The independent AIRQ report (AI Risk Quadrant, 2026 Q2) evaluated 100 commercial and publicly available AI agents and found only 11% met its security threshold, according to reporting by Help Net Security and IT Security News. The assessment highlights that many production agents run with standing credentials and tool access that create opportunities for single-document or prompt-based takeover. Separately, the open detection project Agent Threat Rules (ATR) publishes an open YAML rule format and a reference engine; Help Net Security reports ATR carries more than 400 rules and records benchmark recall ranging from 98.0% on NVIDIA garak's in-the-wild jailbreak corpus to single-digit recall on several other corpora. The ATR project documents coverage gaps and recommends combining rule-based detection with credential brokering, sandboxing, and human review for high-risk actions, per Help Net Security.
What happened
The independent AIRQ report (AI Risk Quadrant, 2026 Q2) scored 100 commercial and publicly available AI agents and reported that only 11% passed its security bar, according to Help Net Security and IT Security News. The coverage notes production agents frequently run with standing credentials and have access to tooling such as browsers, code execution, cloud consoles, and data warehouses, which increase attack surface in real deployments.
Technical details (reported)
The open detection project Agent Threat Rules (ATR) publishes a versioned YAML schema for detection rules, a TypeScript reference engine, and a Python wrapper called pyATR, Help Net Security reports. ATR's repository contains more than 400 rules covering categories including prompt injection, agent manipulation, skill compromise, and context exfiltration. Help Net Security reports ATR's version-pinned benchmark recalls as 98.0% on NVIDIA garak's in-the-wild jailbreak corpus, 38.5% on the broader garak set, 66.0% on hackaprompt, and single-digit recall on corpora such as AdvBench (1.3%), HarmBench (2.5%), and JailbreakBench (5.0%).
Industry context
Editorial analysis: Industry observers note that rule-based detection excels at structured, patternable attack signals but struggles with paraphrased or semantically rephrased adversarial inputs. Public reporting frames the ATR project as explicitly documenting this coverage gap and recommending that rule-based detection be paired with credential brokering, sandbox execution, and human review for high-risk actions.
What to watch
For practitioners: monitor three categories of indicators when evaluating agent deployments and defenses:
-
•rule coverage and benchmark recall across diverse adversarial corpora;
-
•whether agents hold standing credentials or use ephemeral, brokered credentials; and
-
•integration of sandboxing and human-in-the-loop controls for risky tool use. Editorial analysis: Observers building or operating agents should treat reported recall numbers as a measure of pattern-match coverage rather than complete protection. Organizations adopting ATR-style rule formats will need engineering to integrate rule evaluation into runtime controls and governance workflows, and to manage false positives and false negatives across different corpora.
Bottom line
The reported 11% pass rate in the AIRQ assessment and ATR's mixed benchmark recalls underscore that production AI agents remain a high-risk surface. The ATR project provides a pragmatic, open format for detection rules, but public measurements in Help Net Security indicate substantial coverage gaps that practitioners must address through layered controls.
Scoring Rationale #
The findings document high-risk exposure in production AI agents and provide a practical open detection format, making this notable for engineering and security teams. It is not transformational but is directly relevant to practitioners operating agents.
Practice interview problems based on real data
1,500+ SQL & Python problems across 15 industry datasets — the exact type of data you work with.