Anunta Blog US

Endpoint Automation: Why Partial Coverage Creates Risk

Written by Vinod Jeyachandran | Jul 6, 2026 8:26:59 PM

 

A critical vulnerability goes public on Tuesday, and it is already being exploited in the wild. Security hands you a number: every machine patched inside 24 hours. You push the emergency update across the fleet. By Wednesday, the dashboard reads 97 percent compliant. The job ran, the report was green, and the incident looked closed.

It is not closed. The missing 3 percent is not a rounding error. It is the laptops that were offline when the job fired, the installs that failed silently, and the users who deferred the reboot one more time, which leaves the fix pending while the dashboard counts it as done. Those machines stay exposed during the exact window when attackers move fastest. The dashboard is reporting the job, not the outcome.

That gap, between what the tools report and what is true at the endpoint, is the subject of this piece. It is trivial on one device and dangerous across an estate. It is also the predictable result of how most organizations have approached automation. They automated the easy majority of the work and stopped, and partial automation is not a step on the way to finish. It is the most dangerous place a team can stop, more dangerous than never automating at all.

Why is partial automation worse than no automation?

Partial automation is what you get when you automate the routine work and leave the exceptions to people. It is the normal state of endpoint management today, and it is more dangerous than staying fully manual. The reason is visibility. A fully manual operation hides nothing, because when everything is done by hand, you can see the queue, you feel the backlog, and the pain drives investment toward a fix.

Partial automation removes that pain without removing the risk, and most teams are living in exactly that state. The 2026 State of Endpoint Management report found that only 6 percent of organizations have reached full endpoint automation. The other 94 percent run partial automation, which means they have automated the high-volume, predictable work: patch deployment to standard devices, routine configuration, and the part that follows a pattern. That work runs clean and reports green.

The problem is what happens to everything else. The automated routine reports as healthy, so the dashboard goes green, while the work that did not automate falls off the dashboard entirely, because the dashboard only shows what the tools successfully touched. You did not close the gap; you stopped seeing it. The question that matters next is what fell out of view.

What does partial automation hide?

It hides the exceptions, and the exceptions are where the incidents are.

Consider what sits in that pile. There is the device that failed the patch and needs a human, the laptop that has not checked in for three weeks, the reboot deferred one more time, the machine on an end-of-life OS that cannot take the patch at all, and the exception granted for a business reason and never revisited. None of it follows a pattern, so none of it automated, and the same report found 43 percent of teams lose ten or more hours a week to handling it by hand.

This is not edge-case trivia. The Ponemon Institute found that 54 percent of organizations are grappling with unpatched vulnerabilities, 48 percent with misconfigurations, and 43 percent with end-of-life systems. Those are not the devices that are patched cleanly. They are the residue that partial automation leaves behind, and they are the devices an attacker reaches.

The patch that deployed to ten thousand machines is not your problem. The handful that failed silently and nobody chased is the way in. Faced with that backlog, the instinct is to demand more speed, and that instinct points at the wrong target.

Does patching faster fix the problem?

Patching faster does not fix the problem, because speed is the wrong axis.

The routine already patches fast, because that is the part you automated, so speed was never the problem for the eighty percent that works. The problem is the twenty percent that never completes, and you cannot make a silent failure faster. A device that failed the patch is not slow. It is unpatched, and it stays unpatched until a human notices.

Speed also will not outrun the exploitation window. CISA's analysis of its Known Exploited Vulnerabilities catalog found that 42 percent of known exploited CVEs are attacked on the day of disclosure, half within two days, and three quarters within the first month. Against that clock, a process that depends on someone spotting an exception in a queue is already too slow on the devices that matter. The only thing that keeps pace is the ability to push a change across the whole estate and confirm it landed, without a person in the loop for each device. That capability has a name, and it is worth measuring.

What is the real measure of endpoint management maturity?

The real measure is not how many tools you run, and it is not how much of your estate you have automated. Those numbers make good slides and tell you nothing about your exposure.

The real measure is enforceability. When you decide something must change, can you push that change across every endpoint you own, today, and confirm it landed? The answer cannot be most of them. It has to be all of them, including the exceptions, the remote devices, the personal hardware, and the machines that failed the last attempt.

This is the question that a completed deployment job cannot be answered. A job that ran is not a fix that landed, and a high success rate is not full coverage. Until you can enforce a change everywhere and verify it on the device, your compliance number is a story your dashboard is telling you, and the story ends the moment something goes wrong on a machine that reported green.

Stop measuring what you have deployed. Start measuring what you can still change.