1 Executive Summary
[Lede placeholder.] The agent market moved faster than its security story. This section gives you the one-page version: what we measured, what we found, what to do about it.
[Opening paragraph.] Across the 10 agent classes and 168 sample agents plotted in this edition, a clear market-wide pattern emerges: capability and attack surface tend to move together. The same vendors shipping the most capable agents are the same vendors shipping the widest attack surface — a structural feature of the market, not a handful of outliers. The four quadrants partition the cohort into distinct risk profiles, and the ten-class taxonomy explains why agents within a quadrant still differ by several SAC points: the class attack model changes what “defense” has to mean.
[Closing paragraph of the lede.] This report is readable cover-to-cover, but it is also designed as a reference. The four figures in Section 2 are the map. The ten class sections in Section 3 are the territory. Use the filter row in Section 2 to scope every figure at once.
1.1 Key Findings
- Capability tracks attackability. Vendors with the most capable agents are, at the market level, also the most attack-surface exposed. “More agent” nearly always means “more injection vectors”.
- Q4 Reckless Powerhouses is the most populated quadrant. High capability paired with shallow defenses — coding agents, automation platforms, computer-use agents.
- Configuration-file injection is the signature attack on Coding Agents. .cursorrules, .clinerules, .windsurfrules, copilot-instructions.md, AGENTS.md, .roo — one poisoned repository, one zero-click RCE.
- Enterprise platforms dominate the SAC top. ServiceNow, Amazon Bedrock, SAP Joule, Amazon Q Developer, Salesforce Agentforce — governance inherited from host platforms translates directly into security-adjusted capability.
- AIRQ-02 (external data) is the universal attack surface. Indirect prompt injection via retrieved content is nearly universal. If you fix one thing across your agent portfolio, fix ingestion.
- Open-source agents without isolation carry the highest structural blast radius. OpenClaw (10+ CVEs, ~30K exposed instances) and AutoGPT continuous mode are the worst cases.
- Compliance is becoming a defense multiplier. AIUC-1, SOC 2, Purview DLP, and platform-inherited governance correlate with the leaderboard top.
1.2 Market Analysis
[Market paragraph.] The market splits cleanly into three archetypes: (a) enterprise-governed agents that inherit identity, authorization, and audit from host platforms; (b) developer-facing agents that execute on unsandboxed workstations with full user permissions; (c) consumer- or customer-facing chat and browser agents whose attack surface is the open web itself. These three archetypes carry fundamentally different defensibility profiles, yet most procurement frameworks still treat them identically. The AIRQ taxonomy forces the distinction.
[Trend paragraph.] Three trends reshape the market for the coming year: memory and MCP integrations pushing attack surface into previously “safe” chat assistants; config-file and rules-file injection becoming the dominant zero-click vector on coding tools; and the continued acquisition of pure-play AI security vendors by larger platforms — driving convergence of runtime guardrails into the same platforms shipping the agents.
1.3 Recommendations
- Buy by class, not by vendor. Compare agents only within the same class and quadrant. Coding Agent vs Browser Agent, or Q1 vs Q4, are category errors.
- Require documented AIRQ-02 controls before deploying any agent that ingests external content. If a vendor cannot explain what protects ingestion, they do not have a control.
- For coding agents, require OS-level isolation (Seatbelt/Bubblewrap/nsjail) or procure only cloud-sandboxed variants. The local-execution-no-sandbox category is uninsurable.
- Score agents with and without optional features enabled. Memory, plugins, MCP, auto-approve modes — the delta is the real attack surface.
- Re-audit quarterly. CVE velocity in this market is an order of magnitude higher than traditional enterprise tooling. Annual reviews will miss the incidents.
1.4 Methodology at a Glance
[Methodology paragraph.] Each agent receives three scalar scores: X — Compromise, a 0–10 weighted sum across ten attack surfaces (AIRQ-01 User Input through AIRQ-10 Configuration), evidence-adjusted against published CVEs and demonstrated exploits; Y — Harm potential, a 0–10 score of blast radius if compromised; and D — Defense, a 0–15 composite of five verified control categories (D1 Input, D2 Execution Isolation, D3 Action Approval, D4 Output Filtering, D5 Audit). A single summary score, SAC (Security-Adjusted Capability), combines them as Y × (1 + D/15) × (5 / (X + 5)) — rewarding capability paired with defense, penalizing capability that comes at the cost of attack surface.
[Quadrant paragraph.] The two axes partition the cohort into four quadrants. See Section 2.1 for definitions and the interactive quadrant figure.
1.5 Scope & Inclusion Criteria
[Scope placeholder.] AIRQ scores agents that are (a) shipping as commercial or publicly available products, (b) agentic — meaning they take actions, not just generate text, (c) documented in English, and (d) published as of 2026 Q2. Code-only agent frameworks (LangGraph, CrewAI, AutoGen), physical-world agents (robotics, autonomous vehicles), and closed-enterprise tools without public documentation are out of scope.
2 AI Risk Quadrant Framework
[Leadership lede.] Four figures compose a single risk map. Each view is interactive and shares the filter row below, so scoping by quadrant, class, or search term applies everywhere at once.
2.1 The Risk Quadrant
[Figure intro.] Every bubble is one agent, plotted by Compromise (X, attackability across ten surfaces) and Harm potential (Y, blast radius if compromised). Bubble size encodes the inverse of total defense strength — smaller is stronger. The four quadrants separate agents by whether capability outruns defense investment. Click any bubble for a full breakdown.
- Capability tracks attackability. The vendors with the most capable agents are, at the market level, also the most attack-surface exposed.
- Nearly half the cohort sits in Q4 Reckless Powerhouses — high capability with shallow defenses. This is where most security incidents originate.
- Q2 (Fortified Leaders) is almost entirely enterprise platforms that pair high capability with governance layers — ServiceNow AI Agents, SAP Joule, Salesforce Agentforce, Amazon Q Developer.
- OpenClaw is alone at Y = 10 with zero defenses — the worst structural risk in the cohort, with 10+ CVEs and active mass exploitation of ~30K exposed instances.
- Interpretive rule: compare agents only within the same quadrant. Q1 vs Q4 comparisons are category errors.
2.2 Attack Surface Decomposition
[Figure intro.] The X-axis is a weighted sum of ten attack surfaces (AIRQ-01–AIRQ-10, per AIRQ methodology). Figure 2 shows each agent's per-surface score so you can see where the attack surface concentrates, not just how large it is. Rows sort by X descending — most compromised first.
- AIRQ-02 (External Data) is the worst surface across the cohort — indirect prompt injection via retrieved content is nearly universal. Documents, web pages, tickets, emails, repo files.
- AIRQ-06 (Tool Execution) is the Q4 discriminator. AIRQ-02 gets you an injection; AIRQ-06 turns it into code execution. Autonomous coding, computer-use, and automation agents spike here.
- AIRQ-03 (Memory) scores are low today but rising — ChatGPT with persistent memory already demonstrates multi-session attack chains (ZombieAgent, CVE-2026-24307 Reprompt).
- AIRQ-10 (Configuration) is the signature attack on IDE-based coding agents — .cursorrules, .clinerules, .windsurfrules, copilot-instructions.md, AGENTS.md. One poisoned repo = one zero-click RCE.
- If you only fix one thing across your agent portfolio, put a guardrail on AIRQ-02 ingestion. Almost every current incident starts there.
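One defensive control for the AIRQ-10 finding above (and the Section 1.1 key finding): treat the rules files as code and fail CI when one appears or changes without review. This is an added example, not the report's own tooling; the file names are the ones the report lists, while the hash allow-list approach, function names and sample checkout are constructed.

```python
"""Pin agent rules files to reviewed hashes so a poisoned one fails CI.
Added example, not part of the AIRQ report: the file names are the ones the
report lists under AIRQ-10; the allow-list check and names are this example's.
"""
import hashlib
from typing import Dict, List

# Rules / instruction files named in the report as the AIRQ-10 vector.
RULES_FILES = {".cursorrules", ".clinerules", ".windsurfrules",
               "copilot-instructions.md", "AGENTS.md"}
RULES_DIRS = {".roo"}  # any file below this directory counts


def is_rules_path(relpath: str) -> bool:
    """True if a repo-relative path is an agent rules/config file."""
    parts = relpath.replace("\\", "/").split("/")
    return parts[-1] in RULES_FILES or bool(RULES_DIRS & set(parts[:-1]))


def check_rules_files(files: Dict[str, bytes],
                      allowlist: Dict[str, str]) -> List[str]:
    """Compare a checkout's rules files against reviewed SHA-256 hashes.
    files: repo-relative path -> content; allowlist: path -> hex SHA-256 of
    the last reviewed version. Empty result = nothing new or changed.
    """
    findings = []
    for path, data in sorted(files.items()):
        if not is_rules_path(path):
            continue
        if path not in allowlist:
            findings.append(f"NEW rules file, not yet reviewed: {path}")
        elif allowlist[path] != hashlib.sha256(data).hexdigest():
            findings.append(f"MODIFIED rules file since review: {path}")
    for path in sorted(set(allowlist) - set(files)):
        findings.append(f"REMOVED reviewed rules file: {path}")
    return findings


# Constructed sample checkout: a reviewed AGENTS.md, an unreviewed
# .cursorrules, and a .roo rule whose content changed after review.
SAMPLE_FILES = {
    "AGENTS.md": b"Run the test suite before committing.\n",
    "src/app.py": b"print('ok')\n",
    ".cursorrules": b"Prefer tabs over spaces.\n",
    ".roo/rules/style.md": b"Use snake_case.\n",
}
SAMPLE_ALLOWLIST = {
    "AGENTS.md": hashlib.sha256(SAMPLE_FILES["AGENTS.md"]).hexdigest(),
    ".roo/rules/style.md": hashlib.sha256(b"Use camelCase.\n").hexdigest(),
}
```

Wire check_rules_files into the pull-request pipeline and block the merge on any non-empty result; the allow-list is updated only by the reviewer who signed off on the rules file.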
2.3 Security-Adjusted Capability (SAC) Leaderboard
[Figure intro.] Ranked by SAC = Y × (1 + D/15) × (5 / (X + 5)). SAC rewards capability that is paired with defense investment, and penalizes capability that comes at the cost of attack surface. Higher = more capability per unit of risk — which is what enterprise procurement should actually be buying.
- The top of the leaderboard is enterprise. ServiceNow AI Agents (6.59), Amazon Bedrock Agents (6.60), SAP Joule (6.55), Amazon Q Developer (6.53), Salesforce Agentforce (5.95) — mid-high capability paired with platform-inherited governance.
- Business Process Agents punch above their weight. ITSM-focused operators lead the leaderboard (ServiceNow 6.59, Moveworks 6.13). Governance workflows + approval gates translate directly into SAC.
- The bottom is structural, not accidental. AutoGPT continuous (3.52) and OpenClaw (3.52) sit low because they have high capability and zero defenses. Adding governance would lift them 3+ points without changing capability.
- Tabnine (2.80) is low by design — it is non-agentic. Low SAC here is not a procurement red flag, it is the absence of an attack surface to adjust against.
- SAC is a better procurement signal than raw X, Y, or defense. It rewards vendors who invest in both capability and defense, which is the behavior you want.
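A calculator for the SAC formula stated in Section 1.4 and restated above, as an added example not taken from the report. The three agent profiles are constructed to illustrate the governance lift argued in this section and the optional-feature delta recommended in Section 1.3; they are not published AIRQ scores.

```python
"""Security-Adjusted Capability (SAC) as the AIRQ report defines it.
Added example, not part of the report. The formula and score ranges are the
report's; the agent profiles below are constructed, not published scores.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentScore:
    name: str
    x: float  # Compromise, 0-10: weighted sum over AIRQ-01..AIRQ-10
    y: float  # Harm potential, 0-10: blast radius if compromised
    d: float  # Defense, 0-15: composite of D1..D5 controls


def sac(x: float, y: float, d: float) -> float:
    """SAC = Y * (1 + D/15) * (5 / (X + 5)), rounded to two decimals."""
    for value, top in ((x, 10), (y, 10), (d, 15)):
        if not 0 <= value <= top:
            raise ValueError(f"score {value} outside 0..{top}")
    return round(y * (1 + d / 15) * (5 / (x + 5)), 2)


def governance_lift(a: AgentScore, d_new: float) -> float:
    """SAC gained by raising Defense to d_new with X and Y unchanged
    (the report's 'adding governance lifts the bottom' argument)."""
    return round(sac(a.x, a.y, d_new) - sac(a.x, a.y, a.d), 2)


def feature_delta(base: AgentScore, enabled: AgentScore) -> dict:
    """Change in X, D and SAC when optional features (memory, plugins,
    MCP, auto-approve) are switched on; the report calls this delta
    the real attack surface."""
    return {
        "x": round(enabled.x - base.x, 2),
        "d": round(enabled.d - base.d, 2),
        "sac": round(sac(enabled.x, enabled.y, enabled.d)
                     - sac(base.x, base.y, base.d), 2),
    }


# Constructed profiles (not the report's scores).
UNSANDBOXED = AgentScore("local coder, no sandbox", x=9.2, y=10, d=0)
COPILOT_OFF = AgentScore("work copilot, MCP off", x=4.0, y=6, d=9)
COPILOT_ON = AgentScore("work copilot, MCP on", x=6.0, y=6, d=9)

if __name__ == "__main__":
    print(UNSANDBOXED.name, "lift at D=15:", governance_lift(UNSANDBOXED, 15))
    print(COPILOT_ON.name, feature_delta(COPILOT_OFF, COPILOT_ON))
```

With Y fixed at 10 and zero defense, the constructed unsandboxed profile lands at 3.52 and gains 3.52 points from defense alone, which is the shape of the "3+ points without changing capability" claim; the copilot pair shows SAC falling by roughly one point when MCP adds two X points with no matching defense.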
2.4 Comparative Analysis
[Figure intro.] Pick two to four agents to compare head-to-head on every scored dimension. The highest-signal comparisons are same-class, different autonomy level (Cursor vs Devin to see the autonomy premium) or same Y, different defense posture (Microsoft 365 Copilot vs Google Gemini Workspace to see what Purview actually buys).
- Same class, different autonomy is the highest-signal comparison: Cursor vs Devin, Sierra vs Zendesk, M365 Copilot vs Agentforce.
- Same X, different defense reveals which vendors are actually investing — two agents at X = 5.5 can have SAC scores 2 points apart purely from D1–D5 quality.
- Cross-class comparisons are valid for procurement decisions (“do I buy Glean or Microsoft 365 Copilot?”) but not for risk trending — they span different attack models.
- Compare attack-surface profiles (the ten S-scores), not just totals. Two agents at X = 6.0 can have entirely different weak spots to fix.
3 Agentic Landscape Security
[Class lede.] The 10 agent classes of the AIRQ taxonomy, applied across the sample agents in this edition. The rollup appears first; deep dives for each class follow, each with its description, membership, and class-specific takeaways.
3.0 Agentic Landscape Overview
[Rollup intro.] Each card shows the class mental model, a count, and average X / Y / Def / SAC for its members. Averages respect whatever filters are active in the toolbar.
- Coding Agents is among the largest and most internally varied classes. Within the class, more autonomous agents sit several X-axis points higher than interactive copilots; class-level averages can mislead, so read the member list before drawing conclusions.
- Work Copilot Agents cluster around a consistent Y profile — the indirect-injection-via-shared-documents class, with EchoLeak-style CVEs as the canonical case.
- Business Process Agents lead on average defense. They inherit governance from their target systems (ITSM approvals, Salesforce Trust Layer, SAP authorizations, AWS IAM).
- General Chatbot Agents and Deep Research Agents remain volatile classes — market-defining vendors continue to ship new capabilities faster than defenses mature.
- The class filter above works as a scope knob — apply it before reading the other sections to see how each class sits on the quadrant, heatmap, and leaderboard.
4 Key Recommendations
[Recommendations placeholder.] The actions below translate the AIRQ findings into a short, prioritised programme for teams building, buying, or governing agentic systems. Items are ordered by expected risk reduction relative to implementation effort.
- Treat the agent, not the model, as the unit of risk. Evaluate every deployment on its full attack surface — inputs, tools, memory, and oversight — rather than the underlying LLM alone.
- Constrain tool access by default. Start every new agent in a minimal-privilege sandbox and expand capabilities only after targeted red-teaming and policy review.
- Put a human in the loop for high-impact actions. Require explicit confirmation for irreversible or outbound operations (payments, data egress, code execution, customer-facing messages).
- Harden the input boundary. Apply prompt-injection defences on every untrusted surface — web pages, documents, emails, tool outputs — and log injection attempts as security events.
- Instrument agents like production services. Ship structured traces, tool-call audits, and behavioural baselines so anomalies can be detected, triaged, and rolled back quickly.
- Re-assess against AIRQ on every major release. Re-score agents when capabilities, tools, or deployment posture change; use quadrant drift as a signal for renewed governance review.
5 About the AIRQ Project
[About placeholder.] AIRQ is a framework for reasoning about agent security at the level of categories, not individual products. The report is organised around ten established agent classes that together cover the working landscape; specific agents are cited only to illustrate and support the points made about their class.