An endpoint agent cannot identify its own absence. The 2026 Axonius Actionability Report, in collaboration with the Ponemon Institute, surveyed 662 IT and security experts to quantify a longstanding issue that SOC teams have been managing. According to the report, 12.7% of devices in a typical 298,000-device inventory across Axonius customers lack the necessary security agent.
When a device lacks an agent, it remains invisible to management consoles. Stale CMDB records go unflagged, and unauthorized installations, like an employee setting up Claude Enterprise outside official channels, create traces that endpoint telemetry cannot track accurately. The EDR dashboard’s coverage metrics are inherently flawed because they fail to account for unseen elements.
This issue has become more significant than it was six months ago. As SOC and XDR vendors introduce more autonomous investigation and remediation capabilities, these systems will rely on the same dashboards and coverage metrics, overlooking the blind spots that human analysts have learned to navigate. While a human analyst might question a 98% coverage rate, an autonomous agent accepts it as fact and acts swiftly.
Three Independent Indicators Highlight the Same Issue
Gravitee’s 2026 survey of over 900 executives revealed that 88% reported AI-related incidents, with only 14.4% having fully secured agent deployments. The Axonius/Ponemon report noted that 52% of participants would allow autonomous agents to act on suggestions, though 63% felt the data was missing critical information. The CSA’s Agentic Trust Framework mandates data governance verification before agents act on findings.
Mike Riemer, Field CISO at Ivanti, mentioned that known vulnerabilities on Azure’s honeypot networks are now attacked in less than 90 seconds. “Traditional security measures continue to work,” Riemer told VentureBeat, but they only protect what is visible. With EDR agents covering 87.3% of the inventory, 12.7% of devices remain outside its monitoring and control.
Deployment Data Highlights the Scope
Joe Diamond, CEO of Axonius, explained to VentureBeat that CISOs typically see only about 50% of their network. “Half of their environment is in the dark,” Diamond said. Deployment data from over 900 Axonius clients supports this. TransUnion improved endpoint coverage from 70% to 99% through external verification. Western Union raised coverage from 85% to 99% by integrating data from 38 tools, reducing manual workloads by 50%. Lumen discovered 1.1 million assets versus the CMDB’s 17,000, equating to about 37,000 unmanaged endpoints per organization.
Diamond cited Mythos, Anthropic’s reasoning model, as evidence that rapid offensive capabilities make unknown assets increasingly risky. “People tend to get distracted by shiny objects,” he noted, warning that without a clear understanding of their network, organizations might fail in managing AI. He described the AI shift as potentially more impactful than the internet.
Three Strategies to Bridge the Visibility Gap
Currently, no single framework completely resolves visibility issues. Three strategies are competing, each presenting trade-offs that security teams must consider before procurement.
A dedicated integration layer employs bidirectional API adapters to maintain an up-to-date inventory. Axonius, using over 1,400 adapters, can now identify unauthorized Claude Enterprise installations with its Anthropic adapter. “We’ve integrated with all IT systems and security controls to keep the inventory current,” Diamond explained to VentureBeat.
Platform-native EDR and XDR intelligence provides richer asset context within the agent’s scope. While it offers depth, it is structurally limited, as the Ponemon report indicates, where visibility ends.
CMDB modernization requires ongoing reconciliation with three or more telemetry sources. Only 13% of organizations reconcile daily, while the rest rely on outdated records that lead to incorrect remediation.
EDR Data Readiness: Five Criteria Before Automation
Before deploying autonomous SOC agents for tasks like ticket closure or asset quarantine, ensure your EDR and asset data is reliable. This checklist, applicable across vendors, includes five essential criteria to evaluate in a single session.
|
Risk Area |
Data Insights |
Readiness Criteria |
Immediate Actions |
|
Asset inventory delta |
Ponemon: only 45% consolidate into a single view. Forrester TEI: 150% more assets than previously identified. Lumen: 17K in CMDB vs. 1.1M discovered. |
Delta ≤10% between discovery, CMDB, and EDR agent count. Reconciliation is required if the delta exceeds 10%. |
Conduct API-based discovery across segments. Compare with CMDB and EDR console counts. Reconcile at least quarterly. |
|
Unmanaged AI services |
Gravitee: 88% confirmed or suspected AI incidents. Only 14.4% with full security approval. Anthropic adapter (GA June 15) discovers unmanaged Claude Enterprise installations. |
No high-risk AI services outside approved procurement. Weekly SaaS discovery scans. Unmanaged high-risk instances trigger IR triage before exception review. |
Implement SaaS discovery or protocol-level adapters for AI service detection. Automate weekly scans. Route unmanaged instances to IR queue. |
|
CMDB record accuracy |
Ponemon: only 13% reconcile daily (RSAC 2026). Brooks Running: 20% server discrepancy between console and independent discovery. Top remediation barriers: unclear prioritization, unclear ownership, inconsistent data. |
≥85% of records verified against three or more independent telemetry sources. Avoid stale or orphaned records in remediation. |
Validate CMDB with cloud inventory, EDR telemetry, and IdP directory. Replace annual audits with continuous reconciliation. |
|
Endpoint agent coverage gap |
Ponemon: an agent cannot report its own absence (p. 8). TransUnion: 70% to 99% after out-of-band verification. RSAC 2026: 12.7% of 298K median devices missing expected agent. |
≥95% agent coverage verified through external discovery. Many CISOs require this threshold for autonomous remediation. |
Utilize network-based or API-driven discovery on managed devices. Coverage below 95% halts automated remediation. |
|
Asset ownership mapping |
Ponemon: 32% apply tags consistently. Only 51% assign ownership on new exposures (pp. 9, 16). TransUnion: 12K to 190K assets with ownership mapped. |
Owner assigned within 24 hours. Consistent tagging across cloud, EDR, CMDB. Inconsistent ownership across systems indicates failure. |
Automate ownership using cloud tags, IdP groups, or CMDB metadata. Separate asset, remediation, and business ownership fields. |
Five Questions Before Allowing Autonomous SOC Actions
-
What independently verifies endpoint-agent coverage outside the EDR console?
-
How does the SOC reconcile conflicts between EDR, CMDB, cloud inventory, IdP, and discovery tools?
-
Can AI agents act on assets with unknown or disputed ownership?
-
Can the system distinguish “not vulnerable” from “not visible”?
-
What data-quality gate blocks autonomous remediation when coverage or ownership falls below threshold?
Board-Ready Risk Assessment
Kayne McGladrey, IEEE Senior Member, has noted through various interviews with VentureBeat that the gap in self-reported coverage isn’t new. The novelty lies in autonomous agents acting on this information at machine speed, bypassing the workarounds developed by human analysts. In an April 2026 press statement, Diamond highlighted the stakes: “Findings accumulate because the data isn’t trusted, ownership is unclear, and entire asset categories are overlooked.”
The CSA’s Agentic Trust Framework stipulates that agents achieving higher autonomy must meet five criteria, including accuracy and security audits. The EU AI Act’s transparency obligations will be enforced from August 2, 2026. The May 2026 Digital Omnibus has deferred high-risk system obligations to December 2027, yet organizations using incomplete asset data for SOC agents face immediate risks that surpass regulatory deadlines.
Board-ready summary: Our EDR coverage reports are inherently incomplete as an endpoint agent cannot report its own absence. We are conducting out-of-band discovery to verify coverage before deploying autonomous agents that would act on these reports at machine speed.
Security Director Action Plan
-
Conduct out-of-band asset discovery this week. Compare findings against your CMDB export and EDR console count. If the discrepancy is greater than 10%, pause automated remediation until resolved.
-
Deploy SaaS discovery for AI services. AI installations often precede procurement and security. Weekly scans are essential. Direct unmanaged high-risk instances to your incident response queue for evaluation before exception review.
-
Align asset ownership with remediation duties. Ponemon reports only 32% of organizations consistently apply tags. If three systems identify different owners for the same asset, automated remediation lacks a target. Correct the ownership structure before deploying reliant agents.
-
Eliminate self-reported-only coverage metrics. Any risk analysis or board report based solely on EDR console-reported coverage is founded on unverifiable data. Mandate external verification for any coverage figure used in risk assessment.
