The share of organisations unable to tell whether employees are using unsanctioned AI tools has nearly tripled in a year, rising from 6.3 per cent to 17.6 per cent. For AI agents the blind spot is larger still, with 21.1 per cent of organisations unable to account for unsanctioned agent activity.
The findings come from AvePoint's third annual State of AI Report: Scaling Trust, Control, and Readiness in the Agentic Era. The study, conducted with Osterman Research, surveyed 750 enterprise leaders with direct responsibility for information management, data security or AI programs across the Americas, EMEA and APAC.
The report found a stark gap between confidence and outcomes. While 82.7 per cent of respondents said they were 'very' or 'extremely' confident in their ability to prevent unauthorised AI-related data access, 72 per cent of the 'very confident' group experienced an unauthorised access incident in the past 12 months. Among the 'extremely confident', the figure was 62 per cent.
Security incidents are widespread. In 2026, 89.5 per cent of organisations reported at least one generative AI-related security breach, up from 75.1 per cent the previous year. For AI agents, 88.4 per cent experienced at least one breach in the past 12 months.
The governance gaps are delaying deployments. Nearly nine in 10 organisations (86.9 per cent) delayed generative AI deployments by an average of almost six months, citing data security and governance concerns. The figure for AI agents was almost identical at 86 per cent.
"Nearly half of global employees are already relying on AI agents weekly or daily, and organizations are deploying agents faster than they are building the foundations required to trust them," said Dr Tianyi Jiang, CEO and Co-Founder of AvePoint.
"The constraint on enterprise AI is no longer model capability, but whether organizations have built a trust layer: the data visibility, governance, and enforceable control required to scale AI with confidence. Without it, speed of deployment becomes speed of exposure."
AI is also reshaping the data that governance must cover. On average, 35.5 per cent of enterprise data is now generated by AI assistants, a figure expected to reach 42.1 per cent within 12 months. Meanwhile, 84.1 per cent of organisations manage at least one petabyte of data, and 78.1 per cent report at least half their data is more than five years old.
Adoption continues to accelerate. Some 46.9 per cent of employees rely on AI agents daily or weekly, and organisations anticipate agents will replace more than a quarter of human work within 12 months. Reducing headcount ranked last among reasons for adopting agents, with return on investment measured instead through reduced manual effort and faster processes.
Investment is following the gaps. Securing data used for AI training was the top-rated future priority at 79.5 per cent. Third-party governance tools that monitor agent actions topped the planned investment list for the next 12 months, capabilities at the core of the emerging AI Agent Management Platform category defined by Gartner.
"Trust in AI cannot be measured by confidence alone," said John Peluso, Chief Technology Officer at AvePoint. "It requires operational foundations: visibility into what AI systems are doing, enforceable governance over the data they consume and create, and the ability to audit and correct outcomes when something goes wrong."