We love bespoke agentic AI…
The analyst who built a pipeline agent that reads sales data, cross-references CRM notes, and ranks deals most likely to slip. The operations lead who automated the weekly reporting workflow in a weekend. The finance team member who connected an AI tool to the accounting system and eliminated three hours of manual reconciliation from every month-end close. The HR coordinator who built a screening agent that triages resumes against job requirements before a human ever opens a folder.
Well, maybe not that last one.
These aren't anomalies, they're the leading edge of something genuinely transformative. And they're happening right now, in your organization, built by people who identified a real problem, had access to capable tools, and used them.
That's exactly the instinct every organization has been trying to cultivate for years.
The argument I make in Jailbreak is playing out in real time. That argument: three tectonic shifts have collapsed the barriers to building AI-native software, and organizations should respond by building precisely what they need rather than renting an approximate version from a vendor. Fifty-four percent of organizations are actively deploying AI agents across core operations, up from eleven percent two years ago. Gartner expects forty percent of enterprise applications to integrate task-specific AI agents by the end of 2026, up from less than five percent in 2025.
The jailbreak is working. The vibe coder who shipped something useful on a Friday afternoon is exactly the kind of person organizations need more of. The capability is there, the instinct is right, the productivity gains are real and compounding.
We want more of this. More agents, more builders, more organizations reclaiming their data, their architecture, their competitive advantage. That's the context for everything that follows, because nothing that follows is an argument against building.
… But there are very real dangers.
88%
confirmed or suspected AI agent security incidents in the past year
82%
of executives believe existing policies protect against unauthorized agent actions
14%
actually send agents to production with full security or IT approval
Sit with that gap for a moment. It's not a margin of error, it's the delta between what organizations believe is happening and what is actually happening. The executives believe the fleet is governed, the fleet disagrees.
The Cloud Security Alliance published a companion finding in April 2026: eighty-two percent of enterprises have unknown AI agents running in their IT infrastructure. Nearly two in three have experienced AI agent-related incidents in the past twelve months: data exposure, operational disruption, financial losses. The average shadow AI breach costs $670,000 more than a standard security incident, driven by delayed detection and the difficulty of scoping what the agent actually touched.
These aren't future risks. They have case numbers.
The regulatory clock. The EU AI Act's high-risk provisions enter enforcement in August 2026. What the Act requires isn't a policy document, it's evidence: that AI systems were assessed, documented, monitored, and subject to human oversight. That evidence has to be collected at runtime, continuously, as a byproduct of normal operation. You can't assemble it before an audit. A governance policy written before deployment isn't evidence of post-market monitoring, it's evidence that you knew what post-market monitoring was supposed to look like.
NIST AI RMF says the same thing in different language: Govern, Map, Measure, Manage. Three of those four functions require continuous operation, not one-time assessment. The CAISI AI Agent Standards Initiative, launched in February 2026, is the first US federal framework specifically targeting agentic architectures, built on the same premise.
The security stack is flying blind. Every major security tool in the enterprise (the SIEM, the CASB, the EDR, the partridge in the pear tree) operates on the same principle: detect anomalies by comparing observed activity against known baselines. For AI agents, there are no baselines, because there's no registry.1 These tools can't tell you whether an agent-shaped thing calling your model API at 2am is a legitimate governed agent, or a shadow agent deployed last month by someone who has since left the company.
The governance approaches that seem obvious don't work. Banning the tools drives the fleet underground. Same agents, less visibility. Requiring IT approval before development creates a queue that becomes the Department of No, and people route around it. GRC platforms are built for a stable, catalogued software estate reviewed on a quarterly cycle; an agent can be built in an afternoon, and the GRC platform won't know it exists until the next audit preparation, by which point it's been running for six months. Issuing a policy document is the most common response and the least effective: the EU AI Act examiner doesn't want your policy. They want your records.
None of these approaches are wrong on their own terms. They're wrong for this problem. The invisible fleet isn't the result of bad intent or inadequate policy. It's the direct consequence of the good thing succeeding faster than the governance infrastructure could follow. The jailbreak worked. The governance didn't keep up.
The new cadre of developers are coming fresh-faced onto a forty-year-old battlefield
Here's the thing that doesn't get said often enough.
The "vibe coder"2 isn't reckless. They're competent, motivated, genuinely capable, and profoundly unequipped for a set of problems that the software industry spent forty years developing hard-won intuition about. That isn't their fault.
Those forty years produced practices. Not all of them are written down, most were transmitted the way useful knowledge usually gets transmitted: through apprenticeship, through watching someone more experienced wince at a decision, through being in the room when a production system failed in a way that could have been prevented, through the stories that circulate in engineering teams about the time someone forgot to validate the model output before it hit the billing system, or the time the credentials were in the prompt template and ended up in a log file, or that time nobody pinned the model version and a provider update silently changed the agent's behavior for three weeks before anyone noticed.
That knowledge isn't in any LLM training set. It's in the heads of senior engineers who built systems before LLMs existed. And the LLM collapsed the apprenticeship.
The new agentic AI developer doesn't need to have served years learning the trade before they can build something useful. That's genuinely good news. The barrier's down, the capability is accessible, the thing they built on Friday actually works. What they don't have is the forty years of scar tissue that tells a seasoned engineer: yes, but have you thought about what happens when the model is down at 2am and this thing is running a billing process? Have you thought about what happens when the output is plausible but wrong, and the downstream system accepts it? Have you thought about who owns this when you leave? Have you thought about whether you're logging PII into a system that isn't cleared to hold it? Have you thought about whether the model provider is retaining your inputs for training? Have you thought about what "the model got updated" actually means for an agent that's been running in production for four months?
These aren't exotic failure modes. They're the normal failure modes of production software. Senior engineers know them not because they're smarter but because they've been burned by them, or watched someone else get burned. The new builder hasn't been burned yet, and we don't want them to.
The standard we describe in this paper exists to hand them the war stories before the incident. The industry has a responsibility here. The tools got cheap, the access opened up, the instinct to build was correctly validated and encouraged. But nobody handed the new builders the field guide for the environment they were walking into. That's the gap the Crow Blue Agent Readiness Standard (CBARS) is designed to close.
What production-ready agentic AI actually requires
CBARS is a practical punchlist: not a regulatory framework, not a compliance checklist, but the questions a grumpy senior developer would ask about an agent before signing off on it going anywhere near production.
Ten domains. Some items are required before a governance credential is issued. Most are advisory: things you should have done that the standard will surface and encourage. All of them are things that get skipped.
What data is the agent actually touching? Is it logging PII somewhere it shouldn't? Is it passing sensitive information to a model whose data retention terms haven't been reviewed? Does the output get classified at least as high as the most sensitive input? Every data source the agent accesses should be documented and classified. The developer who skips this step isn't being careless, they're just not thinking about the data residency regulation that'll matter when a customer asks where their information went.
What happens when the model is unavailable? Does the agent fail loudly or silently? Does it retry with backoff or hammer the API until something breaks? For agents that write to external systems: are operations idempotent, or does a retry create a duplicate record, a duplicate charge, a duplicate message? There's an entire category of production incident that happens because an agent encountered a timeout, retried without idempotency controls, and wrote the same transaction four times. The senior engineer knows to check for this. The vibe coder doesn't know to ask.
The oversight model needs to be declared before deployment and demonstrated in operation. Always reviewed, sampled, exception-only, fully automated. Each is a legitimate choice for the right use case and risk level. The choice needs to be documented, and the agent needs to actually operate the way the documentation says it does. An agent that claims human review but has no escalation path isn't governed. It's governance theater, and it won't survive an audit.
Model output is probabilistic. Treating it as deterministic is how production systems produce confident nonsense at scale. Schema validation before the output reaches a downstream system. Plausibility checks on numerical outputs. An evaluation suite of known-good inputs and expected outputs that runs before any significant change to prompts or model versions. The vibe coder trusts the model, the senior engineer validates the output. Both can be right that the model is good. Only one of them has thought about what happens when it's wrong.
Prompt injection isn't an exotic attack, it's OWASP's top LLM vulnerability for the second year running. An agent that processes user text, retrieved documents, or external API responses without structural separation between instructions and data is vulnerable by design. Least privilege: the agent has access to exactly what it needs and nothing more. Credentials in a secrets manager, not hardcoded in the prompt template. These aren't advanced security requirements. They're the baseline, the things senior engineers learned to do as a matter of reflex, and that new builders skip because nobody explained why.
For agents that make or influence decisions about people: has anyone assessed whether the outputs vary systematically by demographic group? Has the training data appropriateness been considered? The EU AI Act requires answers to these questions for high-risk systems. More importantly, the people affected by these agents deserve answers to them regardless of what the regulation requires. This is the domain where the consequences of skipping aren't technical. They're human.
People who interact with or are significantly affected by an agent's outputs should know that AI is involved. An agent that interacts with humans in real time should identify itself as AI when directly asked. It shouldn't claim to be human. Decisions that affect individuals should be explainable in plain language. These aren't aspirational standards, they're reasonable expectations, and increasingly legal requirements.
The system prompt is documented. The logic is commented. The dependencies are in version control with pinned versions. Unit tests cover the core logic. Someone other than the original builder can understand how this works. This domain is where vibe-coded agents die in slow motion: they work fine until the builder leaves, and then nobody can modify them, and then they run unchanged for two years accumulating technical debt and behavioral drift that nobody notices until a regulator asks for the change log.
The model version is pinned, not floating. A model provider update doesn't silently change the agent's behavior. Prompt changes go through the same process as code changes: version control, testing against the evaluation suite, documented rationale. A rollback path exists. A model version update isn't a software patch, it can fundamentally change what an agent does. Treating it as invisible maintenance is how organizations discover, six months after the fact, that their contract review agent has been producing different summaries since February.
Someone knows what this agent costs to run. A spend limit is defined and enforced. If the agent starts calling the model ten thousand times a day instead of one hundred, someone finds out before the bill arrives. Idle agents are identified and deprecated. This domain has no regulatory mandate. It's just the thing that surprises organizations who've been building quickly without tracking the fleet.
The governance model: default-allow
Every governance approach that tries to stop what can't be stopped produces the same outcome: more shadow agents.
The right model for governing agentic AI is default-allow. Register your agent, carry a passport, build in the open. The governance happens around the builder, not in front of them.
If someone's existing access controls permit them to read the CRM, their agent is provisionally permitted to read the CRM. Registration isn't a new security decision. It's a documentation event.
01
What does it do?
02
What data does it access?
03
What model does it call?
04
Does a human review the output?
Answer those and the organization has a record. The agent carries a credential. The security stack can verify it. The regulator can see it.
The governance process runs alongside the development. Not before it. A provisional credential is issued immediately on approval. The full credential is earned through instrumentation. The builder doesn't wait in a queue. The organization gains visibility. Nobody loses a Friday afternoon.
The same logic applies to the shadow fleet. When an ungoverned agent breaks (and they do break, because the forty-year-old battlefield has mines), the builder raises their hand. That's the registration opportunity: not a security incident, not an interrogation, but a help desk. Here's your credential. Here's the punchlist. Let's get this ready for the organization to depend on.
The standard is a call for comments
Version 0.1 of CBARS is published at crow.blue/standard.
It's a call for comments, because Crow Blue shouldn't be the final word on what production-ready agentic AI requires. The standard should be shaped by the people building these systems and living with the consequences: the senior engineers with the scar tissue, the security teams responding to the incidents, the governance teams trying to answer regulators with evidence rather than policy documents.
Submit comments at crow.blue/standard. The standard will be updated on a regular cadence as feedback arrives and the technology evolves. All substantive comments will be acknowledged and addressed in the public change log.
The goal is a standard that's genuinely useful to the people who build agents. Something that closes the distance between "I built something useful" and "the organization can depend on this." Without three weeks lost to a review queue. Without six months lost to an incident that could have been prevented if someone had handed them the field guide on day one.
The jailbreak isn't complete until the fleet is visible
Jailbreak ends with a vision: your data, your AI, your people. Stop renting problems.
The invisible fleet is what happens when that vision reaches the execution layer before the governance infrastructure does. It's not evidence that the vision was wrong. It's the next problem the vision creates, which is how progress actually works.
The jailbreak isn't complete when the agents are running. It's complete when the agents are visible: registered, credentialed, continuously monitored, accountable to the organization that depends on them and to the regulators who will demand records.
That accountability shouldn't slow the building. The governance model exists to make building safer, not harder. CBARS exists to hand the new builders the forty years of scar tissue they didn't get through apprenticeship.
More agents. Better governed. That's the complete sentence.
About Crow Blue
Crow Blue builds Signet, the registry and identity authority for enterprise agentic AI. Signet governs agents by default-allow: register your agent, receive a passport, build in the open. CBARS ships with every Signet provisioning event.
Jailbreak: The New Digital Transformation by David Habib is available on Amazon and at crow.blue.
Submit comments on CBARS at crow.blue/standard.
1 Unless, of course, you use ours: crow.blue/signet
2 I really dislike this term.
Sources
Gravitee State of AI Agent Security 2026 (n=900+)
Cloud Security Alliance, Autonomous but Not Controlled, April 2026
KPMG Q1 2026 AI Pulse Survey
Gartner, August 2025
OWASP LLM Top 10 2025
© 2026 Crow Blue · Freely reproducible with attribution