Autonomous security agents need complete data. Here's how to check if yours is ready.

An endpoint agent cannot report its own absence. The 2026 Axonius Actionability Report, conducted with the Ponemon Institute and surveying 662 IT and security professionals, put a number on the gaps that SOC teams have worked on over the years. In the Axonius customer base, 12.7% of devices in the 298,000-device average list do not have their expected security agents.

If a device does not have an agent, no management console shows it. If the CMDB record is out of date, none of these tools flags it. An employee who set up the cloud enterprise outside of procurement created a SaaS workspace, identity surface, and API-token footprint that endpoint telemetry alone wouldn’t reliably inventory. The coverage percentage on the EDR dashboard is structurally incomplete because the reporting mechanism cannot see what it does not cover.

That difference matters more now than it did six months ago. SOC and XDR vendors are pushing for more autonomous testing and improvement in production. Those agents will query the same dashboards, rely on the same coverage percentages, and operate on the same blind spots that human analysts have learned to work around. A human analyst second-guesses the 98% coverage number. An autonomous agent takes it as ground truth and moves at machine speed.

Three independent signals collected at the same interval

Gravity’s 2026 survey of more than 900 executives found that 88% reported confirmed or suspected AI-related incidents, and only 14.4% of dispatched agents remain with full security approval. The Axonius/Ponemon report found that 52% of respondents let autonomous agents act on recommendations – while 63% said the underlying data lacked important information. CSA’s Agentic Trust Framework requires verified data governance before agents can act on any conclusions.

Mike Reimer, field CISO at Ivanti, said known vulnerabilities on Azure’s honeypot network are now attacked in less than 90 seconds. “Traditional security measures continue to work,” Reimer told VentureBeat.

The caveat is that those measures only protect what they can see. An EDR agent deployed on 87.3% of the device inventory leaves the remaining 12.7% outside of that agent’s telemetry, policy enforcement, and detection logic.

Typical deployment data determines the amount of scale

Axonius CEO Joe Diamond told VentureBeat that the average CISO actually sees about 50% of what’s on the network. “Let’s say 50% of their environment is dark matter,” Diamond said. “They don’t know what it is, or where it is, or who has access to it, whether it’s safe, whether it’s not safe.”

Deployment data from more than 900 Axonius customers confirms those numbers. TransUnion went from 70% to 99% endpoint coverage after out-of-band verification. Western Union went from 85% to 99% by consolidating data from 38 devices and halving the manual workload. Lumen searched 1.1 million properties, where the CMDB showed 17,000. This means there are approximately 37,000 unmanaged endpoints per organization outside of each policy, each patch cycle, and each identity rule.

Diamond pointed to Anthropic’s frontier reasoning model Mythos as a sign that machine-speed offensive capabilities will make any idiosyncratic asset much riskier than it is today. “People have shiny object syndrome,” he said. “If you don’t understand what 50% of your environment looks like from a traditional endpoint perspective, and you think you’re moving quickly to granular control and governance of AI, your program will fail.” Diamond called the broader AI transformation “as big, if not bigger, than the Internet.”

Three approaches compete to bridge the gap

No single architecture today solves the visibility problem. Three approaches compete, each with tradeoffs that security teams must evaluate before purchase.

A dedicated integration layer uses bidirectional API adapters to create an always-on inventory. Axonius runs more than 1,400 adapters and now discovers shadow cloud enterprise installations through its Anthropic Adapter (GA June 15). “We built a bidirectional API integration with all the IT systems and all the security controls to create an always-updated inventory of what the environment looks like,” Diamond told VentureBeat.

Platform-native EDR and XDR intelligence creates rich asset context, and it has a depth advantage within the agent footprint. The limitation is structural. Platform-native intelligence is tied to what the agent can see, and the gap identified in the Ponemon report is exactly where that visibility ends.

CMDB modernization requires consistent resolution against three or more independent telemetry sources. According to Axonius/Ponemon data, only 13% of organizations perform daily reconciliation. The remaining 87% work from old records that feed the wrong priority into any automated remediation pipeline.

EDR Data Preparation: Five Gates Before Autonomous Treatment

Before you let autonomous SOC agents close tickets or quarantine assets, this checklist lets you know whether your EDR and asset data is solid enough to trust. It’s vendor-agnostic, works with any EDR and CMDB, and gives you five pass/fail gates that you can run in a single job session.

| Risk area | What the data shows | Readiness threshold | Action to take now |
| --- | --- | --- | --- |
| Asset list delta | Ponemon: Only 45% consolidates into a single scene. Forrester TEI: 150% more assets than previously identified. Lumen: 17K in CMDB vs 1.1M discovered. | Delta ≤10% between discovery, CMDB and EDR agent counts. Delta above 10% blocks automated treatment until resolved. | Run an API-based search against all segments. Diff against CMDB and EDR console counts. Reconcile at least quarterly. |
| Unmanaged AI services | Severity: 88% of confirmed or suspected AI incidents. Only 14.4% with full safety approval. Anthropic Adapter (GA June 15) discovers unmanaged cloud enterprise installations. | No high-risk AI services outside of approved purchases. Weekly SaaS discovery scan. Unmanaged high-risk instances trigger IR triage before exception review. | Deploy SaaS discovery or protocol-level adapters to locate an AI service. Automate weekly scans. Route unmanaged instances to the IR queue. |
| CMDB record accuracy | Ponemon: Only 13% reconcile daily (RSAC 2026). Brooks Running: 20% server discrepancy between console and free quest. Top troubleshooting barriers: unclear priority, unclear ownership, inconsistent data. | ≥85% of records validated against 3+ independent telemetry sources. No old or orphan records in the active repair queue. | Cross-reference CMDB against cloud inventory, EDR telemetry, and IDP directory. Continuous reconciliation replaces annual audit cycles. |
| Endpoint agent coverage gap | Ponemon: An agent cannot report its absence (p. 8). TransUnion: 70% to 99% after out-of-band verification. RSAC 2026: 12.7% of 298K mean devices missing expected agent. | ≥95% agent coverage verified via out-of-band discovery. Many CISOs set this as the minimum before allowing autonomous improvement. No self-reported-only metrics in board reports. | Run network-based or API-driven searches against the managed device list. Coverage below 95% blocks the automated healing scope. |
| Asset ownership mapping | Ponemon: 32% apply tags consistently. Only 51% assign ownership of new exposures (pp. 9, 16). TransUnion: 12K to 190K assets with ownership maps. | Handed over to owner within 24 hours. Consistent tags across cloud, EDR, CMDB. Three systems showing three owners = failure. | Automate ownership through cloud tags, IdP group membership, or CMDB metadata. Map property, improvements, and business owner as separate fields. |

Five questions to ask before allowing autonomous SOC action

  1. Who independently verifies endpoint-agent coverage outside of the EDR console?

  2. How does the SOC resolve conflicts between EDR, CMDB, cloud inventory, IDP, and discovery tools?

  3. Can AI agents take action on assets with unknown or disputed ownership?

  4. Can the system distinguish “not unsafe” from “not visible”?

  5. Which data-quality gate blocks autonomous treatment when coverage or ownership falls below a threshold?

Board-Ready Risk Assessment

Kayne McGladrey, a senior member of the IEEE, has confirmed the pattern in several published VentureBeat interviews. Structural differences in self-reported coverage are nothing new. What is new is that autonomous agents will act at machine speed without the institutional workarounds that human analysts developed over years of experience. Diamond laid out the board-level stakes clearly in an April 2026 press statement: “The findings are stacked because the data is not trusted, ownership is not clear, and the entire asset class is not even in the picture.”

CSA’s Agentic Trust Framework requires that any agent promoted to a higher autonomy level must pass five gates, including demonstrated accuracy and security audits. Article 50 transparency obligations of the EU AI Act will come into effect on August 2, 2026. The May 2026 Digital Omnibus extends high-risk systems obligations to December 2027, but organizations deploying SOC agents on incomplete asset data face immediate operational risks that transcend any regulatory timelines.

Board-ready sentence: Our EDR coverage reports are structurally incomplete because an endpoint agent cannot report its absence, and we are verifying coverage through out-of-band discovery before deploying autonomous agents that will act on those reports at machine speed.

Security Director Playbook

  1. Run an out-of-band asset search this week. Compare the results against your CMDB export and EDR console calculations. If delta exceeds 10%, stop automatic corrective scoping until the difference is resolved.

  2. Deploy SaaS search for AI services. Employees install AI before procurement, before security. Weekly scans are the minimum. Route any unmanaged high-risk instances to your incident response queue for triage prior to exception review.

  3. Link asset ownership to remediation accountability. Ponemon found that only 32% of organizations consistently implement tags. If three systems show three different owners for the same asset, there is no routing target for automated correction. Fix the ownership layer before deploying the agents that depend on it.

  4. Eliminate self-reported coverage metrics. Any risk calculation or board report that relies on EDR console-reported coverage alone is built on data that the reporting system cannot verify. Out-of-band verification is required for each coverage number informing a risk decision.
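
The following added example, which is not from the article or any vendor's product, evaluates four of the five gates (inventory delta, agent coverage, CMDB accuracy, ownership) over constructed inventories and reports which assets are "not visible" to the EDR. The source names, host IDs, owner tags, and the definition of delta as (max − min) / max of the three counts are assumptions; the AI-services gate is left out because it needs SaaS discovery data.

```python
# Constructed sample inventories: asset id -> owner tag recorded by each source.
# "discovery" stands for an out-of-band scan and records no owners (assumption).
IDS = [f"host-{i:02d}" for i in range(1, 21)]  # 20 discovered assets
SOURCES = {
    "discovery": {a: None for a in IDS},
    "edr": {a: "team-a" for a in IDS[:17]},  # 3 hosts have no agent
    "cmdb": {**{a: "team-a" for a in IDS[:15]},
             "host-90": "team-b", "host-91": "team-b"},  # 2 stale records
    "cloud": {**{a: "team-a" for a in IDS[:16]}, "host-03": "team-c"},  # conflict
    "idp": {a: "team-a" for a in IDS[:18]},
}


def evaluate(src, max_delta=0.10, min_coverage=0.95, min_validated=0.85):
    disc, edr, cmdb = set(src["discovery"]), set(src["edr"]), set(src["cmdb"])
    if not disc or not cmdb:
        raise ValueError("discovery and CMDB inventories must be non-empty")
    # Gate: spread between the three counts, relative to the largest (assumed definition).
    counts = [len(disc), len(cmdb), len(edr)]
    delta = (max(counts) - min(counts)) / max(counts)
    # Gate: coverage measured against discovery, never the EDR console's own total.
    coverage = len(edr & disc) / len(disc)
    # Gate: a CMDB record is validated only if all three telemetry sources see it.
    telemetry = [set(src[name]) for name in ("cloud", "edr", "idp")]
    validated = sum(all(rec in t for t in telemetry) for rec in cmdb) / len(cmdb)
    # Gate: exactly one distinct owner across cloud, EDR and CMDB; none or several fails.
    no_single_owner = sorted(
        a for a in disc
        if len({src[s].get(a) for s in ("cloud", "edr", "cmdb")} - {None}) != 1
    )
    gates = {
        "inventory_delta": delta <= max_delta,
        "agent_coverage": coverage >= min_coverage,
        "cmdb_accuracy": validated >= min_validated,
        "ownership": not no_single_owner,
    }
    return {
        "gates": gates,
        "metrics": {"delta": delta, "coverage": coverage, "validated": validated},
        "not_visible": sorted(disc - edr),  # discovered, but absent from EDR telemetry
        "no_single_owner": no_single_owner,
        "autonomous_allowed": all(gates.values()),
    }


if __name__ == "__main__":
    for key, value in evaluate(SOURCES).items():
        print(key, value)
```

On the sample data the EDR console would report 17 of 17 agents healthy, while coverage against discovery is 85% and the gate blocks autonomous action.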


