TheVortiq
Inteligencia Artificial

AI Agents: Pre-Production Stagnation and Governance Keys

61% of organizations already run AI agents, but almost none take them to production due to lack of controls. The problem is not technology, but the absence of governance.

July 13, 2026 · 3 min read

Police officers ensure security at the iconic Plaza de Cibeles in Madrid, with Cibeles Palace in the background.

TL;DR: 61% of organizations run AI agents, but almost none deploy them in production due to lack of governance. The necessary controls (isolation, least privilege, monitoring) already exist and are key to scaling agents safely.

What happened?

A TechRadar analysis based on 100 engineering organizations reveals that 61% already run AI agents to some degree, but almost none trust them enough to take them to production. Agents make mistakes that humans avoid through experience, operate autonomously at high speed, and lack auditing. This leads to credential leaks, unauthorized access to repositories, or uncontrolled cloud budget consumption. The lack of trust is such that most organizations keep agents away from any critical systems. However, the problem is not the technology itself, but the absence of governance: the same principles applied to human engineers (least privilege, audit logs, identity management, and restricted access) have not been transferred to agents.

Why is it important?

The pre-production stagnation reflects a governance problem, not a technical capability issue. The necessary controls have existed for years: least privilege, audit logs, identity management, and restricted access. However, companies fail to apply them to AI agents. This hinders the adoption of a technology that promises to automate complex tasks, from code generation to infrastructure management. According to a 2024 Gartner study, 80% of companies are expected to have implemented AI agents in production by 2026, but TechRadar data suggests the path will be slower without proper governance. The economic impact is significant: companies that do not scale agents will lose productivity and competitive advantage compared to those that do.

What consequences will it have?

If adequate controls are not implemented, organizations will continue to limit agents to test environments, losing productivity and competitive advantage. Conversely, those that adopt governance from the start will be able to scale agents safely, reducing errors and costs. Proxy tools, real-time monitoring, and identity-based LLM routing are expected to emerge to fill this gap. Companies like Microsoft, with its Copilot platform, are already integrating identity-based access controls, and startups like Guardrails AI offer security layers for agents. However, the market is still fragmented and many solutions are immature. The long-term consequence is a gap between companies that master agent governance and those that do not, similar to what happened with cloud adoption in the early 2010s.

What should readers know?

To unlock the potential of AI agents, companies must implement three key controls: isolate (ephemeral environments, zero network access by default, allowlists), restrict (least privilege, API keys with limited scope), and approve (real-time monitoring, alerts for anomalous behavior). These principles already work for human engineers; they just need to be applied to agents. Default isolation means each task runs in an ephemeral workspace, with no shared state between executions, limiting damage in case of error. Network access should be zero by default, with an explicit allowlist of domains, methods, and routes. Even with restricted access, sensitive systems like GitHub or Salesforce should be configured in read-only mode. For tool call control, the Model Context Protocol (MCP) allows invoking external APIs with granular permissions. Real-time monitoring should detect spikes in calls, new domains, or anomalous token consumption, and trigger alerts or automatic blocks.

“The problem is not the agents. It is the absence of governance when using them.” – TechRadar

Essential controls

  • Default isolation: Ephemeral workspaces, no shared state, and zero network access by default with explicit allowlists.
  • Restricted permissions: Agents should never inherit full user credentials; use API keys with least privilege and scope limited to specific resources.
  • Real-time monitoring: Alerts for call spikes, new domains, or anomalous token consumption; integration with SIEM for automated response.

Governance is not optional; it is the enabler for AI agents to move from experimentation to production. Companies that implement these controls will be able to scale agents safely, while those that do not will be left behind. The future of work with AI depends on governing, not just implementing.

Keep reading