New research reveals a structural flaw in enterprise security that could undermine the next wave of autonomous threat detection. The 2026 Axonius Actionability Report, conducted with the Ponemon Institute and based on a survey of 662 IT and security professionals, found that across the Axonius customer base, 12.7% of devices are missing their expected security agent. For a median device inventory of 298,000, that represents tens of thousands of blind spots.
These gaps are invisible to the very systems meant to close them. An endpoint agent cannot report its own absence, so no management console flags a device lacking one. Stale CMDB records and software installed outside procurement — such as an employee deploying Claude Enterprise without approval — create SaaS workspaces, identity surfaces, and API-token footprints that endpoint telemetry alone cannot inventory. The coverage percentage on any EDR dashboard is structurally incomplete because the reporting mechanism cannot see what it does not cover.
The timing makes this particularly dangerous. SOC and XDR vendors are increasingly pushing autonomous investigation and remediation tools into production environments. These agents query the same dashboards, trust the same coverage percentages, and act on the same blind spots that human analysts learned to work around. A human analyst might second-guess a 98% coverage number. An autonomous agent treats it as ground truth.
For security teams deploying AI-driven response systems, this means autonomous agents may execute actions based on incomplete data, potentially missing active threats on unmonitored devices. The report suggests organizations need to audit not just their agent coverage but also the data quality feeding their autonomous systems.
A counterargument holds that autonomous agents, if properly configured, can still provide net security gains even with imperfect coverage — and that the efficiency gains from automation outweigh the risks of edge cases involving unmonitored devices.