MIT Study Finds AI Agents Face Major Security Gaps in 2025

A major academic study examining 30 deployed agentic AI systems has found widespread failures in transparency, security documentation, and user control across the industry. The research was led by Leon Staufer of the University of Cambridge, with collaborators from MIT, Harvard University, Stanford University, the University of Washington, the University of Pennsylvania, and the Hebrew University of Jerusalem.
Agentic AI refers to software programs that go beyond responding to text prompts. These systems connect to external databases, tools, and services, and carry out multi-step tasks with a degree of autonomy. They are used in enterprise workflows, customer service operations, and web browsing, and they are increasingly embedded in mainstream software products.
The report, titled The 2025 AI Index: Documenting Sociotechnical Features of Deployed Agentic AI Systems, analyzed agents across eight categories of disclosure. In most of those categories, the majority of agents provided no public information at all. The omissions cover a wide range, from undisclosed potential risks to the complete absence of third-party security testing results.
One of the most significant findings is that for many enterprise agents, it is not possible to determine from publicly available information whether any monitoring of individual execution traces exists. This means there is no clear way to track exactly what an agentic AI system is doing at any given time. Twelve of the thirty systems examined either provide no usage monitoring at all or only alert users when they have reached a rate limit, making it difficult for organizations to track compute consumption.
Most of the agents studied do not identify themselves as AI systems to users or to third parties by default. This includes basic practices such as watermarking AI-generated images or honoring a website’s robots.txt file and flagging their traffic as automated. Without these disclosures, it becomes difficult to distinguish AI-generated activity from human behavior.
Several systems lack any documented method for stopping an active agent once it has begun running. Alibaba’s MobileAgent, HubSpot’s Breeze, IBM’s watsonx, and the automation platform n8n are among those that have no documented stop options despite operating autonomously. In some enterprise platforms, the only available option is to stop all agents simultaneously or to retract an entire deployment.
The report provides three detailed case studies. OpenAI’s ChatGPT Agent was highlighted as a relatively positive example, as it cryptographically signs the browser requests it makes, allowing its behavior to be tracked. Perplexity’s Comet web browser was flagged as having no agent-specific safety evaluations, no third-party testing, and no sandboxing or containment documentation beyond basic prompt-injection mitigations. HubSpot’s Breeze tools hold certifications for compliance standards including SOC 2, GDPR, and HIPAA, but their security testing documentation is incomplete. Breeze was evaluated by a third-party security firm, but HubSpot provides no methodology, results, or details about the testing process.
The research team contacted all companies whose systems were covered and waited four weeks for responses. Roughly one quarter of those contacted replied, but only three out of thirty provided substantive comments. Those responses were incorporated into the final report.
Most of the agentic systems reviewed are built on a small number of closed-source models from OpenAI, Anthropic, and Google. The study was based on public documentation, websites, product demos, academic papers, and governance documents. Researchers also created user accounts with some systems to verify certain aspects of their actual behavior.
The backdrop to this research includes the rapid spread of open-source agentic frameworks. OpenAI recently hired the creator of OpenClaw, an open-source framework that gained significant attention for enabling capabilities such as sending and receiving email on a user’s behalf. The same framework drew sharp criticism for serious security vulnerabilities, including the potential for complete takeover of a user’s personal computer.
The researchers warn that the governance challenges identified in the report, including ecosystem fragmentation, tensions around web conduct, and the absence of agent-specific evaluations, are expected to grow more serious as agentic capabilities expand. Responsibility for addressing these gaps, including proper documentation, independent security audits, and reliable control mechanisms, rests with the developers and organizations building and deploying these systems.