The problem

Companies deployed AI agents before they deployed control.

Enterprises put AI agents into production with real access to customers, data, and credentials before putting controls around them. The results are now public record. In every case the fix came after the damage: a disclaimer, an emergency token revocation, a same-day shutdown. Veryl exists to move the fix before the damage.

The pattern in numbers

The largest unmanaged risk surface of the decade.

82% run agents. 44% have policies.

82% of organizations already run AI agents. Only 44% have policies to secure them, in a survey of technology leaders.

SAILPOINT, 2025

80% saw unintended actions.

80% report their agents have taken unintended actions in production, including accessing unauthorized systems and sharing sensitive data.

SAILPOINT, 2025

97% of AI breaches lacked controls.

Among organizations that reported a breach involving AI, 97% lacked AI access controls. A subset, but inside it the pattern is nearly universal.

IBM AND PONEMON INSTITUTE, 2025

$670,000 per breach.

Unsanctioned "shadow AI" added an average of $670,000 to the cost of a breach.

IBM AND PONEMON INSTITUTE, 2025

The gap between adoption and control is not a rounding error. It is the largest unmanaged risk surface most companies have added this decade.

A note on the numbers: SailPoint sells identity security and IBM sells security services, so both studies come from interested vendors. We cite them anyway because they are the best-documented measurements of this gap, and we tell you where they come from so you can weigh them yourself.

Case one

The agent that gave illegal advice for 22 months.

What happened

New York City launched its MyCity business chatbot in October 2023. In March 2024, reporters at The Markup documented it telling business owners they could take a cut of workers' tips, refuse Section 8 vouchers, and refuse cash. All three are illegal. Follow-up testing by the Associated Press found worse. The city's response was a disclaimer, not a fix. The bot stayed in production another 22 months and was finally shut down in January 2026, with the roughly $500,000 system publicly called functionally unusable.

How Veryl is designed to catch this

In Veryl Agent Registry, an agent cannot be invoked by the public until a version passes verification. Verification for a civic-advice agent means scoring against a held-out set of legal questions for groundedness and calibrated abstention: the agent must cite the actual rule and must say "I do not know" rather than guess. An agent that tells ten out of ten testers the wrong answer on housing law does not verify, so it never reaches the public. And when the first bad answer surfaced anyway, quarantine is one click: the agent goes red on every surface at once, is fixed, re-verifies, and returns.

What prevention would have been worth

The $500,000 build survives instead of being written off. Twenty-two months of legal exposure from advice that violated federal and city law never accrues. The program continues under a new administration instead of becoming the example everyone cites. Estimated saving: the full system cost, plus liability exposure that was never priced.

Case two

The agent credentials that breached 700 companies.

What happened

In August 2025, attackers compromised the OAuth tokens of the Salesloft Drift chat agent and used them to export data from the Salesforce instances of more than 700 organizations, including Cloudflare, Zscaler, and Palo Alto Networks. Google's threat intelligence team found the real goal was credential harvesting: the stolen data was mined for AWS keys, passwords, and Snowflake tokens. Cloudflare alone rotated 104 exposed API tokens. The only remediation available was blunt: every Drift token revoked, the product pulled from the marketplace, and the blast radius still widened to Google Workspace a week later.

How Veryl is designed to catch this

Honestly: Drift was a vendor's agent, and it would not have been running inside Veryl. That is exactly the lesson. It was an agent whose credentials nobody governed, and 700 organizations paid for it. For agents that live in Veryl, the design answers this failure directly: credentials sit in a vault instead of long-lived tokens, access is scoped inside Rooms to exactly what the job requires, a mass export of customer databases lands in the append-only audit log as it happens, and revocation is one precise click instead of killing an ecosystem. For agents you don't host, this incident is why the Agent Passport exists: a signed, checkable credential with live status, so trust in someone else's agent is something you verify, not something you assume.

What prevention would have been worth

For any single victim, the incident response, credential rotation, forensics, and disclosure costs of a breach. IBM and Ponemon put the premium for exactly this failure mode on record: organizations breached through AI lacked access controls 97% of the time, and shadow AI alone added $670,000 to average breach costs. We won't put our own number on incidents we didn't prevent; the per-incident figures are IBM's, not ours. What we will say: for any single organization, one avoided breach response costs more than most companies spend on governance in a decade.

Case three

The update that deleted the guardrails.

What happened

In January 2024, a system update to DPD's customer service chatbot silently weakened its guardrails. The first customer who tried got it to swear at him, write a poem about its own uselessness, and call DPD the worst delivery firm in the world. The exchange went viral. DPD disabled the AI the same day and lost its support automation while it rebuilt.

How Veryl is designed to catch this

In Veryl Agent Registry, a new version is a new verification. Every change, whether to instructions, knowledge, tools, or the underlying model, produces a version that must pass its checks, including jailbreak and regression tests, before it can serve anyone. The verified prior version keeps working until its successor earns its place. A guardrail regression fails verification in a test environment, quietly, instead of failing in front of a customer with a screenshot button.

What prevention would have been worth

No viral moment, no same-day shutdown, no gap in support coverage while the bot was rebuilt. The cost of the control is one verification run per release, measured in minutes. Estimated saving: the brand damage is hard to price, but the operational math is not. Preventing one such incident costs less than the incident's first hour.

The shape of the fix

Every failure above shares one shape: the control that was missing is ordinary, and it was missing because no system made it the default.

Veryl makes it the default. Verification before an agent can act. A verified identity with scoped, vaulted credentials. Re-verification on every change. An audit trail that is always on, and a quarantine that takes one click.

One number to keep: unsanctioned AI added $670,000 to the average breach. Veryl's entry tier costs $1,000 a month. Preventing a single incident pays for the governance layer many times over, and the first verified agent usually ships in under a week.

Set the rules once. Carry them everywhere.

Veryl Agent Registry opens to beta users in September 2026. Waitlist members get their invites first.

Sources: The Markup (Mar 2024, Jan 2026) · Associated Press (Apr 2024) · Google Threat Intelligence Group (Aug 2025) · Time and ITV quoting DPD (Jan 2024) · SailPoint agent security survey (May 2025) · IBM/Ponemon Cost of a Data Breach (2025)

You may notice widely shared incidents missing from this page. We left out every case we could not verify to our own standard. If we can't show it, we don't say it.