---
title: "10 questions every CTO should be able to answer about their AI agents"
date: 2026-03-27
updated: 2026-04-16
author: david
excerpt: "When a board member asks how many AI agents are running in your organization you should have a clear and immediate answer. Here are nine other high-stakes questions that often follow."
category: governance
tags: [governance, compliance, enterprise, ai-agents]
draft: false
tldr: "Most enterprises cannot answer basic governance questions about their AI agents: how many are running, who owns them, what data they access. These ten questions expose the gap between AI deployment speed and organizational readiness and they are exactly what boards, regulators and auditors are starting to ask."
seo:
  title: "10 questions every CTO should be able to answer about their AI agents"
  description: "From agent inventories to incident response plans: the ten governance questions every CTO will face in 2026 and what it means if you can't answer them."
faqs:
  - question: "How many AI agents should an enterprise expect to have running?"
    answer: "Most enterprises have between 30 and several hundred agents, though 82% of employees create agents faster than IT can govern them. The actual number is almost always higher than leadership thinks."
  - question: "What is an orphaned AI agent?"
    answer: "An orphaned agent is one whose original developer or owner has left the organization, leaving no one accountable for its operations, access permissions or data usage."
  - question: "Does the EU AI Act apply to AI agents?"
    answer: "Yes. The EU AI Act takes effect in August 2026 and applies to high-risk AI systems, including agents that make decisions affecting access to financial services, employment and essential services. Penalties reach EUR 35 million or 7% of global turnover."
  - question: "What is an agent registry?"
    answer: "An agent registry is a centralized system of record that tracks every AI agent's identity, owner, technical stack, [risk classification](/research/blog/ai-agent-risk-classification), compliance status and dependencies, similar to how a CMDB tracks servers."
  - question: "What should an AI agent incident response plan include?"
    answer: "A kill switch to halt agent operations immediately, severity levels, escalation paths, containment procedures, access revocation and post-incident review processes."
---

## The questions that silence the room

A board member asks: *"How many AI agents are running in our organization right now?"*

The CTO pauses. The honest answer is somewhere between 30 and 100, but nobody is entirely sure. A few teams deployed agents without telling IT. A developer who left last quarter built three that are probably still running. There's a spreadsheet somewhere, but it hasn't been updated in months.

This moment is happening in boardrooms across every industry. AI agents are no longer experimental. [87% of CIOs say AI agents are already embedded in critical operations](https://www.businesswire.com/news/home/20260212994335/en/71-of-CIOs-Say-They-Have-Until-Mid-2026-to-Prove-AI-Value-or-Risk-Budgets-and-Job-Fallout), according to a 2026 Dataiku/Harris Poll survey of 600 CIOs. But only 25% report having full real-time visibility into all agents running in production. The gap between deployment and governance is widening at exactly the moment when boards, regulators and auditors are beginning to close it.

<figure>
<a href="https://www.businesswire.com/news/home/20260212994335/en/71-of-CIOs-Say-They-Have-Until-Mid-2026-to-Prove-AI-Value-or-Risk-Budgets-and-Job-Fallout" target="_blank" rel="noopener"><img src="/images/blog/dataiku-cio-study-2026.png" alt="71% of CIOs say AI budgets will be cut if targets aren't met by mid-2026, Dataiku/Harris Poll survey of 600 CIOs" loading="lazy" decoding="async" /></a>
<figcaption>71% of CIOs say AI budgets will be cut if targets aren't met by mid-2026 (Dataiku/Harris Poll survey of 600 CIOs) | <a href="https://www.businesswire.com/news/home/20260212994335/en/71-of-CIOs-Say-They-Have-Until-Mid-2026-to-Prove-AI-Value-or-Risk-Budgets-and-Job-Fallout" target="_blank" rel="noopener">BusinessWire</a></figcaption>
</figure>

Here are the ten questions every CTO should be able to answer, and what it means for your organization if you can't.

### 1. How many AI agents are running in your organization right now?

This is the foundation. Without a clear answer here, none of the other nine questions can be addressed.

The number is almost certainly higher than you think. [82% of employees are creating AI agents and applications faster than IT can govern them](https://www.businesswire.com/news/home/20260212994335/en/71-of-CIOs-Say-They-Have-Until-Mid-2026-to-Prove-AI-Value-or-Risk-Budgets-and-Job-Fallout), according to the same Dataiku study. More than half of CIOs surveyed have already discovered unsanctioned shadow AI in their organizations. And [SailPoint's 2025 research](https://www.sailpoint.com/press-releases/sailpoint-ai-agent-adoption-report) found that while 82% of organizations already use AI agents, only 44% have policies in place to secure them.

:::fact
If you have a [centralized agent registry](/platform/agent-registry) (a system that tracks every agent's identity, owner, status and technical stack) you can answer this question in seconds. If you don't, start here. Everything else builds on this. The [hidden cost of agent sprawl](/research/blog/hidden-cost-ai-agent-sprawl) runs $500K-$5M annually for enterprises with 50-500 agents.
:::

### 2. Which agents have access to customer data?

Not all agents carry the same risk. The knowledge-base Q&A bot that searches public documentation is a different animal from the agent processing customer PII, financial records or protected health information.

[SailPoint found that 53% of AI agents access sensitive information daily](https://www.sailpoint.com/press-releases/sailpoint-ai-agent-adoption-report), yet 80% of companies report their agents have already taken unintended actions:

- Accessing unauthorized systems (39%)
- Sharing sensitive data (33%)
- Downloading content they shouldn't have (32%)

You need a [risk classification](/solutions/risk-classification) that tags every agent by data sensitivity: public, internal, confidential or restricted. If an agent touches customer data, it should carry a higher risk tier and a more frequent certification cadence.

<figure>
<a href="https://beam.ai/agentic-insights/ai-agent-sprawl-new-shadow-it" target="_blank" rel="noopener"><img src="/images/blog/beam-ai-agent-sprawl.png" alt="AI agent sprawl is the new shadow IT: most enterprises can't answer how many agents are running" loading="lazy" decoding="async" /></a>
<figcaption>AI agent sprawl is the new shadow IT: most enterprises can't answer how many agents are running | <a href="https://beam.ai/agentic-insights/ai-agent-sprawl-new-shadow-it" target="_blank" rel="noopener">Beam.ai</a></figcaption>
</figure>

### 3. Which agents can execute actions autonomously?

There's a fundamental difference between an agent that recommends and an agent that acts.

A recommendation agent generates a draft email for a human to review. An execution agent sends the email, books the meeting, updates the CRM record or processes the transaction before a human knows it happened.

The [OWASP Top 10 for Agentic Applications (2026)](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/) identifies tool misuse and excessive agency as top-tier risks. Every agent in your estate needs a decision-authority classification:

- Read-only
- Recommend-only
- Act-with-approval
- Fully autonomous

The higher the autonomy, the more rigorous the oversight should be.

### 4. What's your process for retiring an agent?

Agents are born, but they're rarely retired.

A developer builds a proof of concept. It works. It stays running. The developer moves to another team or leaves the company entirely. The agent keeps calling APIs, consuming tokens and accessing data with nobody responsible for it.

[An AI agent's ownership typically changes hands four times during its first year](https://thehackernews.com/expert-insights/2025/11/governing-ai-agents-from-enterprise.html): from executive sponsor to AI team to cloud operations to security. At each handoff, the risk of an agent becoming orphaned grows.

Your organization needs a defined decommissioning process:

- Access revocation
- Data cleanup
- Dependency notification
- Archival

Without it, your agent estate only grows. Ungoverned agents accumulate like technical debt that accrues security risk.

### 5. Can you produce an audit trail for any agent's decisions?

When a regulator, auditor or customer asks "why did this agent make this decision on this date?", can you answer?

The [EU AI Act Article 12](https://artificialintelligenceact.eu/article/12/) requires automatic recording of events for high-risk AI systems, including inputs, outputs and decision logic, with sufficient detail to enable post-hoc assessment. [85% of CIOs report that traceability or explainability gaps have already delayed or stopped AI projects from reaching production](https://www.businesswire.com/news/home/20260212994335/en/71-of-CIOs-Say-They-Have-Until-Mid-2026-to-Prove-AI-Value-or-Risk-Budgets-and-Job-Fallout).

The audit trail is not a nice-to-have. It's a production prerequisite. Every agent action, tool invocation, data access and decision point must be logged in an immutable, queryable record.
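One way to make such a record tamper-evident is a hash chain, where each entry commits to the one before it. This is an added example, not code from any product or source named in this article; the agent names, tools and events are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor value for the first record


def _digest(prev_hash: str, body: dict) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log; each record commits to the one before it."""

    def __init__(self):
        self.records = []

    def append(self, ts: str, agent_id: str, event: str, detail: dict) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {"ts": ts, "agent_id": agent_id, "event": event, "detail": detail}
        record = dict(body, prev=prev, hash=_digest(prev, body))
        self.records.append(record)
        return record

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first bad record."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: rec[k] for k in ("ts", "agent_id", "event", "detail")}
            if rec["prev"] != prev or rec["hash"] != _digest(prev, body):
                return i
            prev = rec["hash"]
        return -1

    def query(self, agent_id: str, day: str) -> list:
        """Answer 'what did this agent do on this date?' (day = 'YYYY-MM-DD')."""
        return [r for r in self.records
                if r["agent_id"] == agent_id and r["ts"].startswith(day)]


def build_sample_log() -> AuditLog:
    # Constructed sample events; agent names and tools are hypothetical.
    log = AuditLog()
    log.append("2026-03-02T09:14:07Z", "refund-agent", "tool_invocation",
               {"tool": "crm.lookup", "input": "order 1042"})
    log.append("2026-03-02T09:14:09Z", "refund-agent", "decision",
               {"action": "approve_refund", "reason": "within 30-day window"})
    log.append("2026-03-03T11:02:41Z", "kb-bot", "data_access",
               {"source": "public-docs"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify() == -1)
    log.records[1]["detail"]["action"] = "deny_refund"  # simulate a later edit
    print("first bad record:", log.verify())
```

The chain only detects edits if the latest hash is also stored somewhere the log writer cannot modify; otherwise the whole chain can be recomputed after a change.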

### 6. Which of your agents qualify as high-risk under EU AI rules?

The EU AI Act takes effect in August 2026. [Article 99](https://artificialintelligenceact.eu/article/99/) establishes penalties of up to EUR 35 million or 7% of global annual turnover for the most severe violations. High-risk AI systems (which include agents making decisions that affect individuals' access to financial services, employment and essential services) must meet requirements for risk management, technical documentation, human oversight, accuracy and robustness.

Can you identify, today, which of your agents fall under high-risk classification? If not, your compliance team is operating blind. Risk classification should happen at registration, not when the regulator sends a letter.

### 7. Who owns each agent when the developer leaves?

This is the orphaned-agent problem and it's more common than most CTOs admit. It's also one of the core reasons [MLOps doesn't work for agents](/research/blog/ai-agent-lifecycle-management-vs-mlops/). Models don't accumulate autonomously, but agents do. An engineer builds an agent, deploys it to production and moves on. Six months later, nobody knows what it does, what data it accesses or what model it runs on. The documentation is a README with four bullet points.

Microsoft's [Entra Agent ID](https://learn.microsoft.com/en-us/entra/id-governance/agent-id-governance-overview) framework introduces the concept of "sponsors": human users accountable for decisions about an agent's lifecycle and access. Every agent needs a designated owner, and your governance system needs to detect when that owner departs and escalate immediately. Orphaned agents with stale permissions are one of the most common vectors for security incidents. [23% of organizations report their AI agents have been tricked into revealing access credentials](https://www.sailpoint.com/press-releases/sailpoint-ai-agent-adoption-report).

<figure>
<a href="https://www.microsoft.com/en-us/security/blog/2026/02/10/80-of-fortune-500-use-active-ai-agents-observability-governance-and-security-shape-the-new-frontier/" target="_blank" rel="noopener"><img src="/images/blog/microsoft-security-ai-agents.png" alt="80% of Fortune 500 use active AI agents, but only 6% have advanced AI security strategies, per Microsoft Cyber Pulse" loading="lazy" decoding="async" /></a>
<figcaption>80% of Fortune 500 use active AI agents, but only 6% have advanced AI security strategies (Microsoft Cyber Pulse) | <a href="https://www.microsoft.com/en-us/security/blog/2026/02/10/80-of-fortune-500-use-active-ai-agents-observability-governance-and-security-shape-the-new-frontier/" target="_blank" rel="noopener">Microsoft Security Blog</a></figcaption>
</figure>

### 8. What's your incident response plan for a rogue agent?

In March 2026, [Amazon held a mandatory internal meeting after AI-assisted code changes caused production incidents](https://www.youtube.com/watch?v=vOpA5mZacJk) with what the company described as "a high blast radius." An internal AI tool called Kiro made infrastructure changes that resulted in a 13-hour disruption to an AWS service after the system chose to delete and recreate an environment. Amazon responded by requiring junior and mid-level engineers to obtain senior approval before deploying AI-assisted changes.

When one of your agents goes rogue (sends incorrect data to a customer, triggers a cascading failure or accesses a system it shouldn't), what happens?

Who gets alerted? Who has the authority to stop it? How quickly?

If the answer is "we'd figure it out," you don't have an incident response plan. You have a hope.

:::fact{title="Fact: AI agent kill switch"}
Every agent estate needs a kill switch: the ability to immediately halt an agent's operations, revoke its access and preserve its state for investigation. The plan should define severity levels, escalation paths, containment procedures and post-incident review processes, just as you would for any production system.
:::

### 9. How do you prevent agent-to-agent cascading failures?

[Multi-agent systems](/research/blog/multi-agent-governance) (where agents collaborate, hand off tasks and consume each other's outputs) introduce failure modes that single-agent systems don't have. [Research documents failure rates of 41% to 86.7% in production multi-agent systems without proper orchestration](https://galileo.ai/blog/multi-agent-ai-failures-prevention). Specification failures account for roughly 42% of those cases: one agent misinterprets a task and downstream agents propagate the error through the chain.

Three questions reveal whether you're ready:

- Can you map which agents depend on which other agents?
- Do you know the blast radius if a specific agent fails?
- Do you have circuit breakers that isolate a failing agent before it takes down the workflow?

Dependency mapping and inter-agent [monitoring](/platform/observer) aren't optional in a multi-agent environment. They're the minimum requirement for production reliability.
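The three readiness questions above can be answered from a dependency map. The following is an added example, not code from any source cited here; the agent names, the map and the failure threshold are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed dependency map: agent -> agents whose output it consumes.
DEPENDS_ON = {
    "intake-agent": [],
    "classifier-agent": ["intake-agent"],
    "pricing-agent": ["classifier-agent"],
    "email-agent": ["pricing-agent", "classifier-agent"],
    "reconcile-agent": ["pricing-agent", "email-agent"],
    "email-agent-retry": ["email-agent"],
    "kb-bot": [],
}


def blast_radius(depends_on: dict, failed: str) -> set:
    """Every agent that directly or transitively consumes `failed`'s output."""
    consumers = defaultdict(set)
    for agent, upstreams in depends_on.items():
        for up in upstreams:
            consumers[up].add(agent)
    seen, queue = set(), deque([failed])
    while queue:
        for nxt in consumers[queue.popleft()]:
            if nxt not in seen and nxt != failed:  # tolerate dependency cycles
                seen.add(nxt)
                queue.append(nxt)
    return seen


class CircuitBreaker:
    """Opens after `threshold` consecutive failures; callers then skip the agent."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self.failures = 0
        self.open = False

    def record(self, ok: bool) -> None:
        self.failures = 0 if ok else self.failures + 1
        if self.failures >= self.threshold:
            self.open = True

    def allow(self) -> bool:
        return not self.open


def agents_to_pause(depends_on: dict, agent: str, outcomes: list,
                    threshold: int = 3) -> set:
    """Feed call outcomes to a breaker; once it opens, return the agent
    plus everything downstream of it. Empty set if the breaker stays closed."""
    breaker = CircuitBreaker(threshold)
    for ok in outcomes:
        breaker.record(ok)
        if not breaker.allow():
            return {agent} | blast_radius(depends_on, agent)
    return set()


if __name__ == "__main__":
    print(sorted(blast_radius(DEPENDS_ON, "pricing-agent")))
    print(sorted(agents_to_pause(DEPENDS_ON, "pricing-agent",
                                 [True, False, False, False])))
```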

<figure>
<div style="position:relative;padding-bottom:56.25%;height:0;overflow:hidden;border-radius:8px;border:1px solid var(--border)"><iframe src="https://www.youtube.com/embed/vOpA5mZacJk" title="Amazon AI coding incidents, March 2026" style="position:absolute;top:0;left:0;width:100%;height:100%;border:0" allow="accelerometer;autoplay;clipboard-write;encrypted-media;gyroscope;picture-in-picture" allowfullscreen loading="lazy"></iframe></div>
<figcaption>Amazon AI coding incidents, March 2026 | <a href="https://www.youtube.com/watch?v=vOpA5mZacJk" target="_blank" rel="noopener">YouTube</a></figcaption>
</figure>

### 10. What is your agent estate's total cost of ownership, and is it justified?

[71% of CIOs say their AI budget will be cut or frozen if targets aren't met by mid-2026](https://www.businesswire.com/news/home/20260212994335/en/71-of-CIOs-Say-They-Have-Until-Mid-2026-to-Prove-AI-Value-or-Risk-Budgets-and-Job-Fallout). The tolerance for AI spending without measurable returns is collapsing. Yet most enterprises cannot attribute AI costs to specific agents, teams or business outcomes.

Total cost of ownership for agents includes:

- API and token spend
- Compute and infrastructure
- Human supervision and escalation overhead
- Error remediation
- Compliance costs

Without agent-level cost attribution, finance teams can't distinguish the agent generating $2 million in annual value from the test agent burning $40,000/month that nobody remembers deploying. The real question is not "how much are we spending on AI?" but "how much is each agent returning relative to its cost?"

## Why these questions are trivial for servers and impossible for agents

Every one of these questions has a direct analog in traditional IT infrastructure.

How many servers do you have? Your CMDB answers instantly. Which servers access customer data? Network segmentation and data classification tell you.

What's your incident response plan? It's a documented runbook tested quarterly. Who owns each server? Every CI in the CMDB has an assigned owner.

The reason enterprises can't answer these questions for agents is not complexity. It's the absence of a system of record.

Your CMDB gives you these answers for servers because you invested in building and maintaining it. Your AI agent estate deserves the same investment.

## What mature agent governance looks like

Organizations that can answer all ten questions share three characteristics.

**They have a centralized agent registry.** Every agent is registered with its identity, owner, technical stack, risk classification, compliance status and dependencies. New agents are discovered automatically. Orphaned agents are flagged immediately. The registry is the single source of truth. We've written in depth about [why AI agents need a CMDB](/research/blog/why-ai-agents-need-a-cmdb) and what that system of record must track.

**They enforce [policy as code](/research/blog/policy-as-code-ai-agents).** Governance is not a document. It's a technical enforcement layer. High-risk agents can't reach production without active certification. Agents that exceed violation thresholds are automatically halted. Certification expiry triggers re-review. The system doesn't trust humans to remember; it enforces the rules.

**They monitor continuously.** Agent behavior is observed in real-time: every tool invocation, every LLM request, every data access. Drift detection runs on a cadence measured in minutes, not months. Anomalies surface as alerts, not as surprises in the quarterly review.
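The policy-as-code rules described above (certification gate, violation threshold, expiry re-review, orphan detection) can be expressed as a small evaluation function over registry records. This is an added example, not Roval's or any vendor's code; the record fields, the high-risk mapping, the threshold and the sample agents are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

VIOLATION_LIMIT = 5  # assumed threshold; set per organization


@dataclass
class AgentRecord:
    agent_id: str
    owner: str
    data_sensitivity: str   # public | internal | confidential | restricted
    authority: str          # read-only | recommend-only | act-with-approval | fully-autonomous
    cert_expires: Optional[date]
    violations_30d: int


def is_high_risk(a: AgentRecord) -> bool:
    # Assumed mapping from the data and autonomy tiers to "high-risk".
    return (a.data_sensitivity in ("confidential", "restricted")
            or a.authority == "fully-autonomous")


def evaluate(a: AgentRecord, active_staff: set, today: date):
    """Return (decision, reasons). Checks run in rising severity, so the
    last rule that fires sets the decision: escalate < re-review < block < halt."""
    decision, reasons = "allow", []
    cert_active = a.cert_expires is not None and a.cert_expires >= today
    if a.owner not in active_staff:
        decision = "escalate"
        reasons.append("orphaned: owner is no longer active")
    if a.cert_expires is not None and not cert_active:
        decision = "re-review"
        reasons.append("certification expired")
    if is_high_risk(a) and not cert_active:
        decision = "block"
        reasons.append("high-risk agent without active certification")
    if a.violations_30d > VIOLATION_LIMIT:
        decision = "halt"
        reasons.append("violation threshold exceeded")
    return decision, reasons


# Constructed registry snapshot and staff list.
TODAY = date(2026, 4, 16)
ACTIVE_STAFF = {"maria", "chen"}
REGISTRY = [
    AgentRecord("kb-bot", "maria", "public", "read-only", None, 0),
    AgentRecord("refund-agent", "tom", "confidential", "act-with-approval",
                date(2026, 1, 31), 1),
    AgentRecord("pricing-agent", "chen", "internal", "fully-autonomous",
                date(2026, 12, 31), 9),
    AgentRecord("notes-agent", "maria", "internal", "recommend-only",
                date(2026, 3, 1), 0),
]


def run_gate() -> dict:
    return {a.agent_id: evaluate(a, ACTIVE_STAFF, TODAY) for a in REGISTRY}


if __name__ == "__main__":
    for agent_id, (decision, reasons) in run_gate().items():
        print(agent_id, decision, reasons)
```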


## Sources and further reading

| Source | Date | URL |
|---|---|---|
| Dataiku/Harris Poll, CIO AI Accountability Study 2026 | Feb 2026 | [businesswire.com](https://www.businesswire.com/news/home/20260212994335/en/71-of-CIOs-Say-They-Have-Until-Mid-2026-to-Prove-AI-Value-or-Risk-Budgets-and-Job-Fallout) |
| SailPoint, AI Agent Adoption and Security Report | Jan 2025 | [sailpoint.com](https://www.sailpoint.com/press-releases/sailpoint-ai-agent-adoption-report) |
| OWASP Top 10 for Agentic Applications (2026) | Jan 2026 | [owasp.org](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/) |
| Microsoft Entra Agent ID Governance | Mar 2026 | [microsoft.com](https://learn.microsoft.com/en-us/entra/id-governance/agent-id-governance-overview) |
| EU AI Act, Article 12 (Record-keeping) | Jun 2024 | [artificialintelligenceact.eu](https://artificialintelligenceact.eu/article/12/) |
| EU AI Act, Article 99 (Penalties) | Jun 2024 | [artificialintelligenceact.eu](https://artificialintelligenceact.eu/article/99/) |
| The Hacker News, Governing AI Agents | Nov 2025 | [thehackernews.com](https://thehackernews.com/expert-insights/2025/11/governing-ai-agents-from-enterprise.html) |
| Amazon AI Coding Incidents (March 2026) | Mar 2026 | [youtube.com](https://www.youtube.com/watch?v=vOpA5mZacJk) |
| Galileo, Why Multi-Agent AI Systems Fail | Dec 2025 | [galileo.ai](https://galileo.ai/blog/multi-agent-ai-failures-prevention) |
