You Can’t Audit What You Can’t Attribute
The Cloud Security Alliance just confirmed what a lot of security teams already suspected: most organizations have no reliable way to tell a regulator what their AI agents actually did.
The Cloud Security Alliance study released in March 2026 lands a number that should make every CISO uncomfortable: more than two-thirds of organizations cannot clearly distinguish AI agent actions from human actions in their audit and access logs. Not “struggle to.” Cannot. The logs don’t support it.
That’s not a monitoring problem. That’s an AI agent audit trail compliance problem -- and it’s a different animal entirely.
What the data actually says
The CSA finding is damning on its own. Pair it with the access side of the picture and it gets worse. Most organizations have granted AI agents broader permissions than any individual human employee receives. There is no systematic process for reviewing those permissions, scoping them, or revoking them.
So you have agents operating at elevated privilege, and logs that can’t tell you what they did.
The EY survey on AI governance found that 99% of organizations reported financial losses from AI-related risks, with 64% suffering losses over $1M. A lot of those losses trace back to exactly this gap -- not a breach in the traditional sense, but an agent doing something nobody authorized, or something nobody can now prove was authorized.
The question regulators will ask
Here is the question that matters. Not “do you have AI governance?” Not “did you do a pre-deployment risk assessment?” The question is: “Show me exactly what that AI agent accessed, when, under what authorization, and who approved it.”
If your logs mix agent actions and human actions -- or worse, only capture human actions -- you cannot answer that question. You fail the audit.
This is not a hypothetical. HIPAA, SEC, CMMC, and the EU AI Act all require attribution-grade records. The EU AI Act’s high-risk AI system requirements -- which take effect August 2, 2026 -- mandate detailed documentation and audit trails for AI decision-making. SEC Regulation S-K and its emerging enforcement posture in financial services require trails that attribute actions to specific systems or humans.
If your audit log says “file accessed at 2:17am” with no indication of whether that was a human or an agent, and no policy reference for why access was granted, you do not have an audit trail. You have a timestamp log.
Why pre-deployment reviews don’t close this gap
A lot of security teams treat AI governance as a pre-deployment activity. You assess the model, you scope the permissions, you sign off, you ship. The problem is that what happens after deployment -- the actual runtime behavior of agents in production, against real data, on real schedules -- generates no attribution-quality record in most environments.
NIST’s AI Agent Standards Initiative, announced in February 2026, identifies agent identity, authorization, and security as priority areas precisely because the field has not solved these problems. Agent identity at runtime -- meaning the ability to say “this action was performed by Agent X acting under Policy Y delegated by User Z” -- is not yet standard practice.
The WEF Global Cybersecurity Outlook 2026 flags the same risk: without governance that operates at runtime, agents accumulate excessive privileges or propagate errors at scale. “At scale” is the part that matters. A human employee making a bad access decision affects one incident. An agent making the same bad decision can affect thousands of records before anyone notices.
The Kiteworks 2026 data makes the operational picture concrete
The Kiteworks Data Security and Compliance Risk: 2026 Forecast Report found that 63% of enterprises cannot enforce purpose limitations on AI agents -- meaning an agent authorized for one task can perform others -- and 60% cannot quickly terminate a misbehaving agent. These aren’t edge cases. They describe the majority of enterprise AI deployments right now.
The organizations that can answer a regulator’s attribution question share a common architecture: they have a logging layer that records every agent operation with the agent’s identity, the policy that authorized or denied the request, the data involved, and a timestamp -- meaning what happened and why it was allowed to happen.
Kiteworks builds this into the platform at the infrastructure level. The tamper-evident audit trail records every file access, transfer, and AI agent operation with the identity of the requestor, the policy that authorized or denied the request, the data involved, and the timestamp. The ABAC Data Policy Engine evaluates access on every operation, and AI agents inherit the rights of the delegating human without the ability to escalate. That is the architecture the CSA study identifies as absent in most enterprise environments -- a constraint enforced at every operation, not bolted on afterward.
What closing the gap actually requires
Attribution-quality logging requires three things that most current implementations don’t have. First, a persistent identity for each agent that travels with every operation -- an agent-specific identity that maps to a specific deployment, authorization context, and delegating human; a service account is not enough. Second, a policy reference captured at the time of access, not reconstructed after the fact. Third, tamper evidence -- logs that can’t be altered after the fact, because a regulator will ask whether the log itself is trustworthy.
None of this requires ripping out existing infrastructure. It does require making the attribution question -- “which agent, under what authority, touching what data” -- a first-class logging requirement rather than an afterthought.
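As an added illustration of the three requirements above (and of the difference between a “file accessed at 2:17am” timestamp log and an attribution-grade record), the following is example code written for this article, not Kiteworks platform code. The field names, the SHA-256 hash-chain layout and the sample events are all constructed assumptions; the point is that every record carries agent identity, deployment, delegating human and the policy evaluated at access time, that a record missing any of those is rejected rather than written, and that editing a record after the fact is detectable.

```python
"""
Attribution-grade, tamper-evident audit log for AI agent operations.

Illustrative example only (not Kiteworks code). Field names, the
hash-chain layout and the sample events below are assumptions chosen to
meet the three requirements in the text: persistent agent identity with
deployment, authorization context and delegating human; a policy
reference captured at access time; and tamper evidence.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

# A record lacking any of these is a timestamp log entry, not an audit trail entry.
REQUIRED_FIELDS = ("actor_type", "actor_id", "deployment", "delegated_by",
                   "policy_id", "decision", "action", "resource", "timestamp")


@dataclass
class AuditRecord:
    actor_type: str    # "agent" or "human": the distinction most logs cannot make
    actor_id: str      # persistent identity, e.g. "invoice-triage-v3" (hypothetical)
    deployment: str    # which deployment of that agent performed the operation
    delegated_by: str  # the human whose rights the agent inherited
    policy_id: str     # policy evaluated at the time of access, not reconstructed later
    decision: str      # "allow" or "deny"
    action: str
    resource: str
    timestamp: str     # ISO 8601, UTC
    prev_hash: str = ""   # hash of the previous record (chain link)
    entry_hash: str = ""  # hash of this record including prev_hash


def _canonical(rec: AuditRecord) -> bytes:
    """Deterministic serialization of everything except the record's own hash."""
    body = {k: v for k, v in asdict(rec).items() if k != "entry_hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    GENESIS = "0" * 64  # prev_hash of the first record

    def __init__(self) -> None:
        self.records: List[AuditRecord] = []

    def append(self, **fields) -> AuditRecord:
        """Write a record only if it answers 'which actor, under what authority, touching what'."""
        missing = [f for f in REQUIRED_FIELDS if f not in fields]
        if missing:
            raise ValueError(f"record is not attribution-grade, missing: {missing}")
        prev = self.records[-1].entry_hash if self.records else self.GENESIS
        rec = AuditRecord(**fields, prev_hash=prev)
        rec.entry_hash = hashlib.sha256(_canonical(rec)).hexdigest()
        self.records.append(rec)
        return rec

    def verify(self) -> Optional[int]:
        """Return the index of the first record that breaks the chain, or None if intact."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec.prev_hash != prev:
                return i
            if hashlib.sha256(_canonical(rec)).hexdigest() != rec.entry_hash:
                return i
            prev = rec.entry_hash
        return None

    def attribution(self, resource: str) -> List[dict]:
        """The regulator's question: who touched this, when, under what policy, approved by whom."""
        return [
            {"when": r.timestamp, "actor": f"{r.actor_type}:{r.actor_id}",
             "deployment": r.deployment, "policy": r.policy_id,
             "decision": r.decision, "approved_by": r.delegated_by}
            for r in self.records if r.resource == resource
        ]


def tamper_with_rehash(log: AuditLog, index: int, **changes) -> Optional[int]:
    """Edit a record and recompute its own hash; the next record's prev_hash still exposes it."""
    rec = log.records[index]
    for k, v in changes.items():
        setattr(rec, k, v)
    rec.entry_hash = hashlib.sha256(_canonical(rec)).hexdigest()
    return log.verify()


def build_sample_log() -> AuditLog:
    """Constructed sample events (not real data): one human access, two agent operations."""
    log = AuditLog()
    log.append(actor_type="human", actor_id="jdoe", deployment="workstation", delegated_by="jdoe",
               policy_id="POL-FIN-007", decision="allow", action="read",
               resource="/finance/q1-close.xlsx", timestamp="2026-03-10T02:17:00Z")
    log.append(actor_type="agent", actor_id="invoice-triage-v3", deployment="prod-eu-1",
               delegated_by="jdoe", policy_id="POL-FIN-007", decision="allow", action="read",
               resource="/finance/q1-close.xlsx", timestamp="2026-03-10T02:17:04Z")
    log.append(actor_type="agent", actor_id="invoice-triage-v3", deployment="prod-eu-1",
               delegated_by="jdoe", policy_id="POL-FIN-007", decision="deny", action="write",
               resource="/hr/salaries.csv", timestamp="2026-03-10T02:17:05Z")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", sample.verify() is None)
    for row in sample.attribution("/finance/q1-close.xlsx"):
        print(row)
```

Two design points worth noting. The policy identifier is stored on the record at write time by the component that made the allow/deny decision, so it cannot be back-filled later; and the hash chain means a single edited record is caught either by its own hash or, if the editor recomputes that hash, by the mismatch in the following record’s `prev_hash`. In production the chain head would also be anchored somewhere the log writer cannot reach (a separate store or signing service), which this example omits.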
The liability math is simple
You cannot retroactively create an audit trail. When the SEC asks for records of AI-driven decisions in a financial services audit, or when HHS asks for an access log under HIPAA, or when a CMMC assessor asks for evidence that controlled unclassified information was only accessed by authorized systems -- the log either has the record or it doesn’t.
Two-thirds of organizations are currently operating AI agents with logs that don’t have those records. The EU AI Act deadline is August 2, 2026. That gap between current state and regulatory requirement is not a future risk. It is a present liability, accruing with every agent operation that runs without attribution.
The organizations that will clear these audits already built the attribution layer before the audit arrived.