A study by MIT researchers found that agentic AI developers rarely publish detailed information about how the security of these tools has been tested.

AI agents are certainly having a moment. Between the recent virality of OpenClaw, Shedding book and OpenAI's plans to take its agent functionality to the next level, this may just be the agent's year.
What for? Well, they can plan, write code, browse the web and execute multi-step tasks with little or no supervision. Some even promise to manage your workflow. Others coordinate with the tools and systems on your desktop.
The appeal is obvious. These systems don't just respond. They act — for you and on your behalf. But when the researchers behind the MIT AI Agent Index cataloged 67 deployed agentic systems, they discovered something troubling.
Developers are eager to describe what their agents can do. They are much less keen to describe whether these agents are secure.
“Leading AI developers and startups are increasingly deploying agentic AI systems capable of planning and executing complex tasks with limited human involvement,” the researchers write in the paper. “However, there is currently no structured framework for documenting … the security characteristics of agent systems.”
This gap is evident in the numbers: around 70% of indexed agents provide documentation and almost half publish code. But only about 19% disclose a formal security policy and less than 10% report external security assessments.
The research highlights that while developers are quick to tout the capabilities and practical applications of agent systems, they provide far less information about security and risks. The result is a kind of unbalanced transparency.
What counts as an AI agent
The researchers thought carefully about what made the cut, and not every chatbot qualifies. To be included, a system had to operate with underspecified goals and pursue those goals over time. It also had to take actions that affect an environment in which human mediation is limited. These are systems that decide on intermediate steps themselves: they can break a general instruction into subtasks, use tools, plan, complete them and repeat.
This autonomy is what makes them powerful. This is also what raises the stakes.
When a model simply outputs text, its failures are usually limited to that output alone. When an AI agent can access files, send emails, make purchases, or modify documents, errors and exploits can be damaging and propagate multiple steps. Yet researchers found that most developers don’t publicly detail how they test these scenarios.
Capabilities are public, guardrails are not
The study’s most striking pattern isn’t hidden at the bottom of a table: it repeats throughout the paper.
Developers are comfortable sharing demos, benchmark results and use cases for these AI agents, but they are much less consistent when it comes to sharing security assessments, internal testing procedures or third-party risk audits.
This imbalance becomes more pronounced as agents move from prototypes to digital actors integrated into real-world workflows. Many indexed systems operate in fields such as software engineering and computer usage, environments that often involve sensitive data and significant control.
The MIT AI Agent Index does not claim that agentic AI is outright dangerous, but it does show that as autonomy increases, structured security transparency has not kept pace.
Technology is accelerating. The safeguards, at least publicly, remain harder to see.