A massive “invisible workforce” of autonomous digital workers has arrived in the corporate world, but new research suggests it may be operating largely out of control.

Large enterprises across the U.S. and UK have already deployed 3 million AI agents, according to a study released by Gravitee, an open-source leader in API and agentic management. However, nearly half of these agents, or about 1.5 million, are currently running without active oversight or security protocols.

While AI agents promise unprecedented productivity gains, the speed of adoption is outpacing the ability of security teams to manage them. Gravitee’s survey of 750 CTOs and technical VPs revealed 47% of agents are ungoverned, leaving them at risk of going rogue.

In a technical context, a rogue agent is one that exhibits unintended behaviors, such as making unauthorized financial decisions, exposing sensitive consumer data, or triggering massive security breaches.

“There are now over 3 million AI agents operating within corporations—a workforce larger than the entire global employee count of Walmart,” Gravitee CEO Rory Blundell said. “But far too often, these agents are left unchecked. Without governance, they stop being productivity tools and start becoming liabilities.”

The danger is not merely theoretical. The report discovered a staggering 88% of firms have either experienced or suspected a security or data privacy incident related to AI agents in the last 12 months. Documented missteps include agents acting on outdated information, leaking confidential data, and, in extreme cases, deleting entire databases without permission.

As firms prepare to deploy millions more agents in 2026, the industry is reaching a breaking point. Experts warn that the same discipline applied to traditional software and APIs must now be extended to the Agent-to-Agent (A2A) ecosystem.