AI Agents Fail More Than Half the Time. Smarter Models Won't Fix It.
At a law firm Noufal Basheer is keeping unnamed, an AI agent reviewed every contract the paralegals had drafted and applied consumer protection statutes to an M&A agreement. The output was not obviously wrong. It was irrelevant — the agent had learned a pattern and applied it without any sense of when the pattern should not apply.
That is the organizational failure Basheer, Director of Strategy and Transformation at PepsiCo, spent several months documenting across nearly twenty peer organizations running agentic AI projects. What he described as organizational and philosophical is now showing up in independent security research as a measurable technical problem: agents inherit the oversight gaps of the organizations that deploy them, and those gaps compound faster than the platforms can patch them.
Microsoft patched CVE-2026-21520, an indirect prompt injection vulnerability in Copilot Studio, on January 15. Capsule Security, which discovered the flaw, documented what happened next: data was exfiltrated anyway. Microsoft's own safety mechanisms flagged the request as suspicious during testing. The patch addressed the vulnerability class. The exfiltration succeeded because the safety mechanisms in production caught the symptom, not the cause. The case is a concrete instance of what Basheer calls the gap between how agents are trained and how they are overseen — except here the oversight failure has a CVE number.
The same research identified a parallel vulnerability in Salesforce AgentForce. Microsoft assigned a CVE to its flaw. Salesforce has not, as of publication. Both platforms are in active enterprise deployment. Both have documented failure modes that patching alone does not close.
The pattern Basheer documented across peers has a name in the failure literature: organizations deploy agents faster than they build the infrastructure to govern them. A Rubrik ZeroLabs survey published this month, covering more than 1,600 global IT and security leaders, quantifies the result: 81 percent of organizations report their AI agents require more manual oversight than the efficiency those agents were meant to generate. Eighty-eight percent cannot roll back an agent's actions without disrupting their systems. Eighty-six percent expect agent proliferation to outpace their security guardrails within the year.
"Most failures are because many expect it to behave like tools instead of teammates," Basheer wrote in a March 4 post on HackerNoon that has circulated widely among practitioners since. The four failure patterns he heard most consistently: starting with an AI strategy instead of a business problem; treating agents as generalists rather than building for specific workflows; rolling out technology without investing in the AI literacy of the humans who will work alongside it; and treating human-in-the-loop oversight as a compliance checkbox rather than as a genuine learning mechanism.
The CVE chain illustrates the fourth pattern concretely. Microsoft's safety mechanisms flagged the Copilot Studio exfiltration request as suspicious. The request succeeded anyway. The system caught the symptom. The system did not prevent the outcome. Patching the vulnerability class was necessary and not sufficient — because the underlying oversight gap, the inability of the deployment to act on what the safety mechanism detected, is an organizational problem the patch does not reach.
The breakdown of how agentic AI projects fail varies by source but converges on the same root cause. Digital Applied, which analyzed failure patterns across hundreds of enterprise agent initiatives, identifies seven distinct failure modes: scope creep accounts for 34 percent of failures, data quality problems for 27 percent, security blockers for 14 percent, integration complexity for 9 percent, cost overruns for 7 percent, governance gaps for 5 percent, and organizational resistance for 4 percent. Gartner predicts more than 40 percent of agentic AI projects will be canceled by the end of 2027, citing escalating costs, unclear business value, and inadequate risk controls. A study from MIT's NANDA initiative, published last August, found that 95 percent of generative AI pilots at companies fail to deliver measurable return on investment. None of these sources are measuring the same thing identically. They are all pointing in the same direction.
The organizational failure Basheer describes is also a technical one: agents trained on incomplete contexts will produce outputs that are locally correct and globally irrelevant. The law firm agent applied consumer protection statutes to an M&A agreement. The Copilot Studio agent exfiltrated data through a patched vulnerability. Both behaviors are exactly what the system was designed to do, within the context the system was given. Neither system had an effective mechanism for noticing the context was wrong.
Some organizations remove humans from the loop too early and let agents compound small errors into expensive failures. Others overcorrect so completely that automation disappears and return on investment evaporates. The answer is not to add a reviewer at the end of the pipeline. It is to treat new agents the way one would treat a new employee: heavy supervision early, structured feedback loops, autonomy granted only as output becomes measurably reliable.
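The two oversight points made above (a safety flag that is raised but not acted on, and autonomy that is earned rather than assumed) can be expressed as a single action gate. The Python below is an added example, not code from Basheer's post or from any vendor platform; the `Action`, `ReviewHistory` and `gate` names, the 0.90 threshold and the use of a Wilson lower bound as the reliability measure are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class Action:                 # hypothetical record of one proposed agent action
    workflow: str             # workflow the request actually belongs to
    safety_flagged: bool      # verdict from whatever safety classifier is deployed

@dataclass
class ReviewHistory:          # outcomes of human review for this agent so far
    approved: int             # outputs a reviewer accepted unchanged
    total: int                # outputs a reviewer looked at

def wilson_lower_bound(approved: int, total: int, z: float = 1.96) -> float:
    """Lower end of the 95% Wilson interval for the true approval rate."""
    if total == 0:
        return 0.0
    p = approved / total
    denom = 1 + z * z / total
    centre = p + z * z / (2 * total)
    margin = z * math.sqrt(p * (1 - p) / total + z * z / (4 * total * total))
    return (centre - margin) / denom

def gate(action: Action, history: ReviewHistory,
         trained_workflow: str, threshold: float = 0.90) -> str:
    # A flag is enforced, not just logged: detection without blocking is the gap.
    if action.safety_flagged:
        return "block"
    # Out-of-scope input goes to a person (statutes for the wrong contract type).
    if action.workflow != trained_workflow:
        return "human_review"
    # Autonomy only once the reviewed record supports it; a short record does not.
    if wilson_lower_bound(history.approved, history.total) < threshold:
        return "human_review"
    return "auto_execute"

# Constructed sample data, not taken from any real deployment.
NEW_AGENT = ReviewHistory(approved=19, total=20)         # 95% raw approval
PROVEN_AGENT = ReviewHistory(approved=970, total=1000)   # 97% raw approval

if __name__ == "__main__":
    refund = Action("refund_claims", safety_flagged=False)
    print(gate(refund, NEW_AGENT, "refund_claims"))
    print(gate(refund, PROVEN_AGENT, "refund_claims"))
    print(gate(Action("refund_claims", True), PROVEN_AGENT, "refund_claims"))
```

The new agent's 19 of 20 approvals look like 95 percent, but the lower bound on so few reviews is about 0.76, so it stays under supervision until the record is long enough to justify autonomy.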
The counterexample is equally instructive. A customer experience leader Basheer spoke with trained one agent exclusively on customer refund claims. Narrow scope, repetitive task, tight feedback loop. In the pilot, the agent eventually resolved nearly 65 percent of claims end-to-end. The organization is now preparing a broader rollout.
PepsiCo, Basheer's own employer, has been public about its agentic ambitions. The company has committed to being agentic AI-first across every part of its business by 2026, according to public statements by Athina Kanioura, its EVP and chief strategy and transformation officer. It has built an internal sandbox called PepGenX, partnered with AWS on Bedrock integration, and is deploying Salesforce's AgentForce platform across its operations.
The gap between announcement and execution is where Basheer's findings live. He is not writing about PepsiCo specifically. He is writing about the consistent patterns he heard from peers across industries — patterns that his own firm is presumably trying to avoid.
Organizations that apply structured failure-mode assessment before beginning development reduce their failure rate to below 15 percent. The methodology is not a secret. It is organizational discipline dressed up as AI strategy: define scope explicitly, invest in data readiness before building the agent, build security architecture concurrently with development, establish governance frameworks before deployment.
None of these are technical breakthroughs. They are the practices that separate the 12 percent of agent projects that reach sustained production from the 88 percent that do not.
What is changing now is that the scale of failure is becoming large enough to see. The sunk cost is becoming visible in quarterly reports. The vendors and internal champions who sold C-suites on agentic ROI, on the premise that better models would close the gap, are now exposed to a different kind of question: not whether the models are good enough, but whether the organizations are.
The models are not the problem. They have never been the problem. The question is whether the organizations deploying them have built the systems those models are being asked to run inside.