Ask any South African CISO how many AI agents are running in their environment right now and most will be hard pressed to answer.
This is the uncomfortable truth behind the local rush to deploy agentic AI, and it is happening while many of the same organisations are still battling the basics of phishing and business email compromise (BEC).
With 81% of Fortune 500 companies already running active AI agents but only 14% having full security approval, local security leaders can no longer afford to treat agentic AI as a future problem.
“The most serious threat to South African organisations, by some distance, is the shadow AI agent gap. We have a well-documented skills shortage in IT and cybersecurity, and many organisations are already battling just to maintain a basic IT asset inventory,” says Heino Gevers, vice-president: global customer success at Mimecast.
“An AI agent inventory is almost unheard of. Most companies simply do not know which agents exist in their environment, who created them, what systems they’re plugged into, or which data they can reach.”
The urgency of the problem is becoming more apparent as organisations rush to deploy AI agents. According to IDC, more than 1 billion agents are projected to be deployed in the enterprise by 2029, 40 times more than today.
These agents will be making 217 billion actions per day, including reading emails, summarising financial records, and executing workflows across every system employees touch. And, while the agentic AI security market is responding, Gevers says most of the conversation remains focused on the agent itself, rather than on the person giving the instructions.
Growing regulatory exposure
The second gap is the inability to map agents to data, adding to existing compliance pressure.
“Many local organisations can’t map what agents have access to what type of personal information, which is resulting in unquantified regulatory exposure. At the end of the day, South Africa’s Protection of Personal Information Act (POPIA) doesn’t distinguish between data exposed by humans or data exposed by an agent. From the Information Regulator’s perspective, harm is harm, and the duty of care is the same regardless of whether a person or an AI agent caused the incident,” Gevers warns.
Agents using email as an attack vector
The third gap centres around leaders failing to recognise email as an attack vector for AI agents, not just humans.
“Most security strategies still treat email as a human-centric problem. But attackers are using email as a delivery mechanism for prompt injections and malicious payloads aimed at agents that read, process or act on those messages. The inbox hasn’t changed, but the target has. It’s no longer only the person behind the screen that’s a threat, it’s the autonomous or semi-autonomous systems acting on their behalf. Traditional email security and data loss prevention (DLP) were not designed with that in mind,” he explains.
Human risk management remains the foundation
Gevers is quick to point out that AI doesn’t create new risks. It industrialises the ones CISOs already have.
“Two employees can deploy identical agents with identical permissions, but the actual risk depends on the person, their behavioural history, access patterns, and insider risk signals. Security strategies need to connect agent activity back to the human who authorised it. Ignoring that and looking only at agent configuration is a recipe for blind spots,” he says.
Treat agents like employees, or they’ll behave like contractors with no accountability
In response to these challenges, Gevers says security leaders should take a unified approach to detect, govern, and remediate data exposure in real time, irrespective of whether the action comes from an employee or an agent acting on their behalf.
“Traditional DLP waits at the edge and asks, ‘Should I let this go out?’ That model is already too late for AI agents acting at machine speed. Runtime data security sits inside the workflow and watches the full life of a document in real time, so you can nudge people at the moment of the mistake rather than discovering the breach after the fact,” he explains. “Instead of treating AI as something separate, extend the principles of human risk management – behavioural baselining, anomaly detection, real-time nudges, governance of data access – to cover agents as part of the workforce.”
Gevers says the key takeaway for CISOs is that they must extend their control and visibility into who is using what, and that policies must apply the same rules to machines as they do to people.
“What you need is detection that correlates agent behaviour with the risk profile of the person who deployed it and the insight that drives it. The 8% of your users who cause 80% of your security incidents are likely the same 8% whose agents pose the greatest risk. If you don’t know who those people are, you don’t know your AI risk – full stop.”