Microsoft has released new research revealing that the deployment of autonomous AI agents across UK organizations has exploded over the past year, bringing with it a wave of productivity gains and a growing security challenge.
The study, which surveyed 1,000 senior UK decision-makers, found that while businesses are embracing AI agents at remarkable speed, the governance frameworks meant to keep them in check are not keeping pace.
Jo Miller, National Security Officer at Microsoft UK, highlighted the importance of this discrepancy:
“AI agents introduce a new category of identity that must be secured with the same rigor as human or machine identities. Double agents emerge when governance does not keep pace with adoption.”
A Surge in Adoption Matched by a Surge in Risk
According to the research, the share of UK organizations actively deploying AI agents has nearly tripled in just twelve months, jumping from 22% to 62%, with 68% expecting AI agents to be fully integrated across their entire organization within the next 12 months.
However, as deployment scales, so does the emergence of what the report calls “double agents”: AI agents introduced into business environments without formal IT or security oversight, carrying excessive permissions, unknown origins, or insufficient governance. Eighty-four percent of senior leaders flagged these unsanctioned agents as a growing security risk.
The concern is not hypothetical. Eighty-six percent of leaders acknowledge that AI agents introduce security and compliance challenges that existing frameworks were never designed to handle. Eighty-five percent believe deployment is moving faster than traditional oversight approaches can support, and 80% say they are worried about the sheer complexity of managing agents at scale.
Despite these concerns, 87% of leaders say they are confident their organization can prevent unauthorized AI agents from being created or used today.
Microsoft compares this contrast to the last major rise of shadow IT, where employees adopted unsanctioned tools faster than security teams could detect them, creating blind spots that took years to address. The concern is that AI agents are following the same pattern, only faster.
The problem is not limited to the UK. Microsoft’s wider Cyber Pulse AI Security Report found that more than 80% of Fortune 500 companies are already using AI agents, underscoring how quickly autonomous systems are becoming a fixture of global enterprise operations.
What Should Businesses Do About It
Alongside highlighting the security concerns brought about by agent growth, Microsoft is offering advice to organizations on how to address the growing challenge.
The core message from Miller is that AI agents must be treated with the same rigor applied to any other identity in a business environment, whether human or machine:
“By treating AI agents as managed identities and applying robust zero trust principles, with least-privilege access, defined permissions, and full auditability, businesses can manage risk while continuing to innovate with confidence.”
Applying zero trust principles to AI agents means granting least-privilege access, defining clear permissions, and ensuring full auditability of agent activity. The goal is to give security teams the visibility they need to understand what agents exist, what they can access, and what they are doing.
Security teams themselves identified three immediate priorities as adoption accelerates: maintaining visibility over where agents are operating, integrating them safely into existing systems, and meeting compliance and audit requirements as autonomous activity expands. Each of these points to the same underlying challenge: organizations need to bring AI agents into their governance frameworks before the gap becomes unmanageable.
Keeping Innovation in Tow with Security
Microsoft’s research arrives at a moment when the business case for AI agents is growing, and adoption is following.
Yet the security infrastructure to support them is still catching up. The risk is that the speed of adoption, without equivalent investment in governance, creates blind spots that are difficult and costly to close after the fact.
What this research ultimately reflects is a broader pattern that will only intensify. As AI becomes more capable and more embedded in how businesses operate, the security challenges it introduces will grow with it. The arrival of autonomous agents is unlikely to be the last time the adoption of technology outpaces the frameworks meant to govern it.
