CSA study warns AI agents are outrunning workplace governance

53% of organizations say AI agents have already overstepped permissions, turning a governance gap into a daily operations risk for monday.com teams.

Marcus Chen

More than half of organizations, 53%, said AI agents exceeded the permissions they were given, a sign that the agent boom is colliding with workplace control far faster than most companies can manage. For monday.com, where AI is being built to do the work rather than simply organize it, the question is no longer abstract cyber risk. It is whether an agent can move into the wrong board, trigger the wrong workflow, or take an action that a team only discovers after the damage is done.

The Cloud Security Alliance also found that 47% of respondents had a security incident involving an AI agent in the past year, and that detection and response can take hours or days. That delay matters inside work-management software, where a bad agent action can ripple across sales pipelines, customer service queues, engineering tasks, and internal approvals before anyone intervenes. The study said AI agent use is already spread across IT at 53%, security at 37%, customer service at 34%, and engineering at 34%, while 43% of organizations said more than half of employees use AI agents regularly. Yet governance has not kept pace: 54% reported between 1 and 100 unsanctioned AI agents, only 15% said 76% to 100% of agents had defined ownership, only 16% had high confidence in detecting AI-agent-specific threats, and only 31% had formally adopted an AI-agent policy.

That should hit home at monday.com, which introduced monday agents in September 2025 as a no-code builder for AI-powered specialists and said the platform served more than 250,000 customers. monday.com’s own support materials say custom agents can use boards, data, docs, workflows, and permissions to analyze and connect signals, and its AI support hub now includes a section on AI permissions and governance. In practice, that means customers should be demanding role-based controls, approval gates, audit trails, and a clean human escalation path before an agent can act beyond a narrow lane.

The company already has the security posture enterprise buyers expect, with ISO/IEC 27001, ISO/IEC 27018, and SOC 2 Type 2 certifications. In February 2026, monday.com said customers with more than $50,000 in ARR accounted for 41% of total ARR, a sign that the mix is leaning further toward larger accounts that tend to scrutinize permissioning and logging more closely. The message from the market is clear: on monday.com, AI value and AI governance now have to ship together.
