Skip to main content
June 9, 2026Anthropic Launches Claude Fable 5 with Runtime Fallback Safeguards and Mandat...

CORE CONCEPTS

The AI agents you approved are not the problem. The ones you don't know about are.

Agent Sprawl is the proliferation of AI systems across an enterprise without corresponding governance architecture. It operates at three distinct tiers. Most organizations are actively managing only the first, and the third is where the largest incidents are now occurring.

v1.0 · May 2026Reconcile the agent count

Free to read and cite with attribution to Sougata Roy and sougataroy.com. Do not republish, rebrand, or claim authorship of any framework, term, or model as your own.

The term defined

The inventory that doesn't match reality

Agent Sprawl is the distance between the approved list and the actual operating population. This section defines the problem before it becomes a remediation exercise.

Use this section to establish the baseline question: what is actually running, and how far is that from what governance approved?

Editorial governance illustration showing the gap between an approved AI agent list and the larger actual operating agent population.

Approved list vs actual population

The actual count is the governance baseline

Agent Sprawl begins when the approved list no longer matches the population of agents actually operating in the environment.

The IT team has a list of approved AI tools. The business units have a different count. The developers have built agents that appear in neither list. The citizen developers in Operations built automations in Copilot Studio that nobody in IT knows exist. Somewhere in the environment, three agents approved eighteen months ago are still running under the credentials of a person who left the organization in Q3.

Ask the CISO how many AI agents are operating in the environment. The number they give you is the number the governance team approved. The actual count is higher. In most enterprises in 2025 and 2026, significantly higher.

Reco's 2025 State of Shadow AI findings reported that 71 percent of office workers used AI tools without IT approval, and nearly 20 percent of organizations had already experienced data breaches or leaks attributable to unauthorized AI use. Cyberhaven's 2026 report found that 39.7 percent of all AI data movements involve sensitive data. IBM's 2025 Cost of a Data Breach report found that high levels of shadow AI added approximately $670,000 to the average breach cost.

The gap between the approved list and the actual count is Agent Sprawl. The gap has three tiers that require three different governance responses.

INSIDE THE ORGANIZATION

The governance question

How many AI agents are currently operating in your environment, not the count that were formally approved, but the count that are actually running? If you cannot produce both numbers and explain the gap between them, Agent Sprawl is active in your organization and its scale is unknown.

The pattern

Three tiers. Three different governance responses.

Agent Sprawl is not one problem. It is three distinct proliferation patterns operating simultaneously, each with a different cause, a different risk profile, and a different governance response. An organization that solves Tier 1 has not solved Tier 2. An organization that solves both has not solved Tier 3.

Use the tiers to separate employee behavior, decentralized procurement, and over-permissive authorized agents. Each one requires a different control response.

Editorial diagnostic board showing Tier 1 employee shadow AI, Tier 2 department procurement, and Tier 3 over-permissive approved agents with different control responses.

Three sprawl tiers

Three proliferation patterns need three different responses

Employee shadow AI, decentralized procurement, and over-permissive approved agents create different risks and cannot be controlled by one policy.

T1TIER 1

Employee shadow AI

Individual employees use personal accounts, personal devices, or browser-based access to AI tools for work tasks without IT approval, organizational visibility, or any assessment of what organizational data is being processed. This is the most visible tier and the one most organizations have begun to address with policy and monitoring. The governance response is policy and technical enforcement: acceptable use policies that specifically address AI, DLP controls extended to browser-based AI usage and clipboard flows, and CASB visibility into which AI tools are accessing organizational data from corporate endpoints.

Evidence

Reco reported that 71 percent of office workers used AI tools without IT approval. Its 2025 report also identified long persistence windows for unsanctioned tools. Public reporting on Samsung engineers pasting proprietary source code into ChatGPT remains a canonical early shadow AI example.

T2TIER 2

Organizational procurement without central visibility

Business units independently adopt AI tools and vendors through department-level purchases, pilot programs that became permanent, or vendor integrations that bypassed central IT procurement. The agents exist in the environment with legitimate business purposes. The problem is that no central function has visibility into the full inventory, assessed the combined risk surface, or assigned governance accountability. The governance response is inventory and procurement governance: mandatory AI intake for all deployments, cross-functional discovery for existing deployments, and a central registry that reflects the actual count rather than the approved list.

Evidence

Reco reported that companies with 11 to 50 employees averaged 269 shadow AI tools per 1,000 employees. Larger organizations still showed high unsanctioned AI density. These are often motivated employees solving real problems with tools their organizations made reachable.

T3TIER 3

Authorized agents with over-permissive operational scope

Agents were formally approved, correctly configured, and deployed with legitimate business authorization, but their operational permissions were never bounded to what their documented purpose actually requires. The organization knows these agents exist. The governance failure is in what they are permitted to do once deployed. This is the tier producing the largest incidents, and it is the least addressed. The governance response is operational constraint architecture: defining what the agent may not do regardless of technical capability, what system changes require human approval before execution, and what conditions trigger mandatory human review before deployment.

Evidence

Oso's Agents Gone Rogue register tracks the Meta internal agent Sev-1 exposure in March 2026 and the Replit coding assistant production database deletion. Both cases show agents or agent outputs operating with insufficient operational constraints.

The liability

The inventory problem compounds with every deployment cycle

The cost is not only tool proliferation. The cost is an authorization ratio that gets worse while the organization believes it is improving.

Use this section to explain why sprawl becomes a regulatory and audit problem even when individual deployments look useful.

Editorial governance illustration showing deployment cycles growing Tier 2 and Tier 3 agent populations while the authorization coverage ratio fails to improve.

Compounding ratio

Sprawl shifts the ratio even when one tier improves

Tier 1 controls can improve while Tier 2 and Tier 3 keep adding governance debt to the operating population.

Most enterprise AI governance programs in 2025 and 2026 are focused on Tier 1. Shadow AI policies, DLP extensions to AI tools, and CASB dashboards showing unsanctioned usage are the right interventions for Tier 1. They are necessary. They are not sufficient.

An organization that has solved Tier 1 has addressed the employee behavior problem. It has not addressed the organizational procurement problem. Business units continue adopting AI vendors through channels that bypass the new controls because the intake process applies to IT-procured tools and the business unit purchased this one through a SaaS subscription on a corporate card. The Tier 2 population grows while the Tier 1 population is being managed.

An organization that has solved Tier 1 and Tier 2 has a complete inventory and an intake process. It has not addressed what happens to agents after they are approved. Tier 3 sprawl occurs inside the governed population. The agents are in the registry. The authorization records exist. But the operational permissions were never bounded, the change-actor question was never asked, and nobody defined what the agent is not allowed to do regardless of what it is technically capable of doing.

The Governance Readiness Matrix measures where an organization sits on agent count versus authorization coverage. Most organizations that have made progress on Tier 1 discover that their Tier 2 and Tier 3 populations have been accumulating Governance Debt at the same pace they were reducing it in Tier 1. The ratio is not improving. It has shifted.

Primary source

Reco, 2025 State of Shadow AI Report and findings article. Findings include 71% of office workers using AI tools without IT approval and nearly 20% of organizations reporting breaches or leaks attributable to unauthorized AI use.

View source

Primary source

Cyberhaven, 2026 AI Adoption and Risk Report. Finding: 39.7% of all data movements into AI tools involve sensitive data.

View source

Primary source

Cyberhaven, AI insider threat research. Finding: 30x increase in data sent to generative AI apps and 22% of uploaded files containing sensitive data, cited in 2026 insider-risk analysis.

View source

Primary source

IBM, Cost of a Data Breach 2025. Finding: ungoverned AI systems are more likely to be breached and more costly when they are.

View source

Primary source

VentureBeat analysis of IBM Cost of a Data Breach 2025. Finding: shadow AI added approximately $670,000 to breach costs.

View source

Primary source

Oso Security, Agents Gone Rogue incident register, 2025-2026. Cases: Meta internal agent Sev-1 breach, March 2026; Replit AI coding assistant production database deletion.

View source

Primary source

Microsoft Security Blog, "Detecting and mitigating common agent misconfigurations," February 12, 2026. Used for Copilot Studio agent misconfiguration, prompt injection, and email-based data exfiltration risk framing.

View source

The registry is not the answer

Where Agent Sprawl concentrates in Microsoft 365 environments

A registry is useful only when it is reconciled against what is actually deployed. Without that discipline, it becomes a record of approved intent, not operating reality.

Use this section to distinguish inventory from reconciliation: the organization needs both the approved count and the actual count.

Editorial tenant evidence map showing tenant inventory, Power Platform, governance registry, inherited permissions, registry gap, and count reconciliation.

Tenant reconciliation

The registry is useful only when reconciled

The tenant inventory, platform records, and governance registry must be reconciled before leaders can trust the agent count.

Organizations standardized on Microsoft 365 face a specific Agent Sprawl pattern that differs from the general enterprise picture. Microsoft 365 is the productivity layer for most of the corporate data these organizations govern: email, documents, SharePoint content, and Teams conversations. When employees bring external AI tools into their workflows, they are almost always bringing them into contact with Microsoft 365 data.

Copilot Studio's no-code agent builder accelerates Tier 2 and Tier 3 simultaneously. A motivated business analyst can deploy a Copilot Studio agent against SharePoint, Teams, and organizational data in an afternoon without writing code and without involving the security team. The agent appears in the Microsoft 365 admin center inventory. It may not appear in the IT governance registry. The permissions it inherited from the creator's account may significantly exceed what its documented purpose requires.

Microsoft's 2026 security guidance for Copilot Studio agents names prompt injection, unsafe orchestration, email-based data exfiltration paths, and misconfigured agent workflows as risks organizations must detect and prevent.

The Tenant Agent Reconciliation Framework is the operational tool for surfacing the actual Microsoft 365 agent population across M365 admin center inventory, Power Platform, Azure, and the gap between those three counts and what the IT governance registry contains.

RELATED CONCEPTS

Where Agent Sprawl sits in the accountability structure

Agent Sprawl is the scale problem. These adjacent concepts explain the accountability failures that compound inside the sprawl population.

Use these concept links when the question shifts from agent count to the failure pattern inside each ungoverned agent.

Agent Sprawl is the scale problem. The other concepts describe what happens at the level of individual agents when sprawl is not contained.

Governance Debt is what Agent Sprawl produces at organizational scale. Every agent deployed without authorization, a named owner, and a compliance review is a unit of Governance Debt. Agent Sprawl is the mechanism by which Governance Debt compounds faster than organizations can address it.

The Accountability Assumption operates inside every ungoverned agent in the sprawl population. Each agent without a named Consequence Owner is an agent where the assumption is in place, and the assumption compounds with every agent added to the ungoverned inventory.

Intent Architecture is the organizational design layer that prevents Tier 2 and Tier 3 sprawl at the source. An intake process enforced consistently, including for deployments described as urgent, limited, or temporary, stops ungoverned agents from entering the population. The intake process is what converts the Authorization Coverage Lifecycle from Accumulation to Resolution.

The Intent Gap is total for every agent in the sprawl population that has no documented intent. An agent with no authorization record has no documented purpose, no explicit prohibitions, and no named accountable owner watching the distance between intended and actual behavior.

Governance Debt The Accountability Assumption Intent Architecture Intent Gap

WHAT GOOD LOOKS LIKE

When Agent Sprawl is under control

The end state is not a prettier registry. It is a governed operating population whose count, ownership, and scope can be explained under review.

Use this section as the target condition for remediation planning after the actual agent count is known.

Editorial target-state illustration showing an actual agent registry with approved count, actual count, declining tenant reconciliation gap, high count high coverage, owners, scope, authorization records, review cadence, and operational constraints.

Controlled population

Sprawl is under control when actual count and coverage are both known

A governed population has a reconciled registry, declining reconciliation gap, high authorization coverage, and bounded operational scope for approved agents.

The organization's agent registry reflects the actual count of AI agents operating in the environment, not just the count of formally approved ones. The Tenant Reconciliation Gap is declining quarter over quarter as the intake process matures. The Governance Readiness Matrix places the organization in the high count, high coverage quadrant because authorization coverage has kept pace with deployment velocity.

For Tier 1: employees have clear guidance on which AI tools are permitted for work use, what organizational data may be processed through which tools, and where the boundaries are. DLP and CASB controls extend to browser-based AI usage. The shadow AI population is monitored and declining.

For Tier 2: every new AI deployment, regardless of whether it originates from IT, a business unit, or a citizen developer using Copilot Studio, goes through the intake process before it enters production operation. The intake process is enforced consistently, including for deployments described as urgent. The business unit that wants to bypass the process encounters the same gate as IT.

For Tier 3: every authorized agent has a documented operational scope specifying what it may not do regardless of technical capability, what system changes require human approval before execution, and what conditions trigger mandatory human review. The Consequence Owner for each agent can describe these constraints without reading the technical configuration.