I'm using the av-insight-writer skill to draft this article in the AV Insight style.
Germany just named the regulator who has to care, and the number it is staring at is more than half.
A company spends real money on AI infrastructure, wires agents into its workflows, and then loses roughly 500 million dollars because nobody set a limit on what those agents could do. That is not a thought experiment from a risk seminar. It is one of the cases behind the Gravitee 2026 report, which puts a hard figure on a problem most firms would rather keep vague: more than half of all active AI agents are not adequately monitored. The agents are working. They are just working in the dark.
That number lands at the same moment Germany finally named the office responsible for watching. The Bundesnetzagentur has been designated the central supervisory authority for the EU AI Act in Germany, and it is not opening with abstractions about innovation. It is pointing straight at small and mid sized companies: how language models actually function, what the AI Act and the GDPR oblige a business to do, which technical safety standards apply. For the first time the German agentic governance conversation has a named address and a citable gap in the same week.
The gap is operational, not technical
The reflex is to read a "50 percent unmonitored" headline as a tooling failure, as if the right dashboard would close it. The rest of the Gravitee data says otherwise. Forty nine percent of executives name a lack of internal coordination as the single biggest barrier to getting AI under control. Not model quality, not compute, not vendor choice. Coordination. The agents are deployed faster than any team has agreed on who owns them, who reviews their output, and who pulls the plug when one of them starts spending money it should not.
The flip side of that number is the more interesting one. Fully aligned AI projects, the ones where the organisation has agreed on goals, ownership, and guardrails, scale six times more often than the rest. So the firms that treated governance as the precondition rather than the cleanup are not just safer. They are the ones actually getting their AI into production at all. The unmonitored half and the six times multiple are the same story told from two ends. Where nobody coordinated, agents proliferate and nothing scales. Where someone did the work of alignment first, the agents both behave and compound.
Why the Mittelstand is the exposed flank
The Bundesnetzagentur's decision to lead with KMU is not regulatory politeness. It is where the exposure concentrates. A large enterprise can absorb the cost of a compliance team that reads the AI Act line by line. A 140 person manufacturer in the Ruhr cannot, and it is precisely that firm that has quietly let a sales agent draft customer emails and a procurement agent compare supplier quotes without anyone documenting what data those agents touch or what legal duties now attach. The skill gap and the governance gap are the same gap. The companies least equipped to answer the regulator's questions are the ones the regulator has chosen to ask first.
This connects to a pattern the wider market priced in this same month. When Accenture reported managed services bookings down 15 percent, read explicitly as work permanently absorbed by automation, and an IBM study found 91 percent of executives do not fully understand their own AI dependencies across vendors, models, and infrastructure, the thread running through all of it is the same. Adoption has outrun comprehension. The buyers switching providers and the agents running unwatched are driven by one condition: people deployed AI faster than they understood it.
The work nobody priced in
Governance is being discovered as the missing line item, and the discovery is expensive. The half a billion dollar loss, the unmonitored majority, the projects that never scaled because no one coordinated them: these are not the cost of AI. They are the cost of skipping the work that makes AI usable. A tool that writes code or compares quotes is cheap now. The judgment about which agent may act, on what data, under whose review, and where the hard limit sits is the part that stayed scarce, and the Bundesnetzagentur has just made it legally unavoidable for the firms least ready for it.
The practical move for any mid sized operator is to draw one honest map of every agent already running in the business and ask, for each one, who would notice and who could stop it if it went wrong tomorrow. Most will not be able to finish the list, and that incompleteness is the finding.
The regulator now has a name and the gap now has a number. What it does not yet have is the workforce who can close it, company by company, before the first audit letter arrives.