AI Agent Digest: Week 26, 2026 - Agent Spend Hits $206B, Amex Buys an Agent Startup, and 'Agentjacking' Hijacks Coding Agents

Share
AI Agent Digest: Week 26, 2026 - Agent Spend Hits $206B, Amex Buys an Agent Startup, and 'Agentjacking' Hijacks Coding Agents

This was the week the numbers got serious, the incumbents got out their checkbooks, and the security researchers spoiled the party. Agent spending forecasts doubled, American Express bought an agent startup, and a new attack class showed exactly how fragile "let the agent read your tools" can be. Here are the eight stories that mattered, with our take on each.

1. Gartner says agent software spending hits $206B this year, up 139%

A new Gartner forecast puts AI agent software spending at roughly $206.5 billion in 2026, up 139% from $86.4 billion in 2025, the fastest-growing slice of enterprise software (Crescendo).

Hot take: A category that doubles in a year is not a trend, it is a stampede. The number itself is almost beside the point. What it really says is that the budget conversation moved from "should we pilot this" to "which line item does it come out of," and that shift is irreversible. The companies still debating whether agents are real are now debating it with a spreadsheet that already has agents in it.

2. American Express buys Hyper, an AI expense-agent startup

Amex is acquiring Hyper, a Sam Altman-backed startup whose agents auto-categorize expenses, check them against policy, and chase down late filings, to power a commercial expense platform launching later this year (American Express, PYMNTS).

Hot take: First Salesforce bought Fin, now Amex buys Hyper. The pattern is no longer subtle: incumbents have decided it is faster to buy an agent business than to build one, and a 130-year-old financial institution moving this fast tells you the window for "we will get to AI eventually" has closed. If your category has an agent-native startup in it, your biggest competitor is about to acquire one.

3. "Agentjacking" hijacks AI coding agents through fake bug reports

Researchers at Tenet Security disclosed Agentjacking: attackers send crafted error events to Sentry using public DSNs, hide commands in the markdown, and AI coding agents (Claude Code, Cursor, Codex) that read those errors via MCP execute the commands with the developer's own privileges. They found 2,388 exposed organizations and hit an 85% success rate in testing. Sentry called a full fix "technically not defensible" (The Hacker News, Tenet Security).

Hot take: This is the most important story of the week and almost nobody outside security is talking about it. The whole promise of agents is that they read your tools and act. Agentjacking weaponizes exactly that: any data source an agent trusts is now an attack surface, and "the agent did it with your credentials" is a sentence that should terrify every engineering leader. Treating tool output as trusted input was always the original sin. The bill is arriving.

4. The model flood: Gemini 3.5 Flash ships, three more loom

Google made Gemini 3.5 Flash generally available, tuned for agentic and coding work, while Gemini 3.5 Pro, OpenAI's rumored GPT-5.6, and Anthropic's Claude Mythos are all reportedly weeks away (Essa Mamdani, centerbit).

Hot take: Notice the framing on every one of these releases: agentic and coding performance, not chat. The frontier labs have quietly agreed on what these models are for, and it is running agents, not answering trivia. The other tell is speed. Flash-class models exist because multi-step agents care more about latency and cost per step than raw intelligence. The smartest model is losing to the fastest good-enough one.

5. Microsoft Agent 365 goes GA as a cross-cloud control plane

Microsoft Agent 365 reached general availability, offering a single plane to discover, govern, and secure agents across Microsoft, AWS, and Google Cloud, with Defender threat mapping arriving alongside (Futurum).

Hot take: Governance just became the product, not the afterthought. That is the right instinct, and the timing next to the Agentjacking disclosure is almost poetic. But watch the lock-in. A control plane that governs your agents everywhere is also a control plane that owns your agents everywhere. Centralized oversight is good. Centralized oversight you cannot leave is a different deal.

6. Alteryx lets analysts build agents without IT

At Inspire 2026, Alteryx unveiled Agent Studio and an MCP Server that let business analysts turn existing data workflows into autonomous agents, no central IT queue required (ERP Today).

Hot take: The citizen agent builder has arrived, and it is going to be both the best and worst thing about this year. Best, because the people who know the workflow can finally automate it without a six-month IT ticket. Worst, because every one of those self-built agents is an ungoverned thing touching real data, which is precisely the shadow-AI problem Agent 365 just shipped to solve. Democratization and governance are now in a race.

7. Qualcomm bets on agents across 40+ devices

Qualcomm laid out a roadmap to support AI agents across more than 40 devices, pushing agentic capability down to the hardware and the edge (AI Agent Store).

Hot take: Everyone is watching the cloud agent wars and missing the quieter one. When agents run on the device, the latency, privacy, and cost math changes completely, and so does the question of where your data lives. On-device agents are the strongest argument yet for the self-hosted, you-own-the-stack model. The edge is coming, and it favors whoever does not need to phone home.

8. The money concentrates, and the wrappers start dying

Venture capital is consolidating hard into a tier of core orchestration platforms. Startups with deep IP in multi-agent routing, state management, or vertical data integration are prime acquisition targets, while thin UI wrappers over generic APIs are being left to fade (Product Leaders Day).

Hot take: The shakeout we predicted is here on schedule. The "wrap an API, call it an agent" era is ending, and the survivors all own something hard underneath: real orchestration, real memory, real integration. If a company's entire moat is a nice chat box in front of someone else's model, it is not a startup anymore, it is an acquihire waiting to happen.

What we're watching next week

  • Whether GPT-5.6 or Claude Mythos actually ships, and whether the launch messaging is about agents or benchmarks.
  • The first real-world Agentjacking incident, as opposed to a research disclosure. It is coming.
  • A third major incumbent acquiring an agent startup, which would turn a pattern into a rule.

Bottom line

Week 26 was the week the agent market grew up in public. The spending is real, the acquisitions are real, the model roadmap is openly agent-first, and so, unfortunately, are the attacks. The throughline connecting all eight stories is the same one we keep landing on: capability is no longer the question. Trust is. Who governs the agent, who can hijack it, where it runs, and whether you can audit what it did are now the questions that decide everything.

That is the whole reason Geta.Team is built the way it is: AI employees with their own scoped identity, an auditable record of every action, and self-hosted deployment so your data and your agents stay yours. In a week that featured a 139% spending jump and an 85% attack success rate in the same breath, "which agents can you actually trust" stopped being a slogan and became the only question worth asking.

Want to test the most advanced AI employees? Try it here: https://Geta.Team

Read more