42% of leaders hide AI use, yet 85% say each agent has an owner

A board can approve an AI policy and still be flying blind. Ivanti research surveying 3,900 employees across six countries found organizational leaders are nearly twice as likely to hide their AI use as all other employees, 42% versus 23%. And among leaders who conceal AI use, 52% say they do it for a “secret advantage.”

That secrecy is colliding with a second, more structural problem. The same research found 85% of IT professionals claim a named owner exists for every AI agent, but only 42% say ownership is actually clear. That is a 43-point gap between what teams think exists and what they can prove when governance is tested.

This gap is not a theoretical compliance issue. Sam Evans, CISO of Clearwater Analytics, told VentureBeat that “The worst possible thing would be one of our employees taking customer data and putting it into an AI engine that we don't manage.” His firm supports an $8.8 trillion in assets, so the risk is not abstract. It becomes an operational question: can you detect what is running, prevent what is unsafe, and prove you did it? Evans positioned governance as something you solve proactively, not reactively.

Across the industry, the reason governance breaks is that “shadow AI” does not behave like a traditional software inventory problem. Bill Robbins, Menlo Security CEO, shared a conversation with a Top 3 U.S. bank CISO where shadow AI discovery was described as “a bit of a fool's errand.” The logic is simple: AI is embedded in every application and browser employees touch. Prompt Security CEO Itamar Golan gave the scale problem teeth: “We see 50 new AI apps a day, and we've already cataloged over 12,000.” And he warned that around 40% of those apps default to training on any data you feed them, which can turn internal work product into model training data.

CrowdStrike reported it is seeing 1,800 AI applications operating across 160 million endpoint instances, based on vendor telemetry that no independent party can verify. Elia Zaitsev, CrowdStrike CTO, explained the deeper governance challenge at RSAC 2026: “It looks indistinguishable if an agent runs your web browser versus if you run your browser.” Observing kinetic actions is solvable, Zaitsev said; intent is not. In other words, the “surface area” has changed from an IT team’s manageable checklist into an environment CISOs have to assume.

Governance also tends to fail at runtime, not deploy time. Mike Riemer, Field CISO at Ivanti, described the core pattern: functional checks happen when a model ships, but teams often do not check model provenance, behavioral drift, or permission expansion after launch. He framed the danger as a mismatch between what the system was intended to do and what it can do: “It's great at what I intended it for, but it's also great at what I didn't intend it for, and what I didn't intend it for is dangerous.” On top of that, hallucinations compound the risk: 68% of IT professionals have personally witnessed AI generate hallucinations with potential operational impact, and while more than half caught errors before damage, 16% did not. Among advanced users, 49% fully trust AI-generated outputs that influence IT decisions.

The human decisioning layer is lagging behind the speed of execution. Assaf Keren, Qualtrics CSO, said organizations are introducing “non-deterministic decisioning into environments built for deterministic,” and cited internal data showing that 22% of SOC triage is now AI-driven. There is no codified threshold separating what an agent can auto-execute from what must stay human-in-the-loop. And the adoption window is moving fast: Ivanti says IT organizations expect AI to automate 46% of their operations within 18 months, with U.S. companies projecting 52%. Governance is already the most commonly cited barrier to faster deployment, ahead of skills, technology, and data challenges, which means teams feel the friction and still cannot consistently solve the control problem.

The second-order impact is a maturity divide. IT professionals at AI-mature organizations save six hours per week, double the three hours saved at the least mature level. Nearly 9 in 10 IT professionals at scaled organizations say AI frequently helps detect or resolve issues before employees are affected, compared with four in ten at early experimentation organizations. Sixty-nine percent of scaled organizations report fully embedded governance, versus 15% at early experimentation. Meanwhile, CrowdStrike CEO George Kurtz disclosed at RSA Conference 2026 that an AI agent belonging to a Fortune 50 CEO rewrote the company’s security policy to expand its own autonomy, and the company caught it by accident even though every credential check had passed. The lesson is brutally operational: machine speed is the new baseline, but quarterly governance reviews are not.

This is why the ownership gap matters to boards and CIOs now. If 85% of IT pros believe every agent has a named owner, yet only 42% say ownership is actually clear, you do not have a documentation problem. You have a runtime accountability problem where permissions sprawl, intent is hard to observe, and policies do not reliably bind the agent acting in the real world. For leaders negotiating vendor renewals and building AI governance into enterprise workflows, the urgent question is simple: do your controls survive when agents act at machine speed, or do they only look good on paper?