
A new report finds that 99.4 percent of 500 US CISOs surveyed experienced at least one SaaS or AI ecosystem security incident in 2025, with only three of the 500 reporting zero incidents. At the same time, 89.2 percent claim strong or comprehensive OAuth token governance, while 77 percent report comprehensive behavioral monitoring.
The study, from security platform Vorlon, finds that organizations deploy an average of 13 dedicated security tools across their SaaS and AI environments.
“Every CISO we surveyed understands the risk. Most are increasing their budgets to address it,” says Amir Khayat, co-founder and CEO of Vorlon. “But the security architecture most organizations have was built for the front door: application configurations, user logins, permission settings. The threat has moved to the engine room, the runtime layer where AI agents move sensitive data between systems, where OAuth tokens grant persistent cross-platform access, where a single compromised integration cascades silently across an entire SaaS supply chain. Most organizations are running this ecosystem without the ability to see what’s happening, investigate when something goes wrong, or contain it before the damage spreads. Vorlon exists to change that.”
One in three enterprises experienced a security incident involving AI agents in 2025. 75.4 percent characterize AI agents as a critical or significant data security risk, with 31.4 percent calling them a major new attack surface. 30.4 percent say they experienced suspicious activity involving AI agents in 2025, while 30.8 percent experienced unauthorized data exfiltration through SaaS-to-AI integrations. 83.4 percent say distinguishing between human and non-human behaviors is a limitation of their current tools.
CISOs report 80-85 percent confidence in understanding what data their deployed named-AI tools — ChatGPT, Claude, Copilot, Gemini — can access. However, when asked about other AI tools beyond the big names, that confidence drops to 65.4 percent, with 25 percent reporting no confidence at all.
There are worries about supply chain risks too: 46.6 percent of those surveyed call these a top priority risk, while only 0.8 percent feel adequately protected. 30 percent have experienced a supply chain attack involving a SaaS vendor or integration partner in 2025.
You can get the full report and read more on the Vorlon blog. Vorlon is also launching two new products, AI Agent Flight Recorder and AI Agent Action Center, to bring forensics and coordinated response to an enterprise’s agentic ecosystem. You can learn more on the company’s site.
