
An endpoint agent cannot report its own absence. The 2026 Axonius Activity Report, conducted with the Ponemon Institute, surveyed 662 IT and security professionals and put a number on the gap SOC teams have been working around for years. Across the Axonius customer base, in a median inventory of 298,000 devices, 12.7% of devices are missing the expected security agent.
If a device has no agent, no management console will show it. If a CMDB record is stale, no reconciliation run records it. A Claude Enterprise installation made outside of procurement creates a SaaS workspace, an authentication surface, and an API-token footprint that endpoint telemetry alone would not reliably inventory. The coverage percentage in the EDR dashboard is structurally incomplete because the reporting engine cannot see what it does not cover.
This gap matters more than it did six months ago. SOC and XDR vendors are bringing more autonomous investigation and remediation into production. These agents will query the same dashboards, rely on the same coverage percentages, and hit the same blind spots that human analysts have learned to work around. A human analyst second-guesses a 98% coverage number. An autonomous agent accepts it as ground truth and acts at machine speed.
Three independent signals converge on the same gap
In Gravitee’s 2026 survey, 88% of more than 900 administrators reported confirmed or suspected AI incidents, and only 14.4% of deployed agents operate with full security sign-off. The Axonius/Ponemon report found that 52% of respondents would allow autonomous agents to act on recommendations, while 63% said key data was not reliable. CSA’s Agency Trust Framework requires that agents have verified data governance before acting on any findings.
Mike Riemer, Field CISO at Ivanti, said known vulnerabilities in Azure honeypot networks can now be attacked in less than 90 seconds. “Traditional security measures continue to work,” Riemer told VentureBeat.
The caveat is that these measures only protect what you can see. An EDR agent deployed on 87.3% of the device inventory leaves the remaining 12.7% outside that agent’s telemetry, policy enforcement, and detection logic.
Exclusive deployment data quantifies the scale
Axonius CEO Joe Diamond told VentureBeat that the average CISO sees about 50% of what’s on the network. “Say 50% of their environment is sitting in dark matter,” Diamond said. “They don’t know what it is, where it is or who has access to it, if it’s safe or not.”
Deployment data from more than 900 Axonius customers backs up these numbers. TransUnion’s endpoint coverage went from 70% to 99% after out-of-band verification. Western Union went from 85% to 99% by combining data from 38 tools and cutting the manual workload in half. Lumen discovered 1.1 million assets where the CMDB showed 17,000. That translates into roughly 37,000 unmanaged endpoints per organization sitting outside every policy, every patch cycle, and every detection rule.
Diamond pointed to Anthropic’s frontier reasoning model as a sign that the ability to attack at machine speed will make any unknown asset riskier than it is today. “People are prone to shiny object syndrome,” he said. “If you don’t understand what 50% of your environment looks like from a traditional endpoint perspective, and you think you’re going to sprint to the granular control and management of AI, your program will fail.” Diamond called the broader AI shift “as big, if not bigger, than the internet.”
Three approaches compete to close the gap
Today, no architecture solves the visibility problem outright. Three approaches compete, and security teams should evaluate each before purchasing.
A dedicated integration layer uses bidirectional API adapters to build an always-current inventory. Axonius runs more than 1,400 adapters and now detects shadow Claude Enterprise installations through its Anthropic adapter (GA June 15). “We built a two-way API integration with all the IT systems and all the security controls to create an always-up-to-date inventory of what the environment looks like,” Diamond told VentureBeat.
Native EDR and XDR platform intelligence builds richer asset context within the agent footprint, and it is the preferred option for depth inside that footprint. The constraint is structural: platform-native intelligence is limited to what the agent can see, and the gap the Ponemon report identifies sits exactly where that visibility ends.
CMDB modernization requires continuous reconciliation against three or more independent telemetry sources. Only 13% of organizations reconcile daily, according to the Axonius/Ponemon data. The remaining 87% are running on stale records that feed incorrect prioritization into any automated remediation pipeline.
EDR data readiness: five gates before autonomous remediation
Before you allow autonomous SOC agents to close tickets or quarantine assets, this checklist tells you whether your EDR and asset data are robust enough to trust. It is vendor-agnostic, works with any EDR and CMDB, and gives you five pass/fail gates you can work through in a single session.
| Area of risk | What the data shows | Readiness threshold | Actions to take now |
| --- | --- | --- | --- |
| Asset inventory delta | Ponemon: only 45% combine sources into one view. Forrester TEI: 150% more assets than previously defined. Lumen: 17K in the CMDB, 1.1M discovered. | Delta ≤10% between discovery, CMDB and EDR agent counts. A delta above 10% blocks automated remediation until reconciled. | Run API-based discovery against all segments. Diff the CMDB against the EDR console count. Reconcile at least quarterly. |
| Unmanaged AI services | Gravitee: 88% confirmed or suspected AI incidents. Only 14.4% with full security approval. Anthropic adapter (GA June 15) detects unmanaged Claude Enterprise installations. | No high-risk AI services outside approved procurement. Weekly SaaS discovery scans. Unmanaged high-risk instances trigger IR triage before exception review. | Deploy SaaS discovery or protocol-level adapters for AI service discovery. Automate weekly scans. Route unmanaged instances to the IR queue. |
| CMDB record accuracy | Ponemon: only 13% reconcile daily (RSAC 2026). Brooks Running: 20% server mismatch between console and standalone discovery. Top reconciliation barriers: unclear prioritization, unclear ownership, inconsistent data. | ≥85% of records validated against 3+ independent telemetry sources. No stale or orphaned entries in the active remediation queue. | Cross-reference the CMDB against cloud inventory, EDR telemetry, and the IdP catalog. Continuous reconciliation replaces annual audit cycles. |
| Endpoint agent coverage gap | Ponemon: an agent cannot report its absence (p. 8). TransUnion: 70% to 99% after out-of-band verification. RSAC 2026: 12.7% of a 298K median device inventory lack the expected agent. | ≥95% agent coverage verified through out-of-band discovery. Many CISOs set this as the minimum before allowing autonomous remediation. Board reports do not rely on self-reported measures alone. | Run network-based or API-based discovery against the managed device list. Coverage below 95% blocks automated remediation. |
| Asset ownership map | Ponemon: 32% apply tags consistently. Only 51% assign ownership to new risks (pp. 9, 16). TransUnion: 12K to 190K assets, ownership mapped. | Owner assigned within 24 hours. Consistent tags across cloud, EDR and CMDB. Three systems showing three owners = failure. | Automate ownership through cloud tags, IdP group membership, or CMDB metadata. Map asset owner, remediation owner, and business owner as separate fields. |
Five questions to ask before authorizing autonomous SOC operations
- What independently verifies endpoint-agent coverage outside the EDR console?
- How does the SOC reconcile conflicts between EDR, CMDB, cloud inventory, IdP and discovery tools?
- Can AI agents act on assets with unknown or disputed ownership?
- Can the system distinguish the “insensitive” from the “invisible”?
- Which data quality gate blocks autonomous remediation when coverage or ownership drops below a threshold?
A board-ready risk framework
IEEE Senior Member Kayne McGladrey confirmed the pattern in multiple published VentureBeat interviews. The structural gap in self-reported coverage is not new. What is new is that autonomous agents will act at machine speed without the institutional workarounds that human analysts have developed over years of experience. Diamond laid out the board-level stakes plainly in an April 2026 press release: “Findings multiply because data is not trusted, ownership is unclear and not all asset classes are even in the picture.”
The CSA’s Agency Trust Framework requires that any agent promoted to a higher level of autonomy pass through five gates, including a demonstrated accuracy and security audit. The transparency obligations of Article 50 of the EU AI Act come into force on 2 August 2026. In May 2026, the Digital Omnibus pushed high-risk system obligations to December 2027, but organizations deploying agentic SOCs on incomplete asset data face an immediate operational risk that outruns any regulatory timeline.
Board-ready sentence: “Our EDR coverage reports are structurally incomplete because an endpoint agent cannot report its own absence, and we verify coverage through out-of-band discovery before we let autonomous agents that run at machine speed act on those reports.”
Security director playbook
- Run out-of-band asset discovery this week. Compare the results with the CMDB export and the EDR console count. If the delta exceeds 10%, stop automated remediation until the gap is corrected.
- Deploy SaaS discovery for AI services. Employees install AI before procurement and before security sees it. Weekly scans are the minimum. Route any unmanaged high-risk instances to the incident response queue for triage before exception review.
- Align asset ownership with remediation responsibility. Ponemon found that only 32% of organizations apply tags consistently. If three systems show three different owners for the same asset, automated remediation has no routing target. Fix the ownership layer before deploying the agents that depend on it.
- Retire coverage metrics that are only self-reported. Any risk calculation or board report based on coverage reported by the EDR console alone rests on data the reporting system cannot verify. Require an out-of-band check for every coverage number that informs a risk decision.
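The five readiness gates in the table above and the playbook steps that follow it describe one reconciliation procedure: pull an out-of-band discovery list, diff it against the CMDB and the EDR console, check SaaS discovery against procurement, and confirm that every asset has exactly one owner across sources. The script below is an added example, not Axonius, Ponemon or VentureBeat code; the inventories, the host names, the SaaS application names and the owner labels are constructed for illustration, and the thresholds (10% delta, 85% validated, 95% coverage) are the ones the table states. It shows why the EDR console alone cannot surface the gap: the hosts with no agent only appear in the discovery set, so only the out-of-band denominator exposes them.

```python
"""Five data-readiness gates before autonomous remediation.
Added example with constructed inventories; thresholds follow the table in the text."""
from dataclasses import dataclass

# Constructed sample data. Each source lists only what it alone can see.
DISCOVERY = {"ws-01", "ws-02", "ws-03", "ws-04", "ws-05",        # out-of-band network/API scan
             "srv-01", "srv-02", "srv-03", "lab-09", "iot-17"}
CMDB = {"ws-01": "it-ops", "ws-02": "it-ops", "ws-03": "finance", "ws-05": "finance",
        "srv-01": "platform", "srv-02": "platform", "srv-03": "",
        "old-77": "it-ops"}                                      # old-77: stale record, host is gone
EDR_AGENTS = {"ws-01", "ws-02", "ws-03", "ws-04", "ws-05",      # what the EDR console knows
              "srv-01", "srv-02", "srv-03"}                      # lab-09 and iot-17 never enrolled
CLOUD_TAGS = {"srv-01": "platform", "srv-02": "platform", "srv-03": "data-eng"}
IDP_GROUPS = {"ws-01": "it-ops", "ws-02": "it-ops", "ws-03": "finance",
              "ws-05": "finance", "srv-01": "platform", "srv-02": "data-eng"}
SAAS_DISCOVERED = {"claude-enterprise": "high", "crm-vendor": "low", "transcribe-ai": "high"}
SAAS_APPROVED = {"claude-enterprise", "crm-vendor"}             # procurement-approved list


@dataclass
class GateResult:
    name: str
    passed: bool
    value: object      # the measured quantity the threshold is applied to
    detail: str


def inventory_delta() -> GateResult:
    """Gate 1: spread between discovery, CMDB and EDR counts as a share of discovery."""
    counts = {"discovery": len(DISCOVERY), "cmdb": len(CMDB), "edr": len(EDR_AGENTS)}
    delta = (max(counts.values()) - min(counts.values())) / counts["discovery"]
    return GateResult("inventory_delta", delta <= 0.10, delta, f"delta={delta:.1%} {counts}")


def unmanaged_ai_services() -> GateResult:
    """Gate 2: high-risk AI SaaS seen by discovery but absent from procurement."""
    unmanaged = sorted(app for app, risk in SAAS_DISCOVERED.items()
                       if risk == "high" and app not in SAAS_APPROVED)
    return GateResult("unmanaged_ai_services", not unmanaged, unmanaged,
                      f"route to IR triage: {unmanaged}")


def cmdb_accuracy() -> GateResult:
    """Gate 3: CMDB records confirmed by three independent sources, and no stale entries."""
    stale = sorted(set(CMDB) - DISCOVERY)
    validated = [a for a in CMDB
                 if a in DISCOVERY and a in EDR_AGENTS and (a in CLOUD_TAGS or a in IDP_GROUPS)]
    ratio = len(validated) / len(CMDB)
    return GateResult("cmdb_accuracy", ratio >= 0.85 and not stale, ratio,
                      f"validated={ratio:.1%} stale={stale}")


def agent_coverage() -> GateResult:
    """Gate 4: coverage with the out-of-band discovery set as the denominator.
    The console's own ratio would be 8/8: an agent cannot report its absence."""
    no_agent = sorted(DISCOVERY - EDR_AGENTS)
    coverage = 1 - len(no_agent) / len(DISCOVERY)
    return GateResult("agent_coverage", coverage >= 0.95, coverage,
                      f"out-of-band coverage={coverage:.0%} no agent: {no_agent}")


def ownership_map() -> GateResult:
    """Gate 5: every discovered asset has exactly one owner across CMDB, cloud tags and IdP."""
    conflicts, missing = [], []
    for asset in sorted(DISCOVERY):
        owners = {o for o in (CMDB.get(asset), CLOUD_TAGS.get(asset), IDP_GROUPS.get(asset)) if o}
        if not owners:
            missing.append(asset)
        elif len(owners) > 1:
            conflicts.append((asset, sorted(owners)))
    return GateResult("ownership_map", not conflicts and not missing, (conflicts, missing),
                      f"conflicts={conflicts} missing={missing}")


def run_gates() -> list:
    return [inventory_delta(), unmanaged_ai_services(), cmdb_accuracy(),
            agent_coverage(), ownership_map()]


def remediation_allowed() -> bool:
    """Any failed gate blocks autonomous remediation until the data is reconciled."""
    return all(r.passed for r in run_gates())


if __name__ == "__main__":
    for r in run_gates():
        print(f"{'PASS' if r.passed else 'FAIL'}  {r.name}: {r.detail}")
    print("autonomous remediation allowed:", remediation_allowed())
```

On the constructed data every gate fails for a different reason: the counts disagree by 20%, one high-risk AI tool is outside procurement, the CMDB carries a stale host even though 87.5% of its records validate, two discovered hosts have no agent so out-of-band coverage is 80% while the console would report 100% of what it knows, and one server has two owners while three assets have none. Swapping the constructed sets for a real discovery export, CMDB dump, EDR host list and tag/IdP pulls is the only change needed to run it for real.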