Nobody knows how many AI agents they have. We're changing that.
David Baum 6 min read AI agent adoption is surging. According to KPMG’s Q4 AI Pulse Survey, agent deployment more than doubled in 2025, rising from 11% of organizations in Q1 to over 26% by Q4. Gartner predicts that 40% of enterprise applications will embed task-specific AI agents by the end of 2026, up from under 5% in 2025.
And governance? Barely off the starting line.
Deloitte’s State of AI in the Enterprise 2026 found that only one in five companies has a mature model for governing autonomous AI agents. A Cloud Security Alliance survey published in February reported that just 21% of organizations maintain a real-time registry of their agents. Only 28% can reliably trace an agent’s actions back to a responsible human across all environments. At RSA 2026 last week, Cisco presented survey data showing that 85% of organizations are adopting agents, but only 5% have scaled them to production. The blocker isn’t technology. It’s trust, security and governance.
This is the gap we’re setting out to measure.
Why existing research doesn’t go deep enough#
There’s no shortage of AI reports. KPMG, Deloitte, Gartner and the CSA have all published valuable data on AI adoption, security posture and agent identity. But none of them focus on the operational governance controls that enterprises are (or aren’t) putting in place for AI agents.
- KPMG’s Pulse Survey covers 130 US-based C-suite leaders at billion-dollar companies. It tracks broad AI investment trends, not agent-specific governance controls.
- Deloitte surveys 3,235 leaders across 24 countries, but governance is one section among many in a wide-ranging AI maturity report.
- The CSA/Strata study goes deep on identity and access management for agents (a critical piece) but doesn’t cover lifecycle management, policy enforcement, compliance certification or organizational governance structures.
None of them produce cross-tabulated data by agent estate size, governance maturity and region that practitioners can use to benchmark against their actual peers.
The Nordic blind spot#
Almost none of these surveys capture the Nordic and European perspective in meaningful detail.
EY’s Responsible AI Pulse Survey found that 74% of Nordic CxOs believe their AI controls are moderate to strong. But when measured against EY’s nine-principle responsible AI framework, organizations only demonstrate strong controls in three out of nine areas.
BCG’s Nordic AI report, published in March 2026, found that over half of Nordic companies operate with decentralized models that limit clear governance ownership. Only 4% report achieving strong returns on their AI investment.
Glass Lewis research shows Nordic board-level AI policy adoption is among the lowest in Europe:
- Finland: 0%
- Denmark: 9%
- Sweden: 10%
- Norway: 14%
The region that prides itself on transparency and responsible technology is flying blind on agent governance.
With the EU AI Act’s high-risk system requirements taking effect in August 2026, these gaps aren’t academic. They’re operational, financial and regulatory.
What this survey measures#
The State of AI Agent Governance 2026 is a 10-minute survey designed to produce the first practitioner-led benchmark focused entirely on how enterprises govern AI agents. Not AI broadly. Not models. Agents: the systems that reason, access tools and take autonomous action inside your infrastructure.
The survey covers six dimensions across 20 questions.
1. Agent adoption reality. How many agents are deployed? What types? What level of decision authority do they hold? And critically: how confident are you that those numbers are accurate?
2. Governance maturity. Does your organization have a formal agent-specific governance framework? Do you maintain a centralized registry? How do you classify agent risk? The survey measures adoption of 11 specific governance controls, from unique agent identity assignment through to decommissioning processes.
3. Incidents and near-misses. Has an agent accessed data it wasn’t authorized to access? Taken actions outside its intended scope? Has an orphaned agent been discovered running in production with no owner? These questions produce incident prevalence rates the industry currently lacks.
4. Regulatory readiness. Can you produce, on demand:
- A complete audit trail of an agent’s actions on a specific date?
- Evidence of compliance certification?
- A record of all human oversight interventions?
These are the questions the EU AI Act will require you to answer. We want to know how many organizations can answer them today.
5. Forward-looking intent. Are you scaling agents or pausing? Building governance before scaling, or scaling first? Planning to adopt a dedicated governance platform?
6. Organizational structure. Who owns agent governance in your organization? A dedicated team? An existing function? Nobody?
Every response is anonymized by default. You choose whether to opt in for attribution. The data feeds an aggregated, published report, not a sales pipeline.
What you get#
Participants receive:
- Early access to the published report before public release
- An invitation to a private briefing on the findings
- Benchmarks by industry, region and agent estate size so you can see how your governance posture compares to organizations that look like yours
If you’ve been in a board meeting unable to answer how many agents your organization has, or sat in a compliance review wondering whether your agent controls would survive scrutiny, your experience is exactly what this research needs.
The State of AI Agent Governance 2026 is a research initiative by Roval, the governance platform for AI agents. The survey is open to CTOs, CISOs, Heads of AI/ML, Compliance Officers and Platform Engineering leads. The published report will be freely available.
Sources#
| Source | Link |
|---|---|
| KPMG, Q4 AI Pulse Survey | kpmg.com |
| Gartner, 40% of Enterprise Apps Will Feature AI Agents by 2026 | gartner.com |
| Deloitte, State of AI in the Enterprise 2026 | deloitte.com |
| Cloud Security Alliance, The Visibility Gap in Autonomous AI Agents | cloudsecurityalliance.org |
| Cisco/USDM, Agents Without Owners: RSA 2026 | usdm.com |
| EY, How Nordic Leaders Can Drive Responsible AI | ey.com |
| BCG, Nordic AI: Value Creation or Bubble | bcg.com |
| Glass Lewis, Board AI Policies in Europe 2025 | glasslewis.com |
| Roval, The AI Agent Governance Framework (8 Pillars) | roval.ai |
| Roval, 10 Questions Every CTO Should Ask About AI Agents | roval.ai |