The UK’s AI Security Institute just published the most comprehensive study of AI agent tool usage to date — and the numbers should change how every business thinks about AI risk. Working with the Bank of England, AISI analysed 177,000 tools built on Anthropic’s Model Context Protocol (MCP), tracking an ecosystem that grew from 5,000 tools to 177,000 in a single year. The headline finding: AI agents aren’t just reading data anymore. They’re executing transactions, controlling browsers, and writing code at scale.

The scale nobody expected

Twelve months ago, the MCP ecosystem was a niche developer experiment. Today it accounts for 14 million downloads, up from 80,000. That’s not linear growth — it’s the kind of adoption curve that catches procurement teams and risk functions off guard.

Strategic Reality: Most enterprise AI strategies still assume agents are advisory tools that summarise and suggest. This research shows 65% of agent tools now take direct action in the real world.

The raw numbers matter because they represent something specific: the gap between what organisations think AI agents do and what AI agents actually do is widening every month.

| Metric | January 2025 | January 2026 | Change |
|---|---|---|---|
| Total MCP tools | ~5,000 | 177,000 | 35x growth |
| Downloads | 80,000 | 14 million | 175x growth |
| Action tools (share) | 27% | 65% | +38 percentage points |
| Payment servers | 47 | 1,578 | ~34x growth |

From observation to intervention

The most striking finding is the composition shift. In late 2024, nearly three quarters of AI agent tools were passive — they read files, queried databases, fetched information. By February 2026, that ratio had flipped. Action-oriented tools now account for 65% of the ecosystem, up from 27% over just 16 months.

Critical Context: “Action tools” means agents that write code, execute browser commands, process payments, and modify live systems. This is not hypothetical capability — it’s measured, production usage across 177,000 tools.

This shift was driven by two categories in particular: computer automation (controlling desktop applications and operating systems) and browser control (navigating websites, filling forms, clicking buttons). These capabilities turn AI agents from research assistants into operational actors.

For UK businesses, the practical question is straightforward: do your IT governance policies account for software that can autonomously interact with your production systems?

Where agents concentrate — and where they don’t

The domain breakdown tells its own story. Software development and IT account for 67% of published tools and a staggering 90% of downloads. Finance and business operations hold 14% of tools. Healthcare, research, education, and legal compliance share the remainder.

SME Advantage: The heavy concentration in software development means AI agent risks and benefits hit tech teams first. SMEs with smaller, more agile tech functions can adapt governance faster than enterprises with complex change management.

That 90% download concentration in software development deserves attention. It means the people building your systems are already the heaviest users of autonomous AI tools. Code is being written, reviewed, and deployed with agent assistance — and in many cases, with agent autonomy.

An important nuance: the paper finds most action tools support medium-stakes occupations like computer systems administration, with relatively few tools for low-stakes or high-stakes tasks. However, finance is a notable outlier — high-stakes financial occupations have disproportionately more action tools than the overall pattern predicts. Payment execution servers grew from 47 to 1,578 in twelve months, with cryptocurrency tools enabling agents to execute direct financial transactions without human approval.

Who’s building these tools — and how

Here’s where the research gets genuinely interesting. AISI detected AI-generated code in 28% of all MCP servers (36% of tools). Among newly created servers in February 2026, that figure hit 62%. The majority of new tools that AI agents use were themselves built by AI.

Implementation Note: Claude Code was responsible for 69% of AI-assisted MCP server creation, followed by Cursor (9.2%) and Copilot (9.1%). The tools agents use are increasingly built by agents — creating a recursive feedback loop that accelerates ecosystem growth but also compounds error propagation risk.

The geographic concentration adds a geopolitical dimension. Approximately 57% of action tool downloads come from the United States, with Germany alone accounting for nearly 11%. China sits at around 5%, though its share dropped by nearly 7 percentage points in the second half of 2025. UK organisations are both consumers and increasingly creators within this ecosystem, but the centre of gravity sits firmly in the US.

What this means for risk and governance

The AISI research, conducted jointly with the Bank of England, is not a technology showcase. It’s a risk assessment. The financial regulator’s involvement signals that agent autonomy has moved from a research curiosity to a systemic concern.

Warning ⚠️: Payment execution tools grew ~34x in twelve months (47 to 1,578 servers). If your financial controls assume human approval for transactions, those controls may already be bypassed by agent-enabled workflows — particularly in cryptocurrency operations.

Three specific risk vectors emerge from the data:

Compounding autonomy. When AI tools are built by AI (62% of new servers), reviewed by AI, and deployed by AI, the human oversight surface shrinks with each iteration. Traditional code review processes weren’t designed for this velocity.

Action concentration. The shift from 27% to 65% action tools means agents increasingly modify live systems. A read-only agent that hallucinates produces a bad report. An action-oriented agent that hallucinates executes a bad transaction.

Ecosystem opacity. With 177,000 tools and 14 million downloads, no single organisation has visibility across the full supply chain. Dependencies multiply, and a vulnerability in a popular MCP server cascades through thousands of downstream implementations.

| Stakeholder | Primary risk | Recommended response |
|---|---|---|
| Board / C-suite | Unmonitored agent actions in production | Commission agent activity audit |
| CTO / IT | AI-generated code in critical systems | Implement agent-specific code review gates |
| CFO / Finance | Autonomous payment execution | Review transaction approval workflows |
| Risk / Compliance | Regulatory exposure from agent actions | Map agent usage against compliance obligations |
| Operations | Browser automation on production systems | Catalogue all agent-accessible systems |

Four challenges most organisations will miss

1. The governance gap is temporal, not conceptual. Most organisations understand they need AI governance. The problem is that agent capabilities evolve monthly whilst governance frameworks update annually. By the time your AI policy covers autonomous browser control, agents will be managing entire deployment pipelines.

Reality Check: The 35x growth in MCP tools happened in 12 months. Your annual policy review cycle is too slow for this rate of change.

2. Shadow agent adoption is already happening. Developers adopt tools individually. The 14 million downloads weren’t approved by procurement committees — they happened one developer at a time. Your security team may not know which agent tools have access to production credentials. The paper notes that its download data likely reflects developer piloting rather than routine production deployment — but that means the tools are already inside your perimeter.

3. AI-built tools inherit AI limitations. With 62% of new servers built using AI assistance, the reliability of the tooling layer depends on AI code quality. Bugs in AI-generated MCP servers don’t just affect one user — they affect every agent that calls that tool.

Hidden Cost: Testing and validating AI-generated tools requires different approaches than testing human-written code. Most QA processes haven’t adapted.

4. Financial exposure scales non-linearly. The jump from 47 to 1,578 payment execution servers doesn’t mean 34x the financial risk. It means payment execution is becoming a commodity capability available to any agent, multiplying the number of potential failure points exponentially. The paper notes that regulators are particularly concerned about tools enabling higher-risk transactions like cryptocurrencies, which have less regulatory oversight and fewer reversal options.

What to do about it

The AISI research provides a clear evidence base for action. Here’s a practical framework based on organisational maturity:

If you haven’t started (most SMEs):

  1. Audit which AI agent tools your development team currently uses
  2. Check whether any tools have write access to production systems
  3. Review whether existing IT policies mention autonomous software agents
  4. Establish a quarterly agent tool review (not annual — quarterly)

If you have basic AI governance:

  1. Extend existing policies to cover agent autonomy, not just AI model usage
  2. Implement logging for agent actions in production environments
  3. Create approval workflows for agent tools that execute financial transactions
  4. Map your MCP tool dependencies and assess supply chain risk

Take Action: Download the full AISI research paper from arxiv.org/abs/2603.23802 and share it with your risk function. This is the kind of evidence-based assessment that informs good governance.

If you’re already managing AI risk:

  1. Assess recursive risk — tools built by AI being used by AI
  2. Implement runtime monitoring for agent behaviour, not just deployment-time review
  3. Contribute to industry standards for agent tool certification
  4. Stress-test financial controls against autonomous payment execution scenarios

The bottom line

This research from AISI and the Bank of England is the first large-scale empirical study of how AI agents actually operate in the wild. The key finding is not that agents are growing — everyone knew that. The finding is that agents have already shifted from tools that help humans think to tools that act independently, and that shift happened faster than governance frameworks anticipated.

Three facts worth remembering:

  1. 65% of AI agent tools now take direct action — this is the new default, not the exception
  2. 62% of new MCP servers are built using AI — the recursive loop is real and accelerating
  3. Payment execution grew ~34x in one year — financial controls designed for human-speed approval are being outpaced

The organisations that fare best will be those that treat this research not as a technology trend report but as a risk intelligence briefing — and act accordingly.


Source: How are AI agents used? Evidence from 177,000 AI agent tools, UK AI Security Institute and Bank of England, 26 March 2026. Full research paper: arxiv.org/abs/2603.23802. Analysis by Resultsense — making sense of AI in the UK.