The agent register question Series B boards should ask before Q3 close

The headline your board saw

I read two AI agent identity surveys back to back this week. One from Semperis on May 13, covering 1,100 organizations across eight countries. One from Akeyless on May 12, covering 400 IT and security leaders in the US and UK. They asked different questions and came back with the same uncomfortable answer. Nobody actually knows where their agents live.

Semperis found that 93% of organizations already use or plan to use AI agents for sensitive security tasks like password resets and VPN access. Akeyless found that 67% of enterprises suspect those agents have already touched data they were not supposed to touch. That is not a single breach story. That is the new ambient state of production.

What it actually means

The Semperis number that landed on my desk was not the 93%. It was the 6%. Six percent of organizations told Semperis they do not track AI identities at all. Another 35% do not fully register them. So somewhere between a third and 40% of companies running real AI agents through real systems cannot tell you, on a Tuesday afternoon, what is running, what it has access to, or who provisioned it. That is what shadow AI looks like in 2026. It is not an intern with a ChatGPT tab. It is an agent in production with credentials nobody can find on a Friday.

Akeyless puts hard numbers on the cost. Average detection of a compromised agent: 14 hours. Average containment: nearly a week. Only 7% of leaders believe their current controls would stop a compromised agent from continuing to operate. Average spend on agent identity incidents in the last year: over one million dollars. 61% have already revoked or rotated agent credentials after a suspected exposure. Those last two together are the line a CFO underlines. The cost is real, most companies have already paid it, and most boards have not seen it in a pack yet.

The vendor side moved hard the same week. At SAP Sapphire on May 12, SAP announced the AI Agent Hub on LeanIX, a single console to discover and govern agents across SAP and non-SAP environments, generally available in Q3 2026 and included in the SAP Business AI Platform at no extra cost. NVIDIA’s OpenShell sits underneath as a sandboxed runtime with filesystem and network policy enforcement, as covered by SiliconANGLE the same day. That follows Microsoft Agent 365 going generally available on May 1 and ServiceNow shipping kill-switch capability in its AI Control Tower on May 5. Three of the biggest enterprise vendors now sell a console that promises to inventory and kill any agent. So the question heading into Q3 close is not whether to govern agents. It is whether to wait for the console or build the register now.

Three questions your board will ask

Who owns the agent register, and can that person answer in one breath where every production agent lives? If the honest answer is “engineering owns most of them, security has visibility into some, and finance has its own through the FP&A tool,” that is the answer. Name the person, give them budget for one quarter of cleanup, and report back at the next meeting. The Semperis data suggests 6 to 41% of companies are in worse shape, so the bar is lower than most founders fear.

If we suspected a compromised agent right now, how fast could we kill it? The Akeyless 14-hour-to-detect and roughly one-week-to-contain numbers are the industry baseline. Boards do not need a number that beats the baseline. They need to know what the company’s number is, in writing, and what changes between now and Q3 close. A tested kill protocol fits on one page. Run a tabletop with the on-call engineer and the head of security before July.

Are we buying the vendor console or building the register? This is the one most boards will get wrong. The SAP, Microsoft, and ServiceNow consoles are real and they will help, but they all assume an inventory exists. The human walk-around, asking each team lead to write down every agent and credential they have provisioned, is the part no platform replaces. The Register reported on May 13 that three MCP database flaws (Apache Doris, Apache Pinot, and Alibaba RDS) were uncovered by one bug hunter in a single sweep, with Alibaba declining to patch. The transport layer underneath these agents is still maturing. Inventory is the only defense that does not depend on a vendor’s patch cycle.

The 60-second brief

The week’s signals: Semperis says 6% of companies do not track AI agent identities at all, and only 32% feel very confident they could regain control after a credential exposure. Akeyless says 67% suspect agents have already accessed unauthorized data, with a 14-hour detection baseline and a million-dollar average yearly spend on incidents. SAP, Microsoft, and ServiceNow are converging on a single agent control plane, but the consoles assume the inventory already exists. The Q3 ask is a named owner, a one-page agent register, and a tested kill protocol. Cost is roughly one engineer-month. The cost of skipping is the seven-figure average that Akeyless found companies already spent reacting to incidents nobody planned for.

The console is the second step. The register is the first. Most boards will spend Q3 shopping for the second step before they have done the first.

What to watch

SAP Agent Hub general availability in Q3 2026 and whether non-SAP coverage actually ships on time. The EU AI Act high-risk timeline after the May 7 Digital Omnibus deal. The Register’s MCP database reporting on May 13, especially Alibaba RDS, which the vendor declined to patch. If MCP transport-layer flaws keep landing at this cadence, the agent register conversation moves from “good practice” to “audit committee item” inside one quarter, and the boards that asked the three questions above will be the ones who do not have to scramble.