Veeam: Why Rogue Agentic AI Is a CISO Responsibility

Enterprises rapidly plugging autonomous AI agents into their workflows are facing a crisis of trust – one that is rooted in weak data governance and fragmented accountability.

Research from Veeam Software puts in contrast the speed of adoption which has far outpaced the control frameworks needed to secure these systems.

According to the Data and AI Trust Gap report – which surveyed 600 senior executives across financial services, healthcare, manufacturing, retail and technology – 88% of organisations are already using or piloting AI agents.

Only 7% among these meet all three criteria for readiness: ambition, visibility and governance.

The study shows that 95% of respondents say that data-related security and compliance issues have already slowed their AI progress.

The gap between deployment pace and control maturity likely means that enterprises are building risk faster than they can contain it.

Leadership blind spots on risk

The glaring disconnection between executive perception and technical reality could undermine AI governance efforts.

Business leaders are shooting for the stars as they express confidence in AI, with 65% of CEOs believing that their organisation maintains a complete inventory of AI systems.

In contrast, just 48% of technical leaders share that view.

More than half of CEOs (52%) believe they lead on data strategy, while fewer CISOs and CIOs agree, at 38% and 41% respectively.

This misalignment can easily create blind spots in risk management. 

Fragmented ownership, should CISOs own AI risk?

Veeam's research identifies unclear ownership structures as a barrier to effective AI risk management.

Responsibilities for data, AI systems and governance are often distributed across multiple teams with no single point of control.

"When 'everyone owns it', no one can decisively set policy, enforce controls or prove outcomes," the company states.

Organisations with clearly defined ownership, where CISOs own agentic AI risks, are 24% more likely to detect rogue AI behaviour.

On the contrary, enterprises with shared ownership are 47% less likely to detect unauthorised activity.

When an AI agent makes a decision that results in a security incident or regulatory breach, accountability structures must be clear.

Shadow AI becomes mainstream threat

Unauthorised AI usage has moved from edge case to widespread risk.

According to Veeam, 95% of organisations report shadow AI within their workforce.

While 93% view shadow AI as a risk, only 25% provide employees with approved alternatives. 

Worryingly, most organisations deploying AI agents cannot quickly identify what data a system accessed, what actions it took or which decisions it influenced.

Only 40% of leaders expressed strong confidence in their ability to isolate and reverse an AI-related failure with precision.

The inability to trace AI actions creates compliance and forensic challenges, as incident response depends on understanding what happened, when and to which data.

Regulatory pressure intensifies requirements

This research comes along while compliance requirements are tightening, as regulators respond to AI deployment risks.

More than six in 10 organisations say the EU AI Act has influenced their investment decisions over the past year.

Maintaining audit trails for AI decisions has emerged as a compliance concern for 47% of organisations. 

"Most organisations don't have an AI adoption problem," says Anand Eswaran, CEO of Veeam. "They have an AI trust problem. The first phase of AI was defined by infrastructure investment, experimentation and acceleration.

"The next phase will be defined by trust. With the widespread adoption of autonomous AI agents operating at machine speed, the question transitions from whether you can use AI, to whether you can ensure all your data is secure, governed, compliant and resilient.

"And should something go wrong, can you recover with precision? That’s how you accelerate safe AI at scale without accelerating reputational and operational risk."

Recovery and resilience gaps

When an agent makes unauthorised changes to data or systems, organisations need granular recovery capabilities.

The research could show that organisations achieving success with AI are building control frameworks before scaling deployment.

Nearly half of CEOs believe trusted and compliant data could unlock more than 25% revenue growth.

This, while many organisations admit their data needs to be more accurate, accessible and up to date before AI benefits can be realised safely.

"The findings here leave no room for doubt. When 95% of executives say data challenges are already slowing their AI progress, the bottleneck isn't the model – it's trusted, governed, recoverable data," adds Anand.

"Veeam is building the Data and AI Trust layer to give enterprises the visibility, control and precision recovery needed to scale AI safely and deliver real business value."