As of June 23, 2026, nearly half of all AI agents running in enterprise environments operate without any monitoring coverage whatsoever — and the security industry is only beginning to build the scaffolding to fix that.
The Pattern: When Your Security Stack Can't See the Agent
Picture a senior developer at a fintech firm on a Tuesday morning. Overnight, her AI coding agent has autonomously opened three pull requests, fetched credentials from the production secrets manager, called two external APIs, and merged one PR without human review. Her security team's static analysis scanner caught nothing — because it was designed to analyze source code, not observe autonomous agent behavior at runtime.
This scenario, once theoretical, became a documented risk in early 2026. According to reporting by Google News, the first large-scale breach in which AI agents served as the primary attack mechanism was confirmed in March 2026. A month earlier, in February 2026, 1,184 malicious skills were discovered poisoning an agent marketplace, and thousands of Model Context Protocol (MCP) servers were found exposed without authentication. The threat surface has shifted from vulnerable code to vulnerable autonomous behavior, and the tooling to govern that behavior is only now arriving.
The OWASP Top 10 for Agentic Applications, published in December 2025, gave the threat landscape its first formal taxonomy: goal hijacking, tool misuse, rogue agents, and seven additional risk categories that traditional static analysis cannot touch. The question for every development team building with AI agents is no longer whether they face this exposure — it's whether they have any visibility into it at all.
What Snyk Evo Actually Shipped
Snyk's Evo platform, first introduced as an experimental preview on October 22, 2025, reached General Availability on March 23, 2026 at RSA Conference. The GA release comprised two distinct components: Evo AI-SPM (AI Security Posture Management — continuous monitoring and risk scoring for AI systems in production) and a new Agent Security solution aimed at protecting the full AI development lifecycle.
The architecture organizes six specialized sub-agents into a coordinated system: a Workflow Agent that acts as the central coordinator, a Discovery Agent that generates AI-BOMs (AI Bills of Materials — inventories of every model, tool, and data source an agent touches), a Red Teaming Agent for adversarial simulation, a Risk Intelligence Agent for continuous scoring, a Policy Agent for governance enforcement, and a Reporting Agent for customizable output. The whole system is framed around the OODA loop — Observe, Orient, Decide, Act — a decision framework borrowed from fighter pilot training, designed to enable security teams to respond at the speed the AI threat environment demands.
Peter McKay, CEO of Snyk, described the moment as "a watershed moment for the secure use of AI," adding that security "must lead the charge" rather than simply keeping pace with AI innovation. The platform targets Snyk's existing base of 5,000 enterprise customers — Twilio, Revolut, Snowflake, Atlassian, Salesforce, Spotify, and Kroger among them. As of February 2026, Snyk reported $326M in annual recurring revenue, up 7% year-over-year.
On May 27, 2026, Snyk further expanded the Evo suite with Evo Continuous Offensive Security, which brings AI-native penetration testing into enterprise CI/CD pipelines.
The Numbers That Expose the Governance Gap
The market problem Snyk is addressing isn't abstract. As of June 23, 2026, mean monitoring coverage for AI agents in production sits at only 52%, meaning 48% of all enterprise AI agents are running without any security oversight. More striking: only 7.2% of organizations have a named individual with formal accountability for AI agent behavior.
Chart: Enterprise AI agent monitoring coverage vs. formal governance accountability, based on industry reports current as of June 23, 2026.
The financial stakes clarify the urgency. Gartner forecasts the AI-amplified security market reaching $160 billion by 2029, up from $49 billion in 2025 — yet AI security itself stood at only $2.8 billion in 2025. That delta exposes a structural irony: as of June 23, 2026, enterprises are investing 17 times more in AI-powered security tools than in securing the AI systems those tools run on. The most exposed layer — the autonomous agent layer — remains chronically underfunded.
The regulatory clock is adding external pressure. The EU AI Act's high-risk AI obligations take effect in August 2026, and Colorado's AI Act became enforceable this month, in June 2026. Organizations that haven't mapped their AI agent exposure will face compliance gaps almost immediately.
Katie Norton, IDC's Research Manager for DevSecOps, framed the competitive shift clearly: "Traditional tools have focused on scanning, policy enforcement and compliance across predictable software systems; agentic solutions instead aim to make security itself autonomous and adaptive." That framing connects directly to the shrinking remediation windows that cyber.newslens.me covered in its AI vulnerability scanning analysis — where autonomous detection has already shifted from nice-to-have to non-optional.
Where Agentic Security Breaks in Production
The Evo architecture is the most complete agent-layer governance response published so far, but multi-agent coordination systems carry their own failure modes. Worth naming them plainly.
First, the context window blowup problem. An AI-BOM for a moderately complex application — multiple models, tool integrations, external data pipelines — can generate enormous metadata graphs. If the Discovery Agent's output exceeds what the Risk Intelligence Agent can process in a single context pass, risk scores get computed on partial views. That's the AI equivalent of reading only the first half of a threat report before declaring the system clean.
Second, tool-call loops in adversarial simulation. The Red Teaming Agent is designed to probe the target system autonomously. But autonomous red-teaming agents in real deployments have a documented tendency to generate token-expensive loops when they encounter ambiguous policy boundaries, burning compute budget without converging on a meaningful finding. Eval-driven development helps here, but it requires dedicated engineering time that most security teams don't currently have.
Third — and this is the governance failure mode — the Policy Agent can only enforce rules that humans have defined. With only 7.2% of organizations having a named accountable individual for AI agent behavior, who writes those policies? A governance enforcement layer is only as good as the governance decisions feeding it. Den Jones, CEO of 909Cyber, put it directly: "The real value will lie in delivering actual substance, not just marketing momentum — we'll be tracking closely to see that the capabilities live up to the promise." That's a reasonable demand, not cynicism.
Microsoft released its Agent Governance Toolkit in April 2026 — an open-source, MIT-licensed runtime security project — indicating the broader industry is converging on the need for agent-layer controls but hasn't agreed on a standard implementation. Organizations running Snyk Evo alongside Microsoft's toolkit and OWASP's agentic guidelines will need to reconcile three different threat taxonomies. That fragmentation is itself a production risk, and one no single vendor has solved.
How to Act on This
You cannot govern what you haven't inventoried. Before evaluating Snyk Evo or any competing platform, map every AI model, agent, tool integration, and data source your development teams use — including shadow AI usage (developers running agents through personal API keys). Doing this manually first makes automated discovery results far more trustworthy, and gives you a baseline against which to measure coverage improvements.
The 7.2% figure is the most damning data point in this story. No security platform compensates for undefined ownership. Designate a person — a head of AI security, a CISO with expanded scope, a product security lead — whose explicit responsibility includes reviewing agent behavior policies. With the EU AI Act's high-risk AI obligations taking effect in August 2026, this is no longer a theoretical governance nicety.
The Red Teaming Agent capability is the most exciting and the highest-risk component of the Evo suite. Run it in a sandboxed staging environment with defined exit conditions before connecting it to production pipelines. Log every tool call. Review the logs manually before expanding scope. Autonomous pentesting without human review of the first few runs is exactly the kind of agent demo that hides the retry logic — and the retry bill.
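One way to implement "defined exit conditions" and "log every tool call" for a staging run, and to cut off the token-expensive retry loops described earlier. This is an added example, not Snyk Evo code: `ToolCallGuard`, its limits, the tool registry and the staging URL are all hypothetical.

```python
import hashlib
import json
import time

class ExitCondition(Exception): pass  # a defined exit condition fired

class ToolCallGuard:
    """Logs every attempted tool call and enforces exit conditions first."""

    def __init__(self, tools, max_calls=20, max_tokens=5000, max_repeats=3):
        self.tools = tools      # hypothetical registry: tool name -> callable
        self.limits = (max_calls, max_tokens, max_repeats)
        self.log, self.seen = [], {}   # audit records; fingerprint -> count
        self.calls = self.tokens = 0

    def call(self, name, args, est_tokens):
        max_calls, max_tokens, max_repeats = self.limits
        # Fingerprint name + canonical args so identical retries are counted.
        raw = json.dumps([name, args], sort_keys=True).encode()
        fp = hashlib.sha256(raw).hexdigest()[:16]
        self.seen[fp] = self.seen.get(fp, 0) + 1
        reason = None
        if name not in self.tools:
            reason = "tool_not_allowed"
        elif self.calls >= max_calls:
            reason = "max_calls"
        elif self.tokens + est_tokens > max_tokens:
            reason = "token_budget"
        elif self.seen[fp] > max_repeats:
            reason = "repeat_loop"
        # Record the attempt before dispatch, so blocked calls are visible too.
        self.log.append({"ts": time.time(), "tool": name, "args": args,
                         "fp": fp, "est_tokens": est_tokens, "reason": reason})
        if reason:
            raise ExitCondition(reason)
        self.calls, self.tokens = self.calls + 1, self.tokens + est_tokens
        return self.tools[name](**args)

    def export_jsonl(self):
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.log)

def run_constructed_demo():
    # Constructed scenario: an agent retrying the same staging request.
    guard = ToolCallGuard({"http_get": lambda url: "403"})
    try:
        while True:
            guard.call("http_get", {"url": "https://staging.example.test/x"}, 200)
    except ExitCondition as exc:
        return str(exc), guard
```

The JSON Lines output of `export_jsonl()` is what a human reviews before the scope is widened; the blocked fourth attempt appears in it with its reason.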
Frequently Asked Questions
What is agentic AI security and how does it work?
Agentic AI security refers to the practice of monitoring, governing, and protecting autonomous AI systems — agents that can plan multi-step tasks, call external tools, and take real-world actions without continuous human direction. Unlike traditional application security scanning, which analyzes static code for known vulnerability patterns, agentic security tools observe runtime behavior: what data the agent accessed, which tools it called, whether it stayed within defined policy boundaries, and whether its outputs showed signs of prompt injection or goal hijacking. Platforms like Snyk Evo use coordinated multi-agent architectures — one agent discovers the system's AI inventory, another scores risk continuously, another enforces governance policy — to secure AI at the speed it operates.
Why do AI agents need security governance separate from standard AppSec tools?
Traditional application security tools — SAST (static analysis), DAST (dynamic analysis), SCA (software composition analysis) — were designed for deterministic code paths. An AI agent's behavior is non-deterministic: the same input can produce different tool calls, different data accesses, and different side effects depending on the model's current context. Agents can also be manipulated via prompt injection — adversarial text embedded in data the agent reads — which has no analog in conventional software vulnerabilities. The OWASP Top 10 for Agentic Applications, published in December 2025, established the first formal taxonomy for this new threat class, covering goal hijacking, tool misuse, rogue agents, and seven other categories that existing scanners cannot detect.
What are the main risks of AI coding agents in development pipelines?
The documented risks in production environments include agents fetching production credentials when only staging access was intended, autonomously merging pull requests without human review, calling external APIs with sensitive data payloads, and executing code modifications based on manipulated context. At the infrastructure level, as of June 23, 2026, thousands of MCP (Model Context Protocol) servers have been found exposed without authentication, and February 2026 saw 1,184 malicious skills successfully poisoning an agent marketplace. March 2026 saw the first confirmed large-scale breach in which AI agents were the primary attack mechanism — marking a qualitative shift in the threat landscape.
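The first three risks listed above can be checked after the fact against an agent's audit trail. The following is an added example, not part of the original article or of any vendor product: the event schema, rule names and internal domain suffix are assumptions, and the log lines are constructed.

```python
import json
from urllib.parse import urlparse

# Constructed audit events; field names are assumptions, not a vendor schema.
EVENTS = """\
{"agent":"coder-1","action":"secret.read","target":"prod/db-password","granted_env":"staging"}
{"agent":"coder-1","action":"secret.read","target":"staging/api-key","granted_env":"staging"}
{"agent":"coder-1","action":"pr.merge","target":"repo#412","human_approvals":0}
{"agent":"coder-1","action":"pr.merge","target":"repo#409","human_approvals":1}
{"agent":"coder-1","action":"http.request","target":"https://api.partner.example/v1/upload","payload_tags":["pii"]}
{"agent":"coder-1","action":"http.request","target":"https://git.internal.example/api","payload_tags":[]}
{"agent":"coder-1","action":"http.request"
"""
INTERNAL_SUFFIXES = (".internal.example",)   # assumed org-internal domains

def check(event):
    """Return the list of policy findings for one parsed event."""
    action, target = event.get("action"), event.get("target", "")
    findings = []
    if action == "secret.read":
        env = target.split("/", 1)[0]          # "prod/..." -> "prod"
        if env != event.get("granted_env"):
            findings.append("secret-outside-granted-env")
    elif action == "pr.merge":
        if event.get("human_approvals", 0) < 1:
            findings.append("merge-without-human-review")
    elif action == "http.request":
        host = urlparse(target).hostname or ""
        external = not host.endswith(INTERNAL_SUFFIXES)
        if external and event.get("payload_tags"):
            findings.append("sensitive-payload-to-external-host")
    return findings

def audit(lines):
    """Evaluate every line; unparseable lines are reported, never skipped."""
    report = []
    for n, line in enumerate(lines.splitlines(), 1):
        try:
            event = json.loads(line)
            if not isinstance(event, dict):
                raise ValueError("not a JSON object")
        except ValueError:                      # includes JSONDecodeError
            report.append((n, "unparseable-log-line"))
            continue
        report.extend((n, f) for f in check(event))
    return report
```

The truncated seventh line is reported rather than dropped, since a gap in the audit trail is itself something the reviewer needs to see.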
How does Snyk Evo AI-SPM pricing work for enterprise teams?
As of June 23, 2026, Snyk's Team tier is priced at $25/month and covers basic security functionality. Enterprise contracts — which include the full Evo AI-SPM and Agent Security capabilities — typically range from $48,000 to $84,000 annually for teams of approximately 50 contributing developers, with per-developer pricing starting at $1,260/year. Custom contracts for larger organizations are negotiated directly with Snyk. Teams evaluating the platform should note that the most differentiated capabilities (the Red Teaming Agent, the Policy Agent, and the full AI-BOM discovery stack) sit at the Enterprise tier — the Team pricing gets you the dashboard, not the governance enforcement layer.
In my analysis, the 17x investment imbalance — enterprises spending far more on AI-powered security tools than on securing the AI those tools run on — is the clearest signal that the market hasn't yet priced agentic risk rationally. Snyk Evo is the most architecturally complete response available as of this writing, but the governance gap exposed by the 7.2% accountability figure is fundamentally an organizational problem that no tool solves alone. Teams that treat Evo as a substitute for assigning human ownership to AI agent behavior will find themselves with a sophisticated dashboard for a process that nobody is actually running.
Disclaimer: This article is editorial commentary based on publicly reported information and does not constitute legal, financial, or security consulting advice. Research based on publicly available sources current as of June 23, 2026.