of what makes agentic AI useful and risky. Agents are designed to act on behalf of users, but large language models are nondeterministic, and execution can go wrong in very real ways.
Consider this: A sales rep asks an agent to tidy up their CRM. The agent deletes the pipeline instead because it can’t tell the difference between tidying up and erasing.
Remote access through agent hijacking is another significant concern. Agents can be manipulated into acting on behalf of an attacker, and in some cases, consumer agentic browsers have been compromised using nothing more than a well-crafted email.
“That’s also why many organizations describe their AI security approach as reactive,” said Yonatan Gotlib, vice president of product management for Prisma Browser at Palo Alto Networks. “You often only see the outcome, not the intent — and the intent is where the real risk lies.”
The gap between confidence and visibility
For Patel, the confidence numbers aren’t necessarily surprising — but they warrant a closer look. Patel regularly meets with CIOs and CISOs across the U.S., Europe and Asia, and he said the real measure of AI security readiness came down to two questions.
Do organizations have full visibility into where AI is being used across their enterprise — by employees and developers and across every system? And have they assessed the risk tied to each AI tool or service their teams are accessing or building on?
Patel put it simply: “You can’t protect what you can’t see. If they don’t have that visibility, the protection simply isn’t there.”
What’s changing the risk model
Part of the challenge is that AI has fundamentally changed the threat landscape in ways that traditional security tools weren’t built for.
Gotlib said the shift started with how broadly AI was now embedded across organizations.
“In many cases, confidence comes from a strong security posture built around human threats. But AI fundamentally changes the risk model,” Gotlib said. “Shadow AI is widespread, as employees use their preferred tools and share sensitive data with unsanctioned platforms. AI has also made it easy to build and publish apps, creating a nearly infinite SaaS surface that’s hard to govern.”
Why organizations aren’t acting faster
If the risks are already showing up, why aren’t organizations moving more quickly to address them? Part of the answer is structural.
Traditional security tools were built for human-driven interactions, not autonomous agents acting on behalf of users. When an agent inherits an active session, most security layers have no visibility or control over what’s happening.
Many organizations also feel caught between two options: Block AI entirely or accept the risk. Since the former is no longer realistic, that perception creates paralysis. AI is increasingly embedded into business tools and workflows, and adding security controls can create friction that organizations are reluctant to introduce.
Patel said the gap between awareness and action also came from treating security as a one-time exercise rather than a continuous one.
“New employees access new tools every day. Developers modify agents and connect to new services. The AI environment never stops changing. You can only be proactive if you know what’s going on,” he explained. “Otherwise, it’s blind protection — you’re putting something in place without knowing whether that’s even a risk. Discovery, assessment, and protection need to happen continuously.”
What needs to change
Today, most security tools are removed from where AI decisions are made. But agents don’t just access data — they act on it. That means the control point needs to move inside the interaction itself.
In practice, that starts with identity and accountability: knowing when an action is performed by a human versus an agent, with full audit trails of what the agent did, on whose behalf, and across which systems. It also requires real-time guardrails — the ability to pause or approve high-risk actions before they happen, such as deleting large amounts of data or transferring sensitive information, rather than detecting issues after the fact.
“Ultimately, confidence comes from making AI actions visible, controllable, and accountable in real time — without slowing down the business,” Gotlib added.
Getting there: A phased approach
End-to-end AI security doesn’t happen all at once. Instead, a phased path helps organizations make progress as maturity grows.
As Patel recommended, start with visibility and governance to understand where AI is used and what the risks are, then move to real-time protection against prompt injections and unauthorized agent actions, and finally advance to full guardrails, including data protection and human-in-the-loop approvals for sensitive actions.
Beyond technology, clear governance matters just as much. Rather than simply allowing or blocking tools, organizations need to define what actions are acceptable — distinguishing between reading data and modifying or deleting it, and specifying when human approval is required. Because AI is evolving quickly, that guidance needs to be reinforced continuously, ideally at the point of use.
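The identity, audit-trail and guardrail requirements above, together with the read/modify/delete distinction in this governance guidance, can be sketched as a gate that runs before an agent's action executes. This is an added example, not code from Palo Alto Networks or the survey; the verb names, the 100-record bulk threshold, the actor IDs and the log fields are all assumptions made for illustration.

```python
import json
from dataclasses import dataclass, asdict

# Constructed policy: class of each verb, and the row count above which a change is "bulk".
VERB_CLASS = {"read": "read", "update": "modify", "delete": "delete", "export": "transfer"}
BULK_THRESHOLD = 100  # assumed value; tune per system

@dataclass(frozen=True)
class Action:
    actor_kind: str      # "human" or "agent"
    actor_id: str
    on_behalf_of: str    # the user whose session the agent is acting in
    system: str
    verb: str
    record_count: int
    sensitive: bool = False

def decide(a: Action) -> tuple[str, str]:
    """Return (decision, reason); decision is allow, require_approval or deny."""
    cls = VERB_CLASS.get(a.verb)
    if cls is None:
        return "deny", "unclassified verb"            # fail closed on unknown actions
    if a.actor_kind == "human" or cls == "read":
        return "allow", "human actor or read-only"    # simplification: humans are not gated here
    if cls == "delete" and a.record_count > BULK_THRESHOLD:
        return "require_approval", "bulk delete by agent"
    if cls == "transfer" and a.sensitive:
        return "require_approval", "sensitive data transfer by agent"
    return "allow", "low-risk agent write"

def gate(a: Action, audit: list, approver=None) -> bool:
    """Decide before execution, ask a human when required, and log either way."""
    decision, reason = decide(a)
    approved_by = None
    if decision == "require_approval" and approver is not None:
        approved_by = approver(a)                     # approver returns an approver id or None
    permitted = decision == "allow" or approved_by is not None
    audit.append(json.dumps({**asdict(a), "decision": decision, "reason": reason,
                             "approved_by": approved_by, "permitted": permitted}))
    return permitted

# Constructed scenario: the "tidy up my CRM" request arrives as a 4,200-record delete.
audit_log = []
tidy = Action("agent", "crm-agent-01", "sales.rep@example.com", "crm", "delete", 4200)
blocked = gate(tidy, audit_log)       # no approver reachable, so the delete stays paused
lookup = gate(Action("agent", "crm-agent-01", "sales.rep@example.com", "crm", "read", 4200),
              audit_log)              # read-only access passes without approval
```

Every call writes an audit record naming the actor kind, the agent, the user it acted for and the target system, whether or not the action was permitted.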
Patel said the stakes echoed the early days of cloud adoption, when organizations rushed to migrate without thinking through security and paid the price.
Keep an eye out for other findings in the upcoming Palo Alto Networks survey report, in partnership with CIO Dive, “The Great AI Visibility Gap: CIOs Are Confident Yet Exposed.”