Our takeaways from the Gartner® Hype Cycle for Agentic AI report
In our view, the Gartner® Hype Cycle™ for Agentic AI, published in April 2026, contains a passage that we at 1Password feel should be a wake-up call for any organization building an agent program.
Gartner states, "In practice, fully autonomous agents are not ready for most enterprise use cases, and human oversight remains essential. Semiautonomous deployments, where there is some human supervision of the work of AI agents, are what enterprises must plan for."
That is a clear directive for organizations, and the gap between what it requires and what most current deployments provide should be driving every enterprise AI architecture conversation right now.
The Hype Cycle for Agentic AI report states that “Interest in AI agents is significant and accelerating. According to Gartner’s 2026 CIO and Technology Executive Survey, only 17% of organizations have deployed AI agents so far, but 42% expect to do so in the next 12 months, and another 22% within the following year. This is the most aggressive adoption curve among all emerging technologies in the survey.”
Later in the report, Gartner also states: “However, the supporting infrastructure and processes are still maturing. Integration, reliability, security, governance, and financial management for agents are all evolving, and organizations should be prepared for gaps and growing pains.”
Many of the organizations accelerating the AI agent adoption curve may be doing so without adequate governance in place. The question is how businesses can begin to build that infrastructure, and where they should put their focus when considering agent security governance.
Not all agents carry the same security risks
Agentic AI is not a monolithic category; distinct agentic innovations sit at different maturity stages with different architectural properties, and with distinct risks. We’ll focus on three commonly known agentic use cases from the 2026 Hype Cycle as representative examples to explore 1Password’s insights into some of the security risks involved in agent use.
Enterprise AI assistants
Gartner reports that in terms of market penetration, enterprise AI assistants represent more than 50% of the target audience. It’s our understanding at 1Password that these are the agents most employees will interact with through productivity tools. However, AI assistants can also represent significant risks. As Gartner states, “AI can amplify existing risks and introduce new threats like prompt injections or data poisoning. Many organizations are unprepared, and security and governance are the top blocker to wider AI deployment.”
They also cite agent sprawl as a risk, stating that “Too many agents shared too widely can cause data oversharing and compromise. Ease of no-code or low-code building increases this risk, if not managed.”
Agents for software engineering
In terms of overall agent adoption, Gartner states that “Most enterprises are still in the early stages, using agents primarily to automate existing workflows rather than reengineering processes for agentic AI. Software engineering is an exception and has experienced significant growth in agentic coding.”
Agents can represent significant productivity gains for coding and software engineering, but they also introduce new risks, including buggy, vulnerable, or low-quality code.” Gartner specifies that “Agents require access to repositories and CI/CD systems, creating credential, authorization and supply chain risks, including prompt and tool injection attacks.”
Agentic analytics
Many companies are hoping to use AI agents across data-to-insight workflows, streamlining analytics processes. However, Gartner points out that “Lack of transparency in how insights and recommendations are generated creates a black box that hinders trust and adoption, particularly prohibitive in regulated industries where compliance risks emerge.”
Agentic AI governance should be a key priority
Another category that Gartner emphasizes is “Agentic AI governance.” They describe it this way: “Agentic AI governance extends AI governance to address specific ethics, security, and business risks in multi-agent orchestration, autonomous decision making, and agent-human dynamics.”
Gartner places the maturity of the agentic AI governance category at the “Embryonic” stage, and they go on to state that, “Successful agentic AI governance builds the trust and reliability essential for scaling autonomous agents and complex workflows. It reduces regulatory compliance costs — potentially by 70% by 2028 — allowing investment to shift toward strategic growth. It mitigates high-stakes risks such as collusion, insider threat, hallucinations, unethical behavior, and privacy violations.”
Their recommendations for agentic governance include:
“Extend AI governance to agentic AI: establish a framework that spans all agentic artifacts for accountable decision making and visibility for agentic operations.”
“Adopt solutions to observe, monitor and manage AI agents to streamline the development and optimization of agents.”
“Establish human-in-the-loop escalation triggers and decision-centric practices, such as decision modeling, decision monitoring and decision risk assessments.”
“Define access policies for agentic access to resources, monitoring their activities and conducting regular audits.”
1Password’s recommendation: Three decisions to make before agents go live
Gartner states “Divergent approaches between AI tool providers and the identity and access management (IAM) industry create control challenges.”
At 1Password, we have been working to address the disconnect that arises when companies attempt to adapt access management strategies that were built for human users to AI agents with distinct needs and risks.
We believe that, as businesses build the infrastructure to manage AI agents, they first need to build in human oversight, particularly at the credential level. Semiautonomous deployments require that deliberate governance decisions be made before the agent catalog is so large that retrofitting agent controls becomes operationally impractical.
The first three decisions that we at 1Password recommend IT and security teams make are:
What is the minimum set of permissions this agent needs for its specific purpose, and how can the credential issued to it reflect that? For the credential lifecycle: when is the credential issued, how long does it remain valid, and can it be revoked the moment the agent is retired or compromised?
What are the specific points of human oversight that must take place before the agent runs? For irreversible actions (like deploying code or modifying production data), pre-authorization is the only option that satisfies the semiautonomous model; post-monitoring only tells teams what happened without true governance.
When the original human authorization is passed through multiple agent layers, what mechanism preserves it? Most current architectures have no answer: the orchestrating agent acts with its own credentials, subagents act with theirs, and the chain of authorization from human to outcome is fragmented across identity contexts that were never recorded as a single sequence. But we consider auditability to be non-negotiable for agentic deployment.
Proactive management enables agent value
In 1Password’s view, the Gartner Hype Cycle is not only a snapshot of where technologies are today, but serves as a predictor of where failures will concentrate when technologies enter what Gartner refers to as the “Trough of Disillusionment,” defined in the report as being the point when “Because the innovation does not live up to its overinflated expectations, it rapidly becomes unfashionable.”
Real-world complexity will always eventually catch up with the early pilots that generated the hype. For AI agents, 1Password anticipates that complexity will likely lead to governance gaps, agent sprawl, security fragmentation, and orchestration patterns that no existing identity framework was built to govern.
1Password believes that the organizations that navigate these complexities won’t be the ones that slow their deployments. Rather, they will be the businesses that made vital architectural decisions prior to deployment, before retrofitting governance becomes impractical, and before the first significant incident makes the security gaps visible.
As Gartner states, “Effective management is what turns agent deployment from pilot to enterprise-scale value.”
Source: Gartner Report, Hype Cycle for Agentic AI, 2026, By Rajesh Kandaswamy, Leinar Ramos, etc., April 2026.
Gartner and Hype Cycle are a trademark of Gartner, Inc. and/or its affiliates.
Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.