Gartner counted thousands of vendors claiming to ship agentic AI. About 130 of them actually do. The rest are rebadged chatbots, RPA tools, and AI assistants with the word "agent" pasted on the box. This is agent washing, and your procurement team is buying it.
## Key takeaways
- Gartner estimates only ~130 of thousands of agentic AI vendors are real (2025 prediction, updated 2026).
- 40% of agentic AI projects will be canceled by end of 2027, mostly due to vendor mismatch and unclear business value.
- Agent washing is rebranding existing products (chatbots, RPA, AI assistants) as "agentic" without real autonomous capability.
- The five vendor tells: no tool use, no multi-step reasoning, no state persistence, no autonomy, no clear identity model.
- Seven procurement questions filter most fakes in 15 minutes.
## What is agent washing?
Agent washing is the marketing practice of selling existing AI products (chatbots, RPA flows, AI assistants, workflow automation) as agentic AI without the underlying autonomy, reasoning, or tool use that defines a real agent. Gartner popularized the term in mid-2025 alongside their 40% cancellation forecast. The pattern is now so widespread that Gartner analysts called it the single biggest reason agentic AI deployments are going sideways.
The damage isn't just wasted budget. It's audit risk, compliance gaps, and security incidents that get pinned on agentic AI in general when the actual cause was a washed product that never had agent-level controls in the first place.
## How big is the agent washing problem?
Gartner: roughly 130 of the thousands of vendors marketing agentic AI actually ship a real agent. That's the public number. The implication is that more than 95% of agentic AI marketing in 2026 is washed. This isn't a minor calibration error. It's the dominant pattern in the market.
## What are the five tells of a washed agent?
A real AI agent does five things a chatbot or RPA flow can't. If a vendor's product fails any of these, you're looking at agent washing.
- Tool use. A real agent picks tools at runtime and chains them. A chatbot calls one API per turn.
- Multi-step reasoning. A real agent plans a sequence and adjusts when steps fail. RPA follows a fixed flow.
- State persistence. A real agent carries context across actions and sessions. AI assistants reset.
- Autonomy bounded by policy. A real agent acts without per-step human approval, inside a defined policy envelope. Washed products need a human click for every action.
- A real identity model. A real agent has its own identity, separate from the user. Washed products run on the user's session token.
## What seven questions filter most agent washing in 15 minutes?
Procurement keeps buying washed products because security and architecture aren't in the room when the demo happens. Send these seven questions to every agentic AI vendor before the second meeting.
1. Show me a single transaction where the agent picked between three tools and chose one based on the input. No demo means no real tool use.
2. What happens when a step fails mid-task? Real agents retry, reroute, or escalate. Washed products error out.
3. How is the agent's identity provisioned and what's its blast radius? A real answer involves a non-human identity, scoped credentials, and a policy engine.
4. Show me an action log for a multi-step run, with the agent's reasoning at each step. Real agents produce a reasoning trace. Washed products produce a flat API log.
5. What's the kill switch and how fast does it cut? Real agents revoke credentials and halt in-flight tasks in seconds. Washed products don't think about this.
6. What happens to the agent if the underlying model deprecates? Real vendors have an abstraction layer. Washed products are hard-coded to one model.
7. Map your product to OWASP Top 10 for Agentic Applications 2026. Real vendors have an answer. Washed vendors don't know the framework exists.
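Questions 1 through 4 can be checked against evidence rather than taken on a slide. The sketch below is an added example, not from Gartner, CSA, or any vendor: it scores an exported run log against those four questions. The JSON field names (`actor`, `on_behalf_of`, `candidates`, `reasoning`, `recovers`) are an assumed schema and both sample logs are constructed.

```python
import json

# Constructed sample exports; the field names are an assumed schema, not a vendor format.
AGENT_RUN = """\
{"step": 1, "actor": "agent:invoice-bot", "on_behalf_of": "user:alice", "tool": "erp_lookup", "candidates": ["erp_lookup", "email_search", "ocr_extract"], "reasoning": "Invoice number present, ERP is authoritative", "status": "ok"}
{"step": 2, "actor": "agent:invoice-bot", "on_behalf_of": "user:alice", "tool": "payment_api", "candidates": ["payment_api"], "reasoning": "Amount matches PO, schedule payment", "status": "failed"}
{"step": 3, "actor": "agent:invoice-bot", "on_behalf_of": "user:alice", "tool": "ticket_create", "candidates": ["payment_api", "ticket_create"], "reasoning": "Payment API rejected request, escalate to finance", "status": "ok", "recovers": 2}
"""
FLAT_API_LOG = """\
{"step": 1, "actor": "user:alice", "on_behalf_of": "user:alice", "tool": "chat_completion", "status": "ok"}
{"step": 2, "actor": "user:alice", "on_behalf_of": "user:alice", "tool": "chat_completion", "status": "failed"}
"""

def assess_run(jsonl):
    """Score one exported run against procurement questions 1-4."""
    steps = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    failed = {s["step"] for s in steps if s.get("status") == "failed"}
    # A recovery only counts if it happens after the step it points back to.
    recovered = {s["recovers"] for s in steps
                 if s.get("recovers", s["step"]) < s["step"]}
    return {
        # Q1: at least one step chose among three or more candidate tools.
        "tool_selection": any(
            len(s.get("candidates", [])) >= 3 and s.get("tool") in s["candidates"]
            for s in steps),
        # Q2: every failed step has a later retry, reroute or escalation.
        # None means the run contains no failure, so there is no evidence either way.
        "failure_handling": (failed <= recovered) if failed else None,
        # Q3: the acting identity is never the user's own identity.
        "separate_identity": bool(steps) and all(
            s.get("actor") and s.get("actor") != s.get("on_behalf_of")
            for s in steps),
        # Q4: every step carries a reasoning entry, not just an API call record.
        "reasoning_trace": bool(steps) and all(
            s.get("reasoning", "").strip() for s in steps),
    }

if __name__ == "__main__":
    for name, log in (("agent run", AGENT_RUN), ("flat API log", FLAT_API_LOG)):
        print(name, assess_run(log))
```

A `None` for `failure_handling` is a prompt to ask the vendor for a run that includes a failed step, since a clean run says nothing about question 2.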
## How does agent washing show up in an audit?
The August 2, 2026 EU AI Act high-risk obligations don't distinguish between real agents and washed ones. If your product makes a decision that affects a person's credit, employment, or healthcare, it's high-risk regardless of how autonomous the underlying tech actually is.
Auditors are now asking the same five Agentic Trust Framework questions (CSA, February 2026) for every system labeled "AI agent" in your stack. A washed product fails every one. Identity isn't separable. Behavior baselining doesn't exist. Blast radius is undefined. Kill switch is theoretical. The risk is paying for a washed product and getting flagged for it.
## Frequently asked questions
Who coined the term agent washing? Gartner popularized it in mid-2025 alongside their forecast that 40% of agentic AI projects would be canceled by end of 2027. The term echoes earlier patterns like AI washing and blockchain washing.
Is every vendor that markets agentic AI washing? No. Gartner's ~130 real vendors exist. The point is that the base rate of real agentic AI in 2026 marketing is low enough that you should treat every claim as washed until proven otherwise.
How do I tell washing apart from a vendor early in their roadmap? Ask about identity and policy. Vendors building toward agentic capability talk openly about their identity model. Washing vendors redirect to AI capabilities and avoid identity questions.
What's the legal exposure of buying a washed product? Under the EU AI Act's August 2, 2026 obligations, the deployer (you) is liable for how the system is used. Penalties run up to EUR 35M or 7% of global annual turnover.
How does this connect to the Agentic Trust Framework? ATF (CSA, February 2026) is built around five questions: identity, behavior, data flow, blast radius, kill switch. A real agent answers all five. A washed product fails the first one (identity). If a vendor can't pass ATF, they can't pass audit.
Joshua Woodruff is the author of Agentic AI + Zero Trust (foreword by John Kindervag) and a CSA Research Fellow. The Agentic Trust Framework was published by the Cloud Security Alliance in February 2026.
