Adversa's Q2 2026 AI Risk Quadrant Report, published June 3, scored 100 production agent systems against three dimensions: attack surface, blast radius, and defenses. Two numbers worth holding.
98% of production agents carry the lethal trifecta — Simon Willison's framing for the combination of access to private data, exposure to untrusted content, and the ability to take outbound actions, on the same execution path.
Only 11% qualify as adequately defended.
The remaining 87% don't lack the trifecta. They've got it; they just haven't built around it.
Tool execution alone explains 76% of blast-radius variance across the cohort. That's the headline finding. The capacity to act in the world — to write to APIs, push commits, install packages, send messages — is what converts an agent failure from a logged exception into an operational incident.
