69% of enterprises share API keys across AI agents, and attribution dies with them
VentureBeat research finds credential sharing is widespread, incidents are common, and isolation is the missing control.

VentureBeat’s June 2026 Pulse Research wave of 107 enterprises found 69% flagged credential sharing across AI agents, including shared API keys. For decision-makers, that means one compromised agent can inherit permissions, and audit trails can go credential-level blind.
A single compromised AI agent can inherit the permissions of multiple other agents if enterprises share API keys, and new VentureBeat research pegs credential sharing at 69% of organizations.
In VentureBeat’s June 2026 Pulse Research wave of 107 enterprises, 74 organizations, or 69%, flagged credential sharing in at least one answer. The survey ties that behavior to something security directors feel in their bones: 54% of respondents already had an agent security incident or near-incident, with 18% confirming an incident and 36% catching a near-miss before a breach.
So why is the industry obsessing over this specific plumbing layer right now? Because the failure mode is brutally scalable. When multiple agents run under shared credentials, an attacker does not just “use one bot.” They gain the combined reach of every workflow those keys touch. And because the forensic trail collapses at the credential level, it becomes much harder to answer the question boards love to ask after something goes wrong: which agent did what, when, and under whose permissions? Five agents on one account can leave little signal to separate actions by agent identity.
VentureBeat’s data paints a messy middle where “better than nothing” still leaves the core risk untouched. Only 32% of enterprises give every AI agent its own scoped, managed identity. Nearly half (48%) report that some agents have scoped identities, while many still share credentials. Another 32% say agents mostly run on shared API keys or borrowed human and service-account credentials. The question allowed more than one selection, so the categories add to 112% because 24 of the 107 respondents chose multiple options.
This is also why so much capital has rushed toward identity and authorization products that sit underneath agent actions. Palo Alto Networks, CrowdStrike, and Cisco have collectively bet more than $22 billion on targeting exactly the layer many enterprises in this survey have not finished building. Palo Alto Networks completed its acquisition of CyberArk on February 11 for $21.1 billion in total consideration at close, after announcing it last July at roughly $25 billion, and calling it the largest deal in the company’s history. CrowdStrike closed its $740 million acquisition of runtime authorization platform SGNL and, by June 15, shipped the first product from the deal, Continuous Identity for AI Agents. Cisco announced its intent to acquire non-human identity specialist Astrix Security on May 4 for a reported $400 million.
The core argument from the research is simple: scoped identities and isolation matter because they restore attribution and contain blast radius when something is wrong. For context, CyberArk research puts machine identities at 82 for every human in organizations worldwide, with agents as the fastest-growing category of that ratio. Cisco’s announcement describes credentials AI agents are “using (and abusing)” to execute work at scale, and CrowdStrike’s Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, described the mechanism in an interview with VentureBeat: in some cases systems have their own identities, but in other cases “people give their identity to the AI to take action on their behalf,” which “murkies the water.” The murk is the point, because when the identity is shared, attribution dies with it.
Containment is the second missing piece, and it gets more alarming as organizations get bigger. VentureBeat reports that 49% of enterprises enforce scoped permissions at runtime, and 47% monitor and log agent activity, which can help reduce incidents. Only 30% sandbox their highest-risk agents, the control that limits blast radius when the first two fail. The survey suggests that detection and resistance spending is more common than the “box around the bot” engineering that actually stops a credential breach from turning into deployment-wide fallout.
The incident data sharpens the threat picture by company size. Incident rate is 49% for companies with 101 to 1,000 employees, but it jumps to 63% for companies with more than 1,000 employees. Sandbox isolation moves the other way, falling from 35% to 20% at the larger companies. VentureBeat notes the top band pools the two largest size groups and holds only 15 respondents, so the figure is directional, but the direction matches the story: larger enterprises run more agents across more systems, which drives incidents up while sandboxing does not keep pace. The enterprises with the most agents have the least isolation around them, which is exactly the customer profile the deals target.
This is also where model-provider “guardrails” can lull teams into a false sense of coverage. The research lists the model providers as the security layer, with OpenAI’s built-in guardrails leading at 51%. Google Cloud reaches 36%, Microsoft Azure’s Purview and Copilot Studio DLP 35%, and Anthropic’s managed-agent controls 29%. Purpose-built specialists are in single digits: Palo Alto Networks’ Prisma AIRS at 7%, CrowdStrike at 6%, and Okta for AI Agents at 4%. Zenity and dedicated non-human identity platforms are at 3% each. Microsoft Entra Agent ID is the highest-penetration identity-specific control in the dataset at 13%, but it still falls outside the top four.
Prompt-and-output filters evaluate whether a call looks malicious, and the survey argues that this intent problem cannot be solved at the language layer. CrowdStrike CTO Elia Zaitsev drew that line in an interview at RSAC 2026, saying: “Observing actual kinetic actions is a structured, solvable problem,” and “Intent is not.” The implication for executives is straightforward: if you can’t attach actions to identities and enforce boundaries around agents, you cannot reliably answer the question of what went wrong. For boards and CISOs, the play is not choosing between guardrails and security controls. The play is realizing the default stack often ships filters, not identity and isolation. And when those last-mile controls are missing, the credential layer becomes the single point of failure for agent operations at enterprise scale.
That is the strategic stake. Agent adoption is moving fast, incident and near-incident rates are already high, and the biggest gap in the data is not awareness, it is containment. If you are a security director, CIO, or investor underwriting the next wave of agent tooling, VentureBeat’s findings read like a warning: shared credentials turn AI programs into shared risk, and attribution gaps are where post-incident accountability goes to die.
This story's Key Insights and Take-aways are locked.
Create a free account to unlock Executive Actions for one credit.
Register to UnlockAlways free for Executives Club members. Join the Club
More in Business
AstraZeneca $27B wipeout as Wainua late trial misses cardiovascular target
A failed late-stage heart study triggered a swift market punishment, forcing investors and boards to reset timelines and risk.

Comcast shares jump 25% as it plans to split NBCUniversal and Sky
The tax-free spin-off could reshape focus, funding, and competition across media and tech for years.

Bungie cuts most Destiny 2 staff as Sony says Marathon still matters
Herman Hulst confirms layoffs affecting most Destiny and some Marathon teams after Bungie admits Destiny fell short.

