AI Agents Are Running in Production. Nobody Can See What They're Doing.
A look at where the AI industry stands today, why the current generation of security and observability tools falls short, and why the execution layer is the critical gap nobody has filled.
Something changed in the last twelve months that a lot of organizations are still catching up to.
AI agents stopped being a demo. They went to work.
Not chatbots answering FAQs. Actual agents: software that wakes up, authenticates against your systems, reads files, calls APIs, writes to databases, sends messages, and makes decisions on behalf of your users. The same LLM technology that impressed everyone in 2023 is now embedded in workflows that touch real data, real credentials, and real consequences.
That shift is exciting. It is also creating a problem the industry has not figured out how to solve yet.
The stack is growing faster than the tooling
Every week, more organizations are deploying AI agents into production. The numbers reflect it: AI security funding nearly tripled year-over-year to $6.34B in 2025, and Q1 2026 alone saw $4.9B flow into the space. Over 80% of AI applications have already experienced some form of unintended data access. The average cost of an AI-related breach now exceeds $4.8M.
The market response has been significant. Major acquisitions, new platforms, new frameworks. Palo Alto Networks acquired Protect AI. Check Point acquired Lakera. Cisco acquired Robust Intelligence. More than $1.4B in acquisitions in the last year, all targeting AI security.
And yet, the thing that is actually getting attacked is still largely invisible.
What is the execution layer?
To understand the gap, it helps to think about what AI agents actually do when they run.
When you send a prompt to an agent, a lot more happens than a response coming back. The agent might check a calendar, pull a record from a database, authenticate against an API, read a configuration file, and write a result somewhere. Each of those steps is a tool call, and each tool call involves credentials, permissions, data, and risk.
That middle part, between the prompt going in and the response coming out, is the execution layer. It is where the agent stops talking and starts doing.
This is where real-world AI incidents land. OWASP released its first Top 10 for Agentic Applications in 2026, and every single risk on that list happens at the execution layer: tool misuse, credential abuse, goal hijacking, cascading failures, unauthorized data access. Not at the model level. Not in the prompt. In the execution.
For most organizations, that layer is completely invisible.
Three categories of tools, all missing the same thing
The market has produced useful technology in the last two years. But the existing tools, taken together, still leave a significant gap.
Security tools focus on the model layer: prompt injection defense, guardrails, red teaming, adversarial testing. These are valuable. But they protect the input and output, not what the agent does in between. They cannot tell you which credentials an agent used, which files it read, or whether a tool call sent data somewhere it should not have gone.
Observability tools like LangSmith and Langfuse are designed for developers debugging their agents. They log LLM calls, track token usage, and help you understand why an agent produced a given output. That is useful for engineering, but it is not a security product. There is no concept of a credential, a risk score, or a compliance event. A debugging trace and a security audit are not the same thing, even if they look similar on the surface.
Governance tools help you set policies: what agents are allowed to do, which permissions they should have, what compliance frameworks apply. This is important work. But setting a rule and proving the rule was followed are two different problems. Governance tools define the policy. They cannot show you the audit trail of what actually happened at runtime.
The result is a structural gap: organizations are deploying agents that interact with real systems, using real credentials, making real decisions, with no reliable way to trace what happened after the fact. No credential ledger. No execution timeline. No risk scoring based on what the agent actually did.
A recent example
In April 2026, Vercel experienced a breach traced back to an AI analytics integration. An attacker compromised an OAuth token belonging to Context.ai via malware, then pivoted through broad “Allow All” permissions into Vercel’s internal systems. Environment variables for customer projects were exposed. The attacker was inside for roughly two months before detection.
Traditional security tools never saw it. The agent’s execution was invisible. The credentials it held were not tracked. The permissions it had were not audited in real time.
This will not be the last incident like this. AI and LLM adoption is accelerating faster than the guardrails around it, and the pattern is predictable: agents get deployed, permissions get over-provisioned, and nobody finds out until something goes wrong publicly. The organizations that build visibility into their execution layer now are the ones that get to respond to incidents on their own terms, rather than auditing their stack in the middle of one.
The regulatory clock is also running
Beyond the operational risk, there is a compliance dimension that is moving faster than most teams realize. The EU AI Act, SOC 2 updates, and several emerging sector-specific frameworks are all converging on the same requirement: AI systems need to be auditable. Not just monitored. Auditable, meaning you need to be able to reconstruct what happened, when, and why.
Adoption is outpacing regulation right now, but that gap is closing. Governments are already seeking pre-release access to models to test and audit them before general availability. The auditability requirements that feel distant today will feel very close once the first enforcement actions land.
Most organizations cannot meet them today. The agents are running. The records are not.
What we are building
Omnodex is designed to fill this gap. It intercepts every tool call, every credential use, every API invocation, and every file access in AI agent execution, without adding overhead and without requiring changes to agent code. The result is a complete picture of what your agents are doing: a connection graph of every MCP server invoked, a credential ledger tracking every secret used, an event timeline you can step through, and automated risk scoring that flags patterns like credential exposure and data exfiltration.
The execution layer should not be a black box. Your security team should have the same visibility into what your AI agents are doing that they have into every other system in your stack.
We will be writing more here about how this works, what we are seeing in production, and how the industry is evolving. If you are working through any of this, whether you have agents deployed today or are thinking through what deployment means for your security posture, reach out at hello@omnodex.com.
Sources
- Crunchbase, “Cybersecurity Funding Holds Up At Robust Levels,” Q1 2026, 2026.
- Software Strategies Blog, “AI Security Market 2025 Funding Data,” December 2025.
- IBM, X-Force Threat Intelligence Index 2024, 2024.
- IBM, Cost of a Data Breach Report 2024, 2024.
- Palo Alto Networks, “Completes Acquisition of Protect AI”, July 2025.
- Check Point Software, “To Acquire Lakera to Deliver End-to-End AI Security”, September 2025.
- Cisco, “To Acquire Robust Intelligence”, August 2024.
- OWASP, Top 10 for Large Language Model & Generative AI Applications, 2026.
- Trend Micro, “The Vercel Breach: OAuth Supply Chain Attack Exposes the Hidden Risk in Platform Environment Variables”, April 2026.