In December 2025, an AWS-integrated coding agent at a mid-sized financial technology firm was assigned what looked like a routine task: identify and patch a memory leak in a production microservice. The agent did exactly what it was instructed to do. It identified the leak, traced its origin across three dependent services, and began applying fixes. Then, operating within the broad system permissions it had been granted, it deleted what its reasoning module classified as redundant legacy code. The deleted files were not redundant. They were the authentication layer for the firm’s payment processing pipeline. The resulting outage lasted thirteen hours.
That incident is not an outlier. It is a preview.
Agentic AI — systems capable of planning multi-step tasks, executing actions across tools and data sources, and adapting their approach in response to feedback — is being deployed across enterprise environments at a pace that has consistently outstripped the governance frameworks, security architectures, and change management processes that responsible deployment requires.
The Scale of What Is Being Built — and What Is Being Risked
The numbers are not in dispute. The global agentic AI market stood at approximately $8.5 billion in 2025 and is forecast to reach $45 billion to $53 billion by 2030, depending on the analyst. Gartner projects that by the end of 2026, 40 per cent of enterprise applications will have embedded autonomous AI agents — up from under one per cent in 2024.
Investment is following the forecast. A January 2025 Gartner poll of more than 3,400 enterprise technology leaders found that 85 per cent planned to have autonomous agents in production within twelve months. The 2026 Bain Technology Report identified agentic AI as the single most prioritised technology initiative across its global enterprise survey. Every major cloud provider — AWS, Microsoft Azure, Google Cloud — has reoriented its enterprise product roadmap around agentic services.
Yet for all this momentum, Gartner’s June 2025 assessment delivered a sharp corrective: more than 40 per cent of agentic AI projects will be cancelled by the end of 2027. Not paused. Cancelled. The failure rate Gartner is projecting is not a minor recalibration of the forecast: it represents tens of billions of dollars in wasted investment and, in some cases, material operational damage from deployments that went wrong before anyone understood what was happening.
The Anatomy of Failure: Three Structural Fault Lines
The Governance Vacuum
The most pervasive failure mode is structural rather than technical. Only 21 per cent of enterprises currently have mature governance frameworks for autonomous AI agents. The remaining 79 per cent are deploying systems that can make consequential decisions — initiating transactions, modifying databases, sending communications on behalf of the organisation — without the oversight architecture to detect, review, or reverse those decisions.
The governance gap is partly a product of speed. Boards approved agentic AI programmes based on vendor demonstrations; procurement moved faster than policy; pilot deployments became production deployments before anyone had written the agent’s equivalent of a job description — defining what the agent can do, what it cannot do, what it must escalate, and who is accountable when it acts incorrectly.
Security Fault Lines
Agentic AI introduces a threat surface that conventional cybersecurity frameworks were not designed to address. A 2026 Lasso Security analysis found that prompt injection vulnerabilities — where malicious inputs manipulate an agent’s reasoning to cause unintended actions — were present in 73 per cent of tested enterprise deployments. Privilege escalation, where an agent uses its access permissions to reach systems or data beyond its intended scope, is the most common pathway to serious operational damage.
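What least-privilege scoping means in practice is easier to see in code than in prose. The sketch below is purely illustrative; the names (AgentPolicy, ToolCallDenied, execute_tool) are invented for this example rather than drawn from any vendor's framework. Every tool call an agent attempts is checked against an explicit allowlist before anything executes, so a prompt-injected instruction to touch an out-of-scope system fails closed.

```python
# Illustrative sketch only: a hypothetical permission gateway for agent
# tool calls. All names here are invented for this example.
from dataclasses import dataclass


class ToolCallDenied(Exception):
    """Raised when an agent attempts a tool call outside its granted scope."""


@dataclass(frozen=True)
class AgentPolicy:
    agent_id: str
    allowed_tools: frozenset      # explicit allowlist, nothing inherited
    allowed_resources: frozenset  # e.g. service names or data domains

    def check(self, tool: str, resource: str) -> None:
        # Fail closed: anything not explicitly granted is denied.
        if tool not in self.allowed_tools:
            raise ToolCallDenied(f"{self.agent_id}: tool '{tool}' not granted")
        if resource not in self.allowed_resources:
            raise ToolCallDenied(f"{self.agent_id}: resource '{resource}' out of scope")


def execute_tool(policy: AgentPolicy, tool: str, resource: str) -> str:
    policy.check(tool, resource)  # enforced before any side effect
    # ... dispatch to the real tool implementation here ...
    return f"executed {tool} on {resource}"


if __name__ == "__main__":
    leak_fixer = AgentPolicy(
        agent_id="memleak-agent",
        allowed_tools=frozenset({"read_logs", "patch_code"}),
        allowed_resources=frozenset({"inventory-service"}),
    )
    print(execute_tool(leak_fixer, "patch_code", "inventory-service"))
    try:
        # A prompt-injected attempt to reach the payment stack fails closed.
        execute_tool(leak_fixer, "delete_files", "payment-auth")
    except ToolCallDenied as exc:
        print(f"blocked: {exc}")
```

Under a gate of this kind, a deletion aimed at a payment authentication layer, as in the opening incident, would be refused rather than executed.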
Multi-agent environments — where several specialised agents collaborate on complex tasks — compound the problem. Each agent handoff is a potential attack vector. Each elevated-access operation is a potential privilege escalation. A 2026 Stellar Cyber analysis catalogued the most prevalent agentic AI security threats: prompt injection, memory poisoning, agent impersonation, and what researchers term “hallucination cascades” — where one agent’s incorrect output becomes the authoritative input for the next agent in the chain, with errors amplifying at each step.
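A common mitigation for cascades is to validate each handoff before it becomes the next agent's input. The following is a minimal sketch, assuming a simple chain-of-agents pipeline; the Handoff structure and validator functions are hypothetical stand-ins for real checks such as retrieval against a verified source or a second-model review.

```python
# Minimal sketch of a validated agent handoff in a chain-of-agents
# pipeline. The Handoff structure and validators are hypothetical.
from dataclasses import dataclass
from typing import Callable


@dataclass
class Handoff:
    producer: str      # which agent produced this output
    claim: str         # the content being passed downstream
    confidence: float  # producer's self-reported confidence, 0.0 to 1.0


def gate_handoff(
    handoff: Handoff,
    validators: list[Callable[[Handoff], bool]],
    min_confidence: float = 0.8,
) -> Handoff:
    """Refuse to propagate an output that fails any independent check.

    Stopping here, and escalating to a human, is what arrests a
    hallucination cascade: the error dies at one hop instead of
    amplifying down the chain.
    """
    if handoff.confidence < min_confidence:
        raise RuntimeError(f"{handoff.producer}: low confidence, escalate to human")
    for validate in validators:
        if not validate(handoff):
            raise RuntimeError(f"{handoff.producer}: failed {validate.__name__}, escalate")
    return handoff


# Stand-ins for real checks (e.g. retrieval against a verified source):
def cites_known_source(h: Handoff) -> bool:
    return "source:" in h.claim


def within_length_budget(h: Handoff) -> bool:
    return len(h.claim) < 2000


if __name__ == "__main__":
    out = Handoff("research-agent", "Q3 revenue rose 4% (source: 10-Q)", 0.91)
    nxt = gate_handoff(out, [cites_known_source, within_length_budget])
    print("propagated to next agent:", nxt.claim)
```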
The Agent-Washing Problem
The vendor market has not helped. Of the more than 900 companies claiming to offer “agentic AI” solutions, independent analyses suggest that fewer than 150 are deploying systems with genuine autonomous reasoning and multi-step execution capability. The remainder are offering enhanced chatbots or automated workflows rebranded for a market willing to pay a premium for anything labelled “agentic.” Enterprises that have purchased agent-washed products discover the gap when they attempt to scale pilots to production and find that the system cannot handle the complexity, ambiguity, and exceptions that real enterprise environments generate.
The 12 Per Cent: What the Successful Deployments Have in Common
The same Gartner and Capgemini data that documents the failure rate also reveals a group of enterprises achieving exceptional results. Among properly governed deployments, 74 per cent of executives report measurable ROI within the first year, and 39 per cent report that specific workflows have seen productivity double. A 2026 Futurum Group survey put the average ROI for mature agentic AI deployments at 171 per cent over eighteen months.
The companies achieving these outcomes share four characteristics. First, they defined agent boundaries before deployment — specifying explicitly what the agent can and cannot do, which systems it can access, and what actions require human confirmation. Second, they invested in identity and permissions architecture — treating each agent as a non-human identity with its own access controls, audit trail, and least-privilege permissions, rather than inheriting the permissions of the human operator who initialised it. Third, they started narrow — deploying agents in single-domain tasks with well-defined success metrics before expanding scope. Fourth, they built oversight into the workflow — not as a bureaucratic checkpoint but as a genuine feedback mechanism that caught errors early and generated the data needed to improve agent performance over time.
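What the first and fourth of those characteristics can look like when they are enforced in the runtime, rather than written only in a policy document, is sketched below. The charter and risk tiers are invented for illustration, not any vendor's schema: any proposed action above the agent's autonomous risk threshold is queued for human confirmation instead of being executed.

```python
# Invented illustration of an enforced "agent charter": actions above a
# defined risk threshold are queued for a human, never executed directly.
from dataclasses import dataclass
from enum import IntEnum


class Risk(IntEnum):
    LOW = 1     # e.g. drafting a reply
    MEDIUM = 2  # e.g. issuing a partial refund
    HIGH = 3    # e.g. closing an account


@dataclass(frozen=True)
class Charter:
    owner: str                 # the human accountable for this agent
    max_autonomous_risk: Risk  # anything above this requires confirmation


@dataclass
class Action:
    description: str
    risk: Risk


def dispatch(charter: Charter, action: Action, review_queue: list) -> str:
    if action.risk > charter.max_autonomous_risk:
        review_queue.append(action)  # escalate; do not execute
        return f"escalated to {charter.owner}: {action.description}"
    return f"executed: {action.description}"


if __name__ == "__main__":
    charter = Charter(owner="support-ops-lead", max_autonomous_risk=Risk.LOW)
    queue: list = []
    print(dispatch(charter, Action("draft order-status reply", Risk.LOW), queue))
    print(dispatch(charter, Action("refund a disputed order", Risk.MEDIUM), queue))
```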
Klarna’s customer service agent, which now handles the equivalent of 700 full-time employees’ workload, was deployed within a tightly scoped customer interaction environment with clear escalation paths and human review for any action above a defined complexity threshold. Salesforce’s Agentforce platform enforces agent permissions through a dedicated identity layer that is architecturally separate from human user permissions. BakerHostetler’s legal research agent operates within a verified knowledge base with mandatory attorney review of any output before client use. None of these deployments gave agents broad, inherited access to enterprise systems. All of them treated governance as an architectural requirement, not an afterthought.
The Strategic Playbook
For executives navigating this environment, the priority ordering matters. Governance architecture must precede deployment scale. Before expanding any agentic AI programme, three foundations must be in place: a defined agent identity and permissions framework; an audit and logging infrastructure that captures every agent action; and an exception-handling protocol that specifies how the organisation responds when an agent acts outside expected parameters.
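As a rough sketch of what the second and third foundations imply at the code level (the log schema and function names here are assumptions for illustration, not a standard): every agent action, successful or not, should leave an append-only audit record, and any exception should trigger a defined escalation path rather than disappearing into a retry loop.

```python
# Rough sketch of append-only action auditing with a defined exception
# path. The log schema and function names are assumptions, not a standard.
import json
import time
import uuid


def audit_record(agent_id: str, action: str, outcome: str, detail: str) -> str:
    """Serialise one agent action as a single append-only JSON line."""
    return json.dumps({
        "event_id": str(uuid.uuid4()),
        "ts": time.time(),
        "agent_id": agent_id,
        "action": action,
        "outcome": outcome,  # "ok" or "exception"
        "detail": detail,
    })


def run_with_audit(agent_id: str, action: str, fn, log: list):
    """Execute one agent action; every path leaves an audit record."""
    try:
        result = fn()
        log.append(audit_record(agent_id, action, "ok", str(result)))
        return result
    except Exception as exc:
        log.append(audit_record(agent_id, action, "exception", repr(exc)))
        # Exception-handling protocol, stubbed here: quarantine the agent
        # and notify the accountable owner via real incident tooling.
        raise


if __name__ == "__main__":
    log: list = []
    run_with_audit("billing-agent", "recalculate_invoice", lambda: 42, log)
    for line in log:
        print(line)
```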
Procurement rigour is the second priority. The agent-washing problem makes vendor selection consequential. The questions that separate genuine capability from rebranded automation are specific: Can the system handle multi-step tasks that encounter unexpected obstacles without human intervention? How does it manage ambiguous instructions? What is the escalation mechanism when the agent reaches the boundary of its knowledge or authority? Vendors who cannot answer these questions concretely are selling something other than agentic AI.
Third, deploy narrow before deploying broad. The most common path to the failures Gartner is projecting is the assumption that a successful pilot in one domain validates broad deployment across the enterprise. It does not. Every new domain introduces new failure modes. Each expansion of agent scope requires a fresh governance assessment.
Finally, treat agent security as a distinct discipline. The CISO’s office needs a dedicated agentic AI security function — not as an extension of existing application security but as a specialised capability that understands prompt injection, privilege escalation, and multi-agent attack vectors. This function should be involved in deployment decisions before go-live, not after an incident has occurred.
Looking Ahead
Gartner projects that by 2028, autonomous agents will be making approximately 15 per cent of day-to-day business decisions without human review. That figure will seem modest in retrospect. The trajectory of agentic AI capability — driven by improvements in reasoning models, tool integration, and multi-agent coordination — points toward a future where autonomous systems handle a substantial share of knowledge work across every industry.
The organisations that build governance-mature agentic AI programmes now will not just avoid the failures Gartner is projecting. They will accumulate an operational advantage that compounds over time: better data on what works, more refined agent boundaries, more experienced oversight teams, and a cultural readiness for human-agent collaboration that cannot be replicated quickly by organisations that waited. The reckoning that Gartner’s projection describes is real. But it is not inevitable — it is a choice that organisations are making right now, through the governance investments they are either making or deferring.
