Artificial intelligence is rapidly transforming the business landscape, offering incredible potential for automation and efficiency. At the heart of this revolution are AI agents—intelligent, autonomous software entities designed to perform specific tasks. However, the very ease with which these agents can be deployed is now creating a significant challenge for IT departments: an explosion of unsanctioned and unmanaged AI applications.
A recent survey by Rubrik ZeroLabs starkly highlights this growing issue, revealing that a staggering 77% of IT managers feel their AI agents are spiraling out of control. Less than a quarter (23%) of IT leaders believe they have comprehensive oversight of these agents within their organizations. This lack of control isn’t just a governance nightmare; it actively undermines the productivity benefits agents are supposed to deliver.
The survey further indicates that 81% of IT managers report agents demand more manual auditing and monitoring time than they save through workflow improvements. Security is also a major concern, with an overwhelming 86% anticipating that agent proliferation will outpace security guardrails in the coming year, and over half (52%) expecting this within just six months. The urgency is clear: businesses risk creating significant vulnerabilities and inefficiencies if this trend continues unchecked.
The Unseen Challenge of AI Agent Sprawl
The problem stems from the sheer simplicity of creating AI agents. Users often bypass standard security protocols, such as turning off VPNs, to quickly set up agents that act as personal assistants. This leads to a massive volume of unsanctioned AI applications, both those developed internally and those introduced by various vendors, creating a fragmented and chaotic digital environment.
Industry experts are observing patterns reminiscent of early cloud adoption, where individual teams independently spin up solutions using diverse frameworks and providers. Kriti Faujdar, a senior product manager at Microsoft, warns that this approach inevitably leads to “fragmentation, inconsistent governance, and hidden security gaps.” Without a centralized strategy, the enterprise becomes a patchwork of unmonitored AI functionalities.
This rapid proliferation presents a significant challenge to IT managers, most of whom (nearly all respondents) admit they lack the “undo” capabilities necessary to roll back unintended agent actions. The operational reality of agent management often stands in stark contrast to the perceived level of control. As agents act with increasing autonomy, they introduce a far greater risk profile compared to traditional software applications.
Why Are AI Agents So Hard to Control?
The ease of agent creation, coupled with a lack of comprehensive oversight, fuels agent sprawl. Nik Kale, principal engineer with the Coalition for Secure AI, notes that “any team with API access can spin up an agent in an afternoon.” In a large enterprise, this translates into hundreds of agents with overlapping permissions, no consistent identity model, and a complete lack of a centralized inventory.
Observability for agentic systems is notoriously challenging. Understanding the intricate chains of agent actions and ensuring security enforcement points are critical, yet often absent. Post-deployment, organizations struggle to answer fundamental questions necessary for tracking agent viability, which include:
- What specific purpose does the agent serve?
- What resources and tools does the agent access?
- How are its actions audited and monitored?
- What are the established policies for human intervention?
- Can its unintended actions be rolled back?
Currently, many organizations cannot define acceptable agentic behavior, audit accessed resources, establish policies for “human in the loop” intervention, or effectively roll back problematic actions. Furthermore, the foundational models driving these agents aren’t static; they tend to “drift” over time, meaning an agent certified in one quarter may behave differently just a few months later. Renze Jongman, founder and CEO of Liberty91, highlights this by stating, “Your governance model has to assume the ground moves.”
Reclaiming Control: Strategies for Effective AI Agent Governance
To navigate this complex landscape, organizations must elevate agent management from an afterthought to a first-class discipline. This involves establishing clear guardrails to ensure that speed doesn’t compromise trust, auditability, or scalability. The goal is to build robust systems that can be trusted, managed, and scaled effectively across the enterprise.
A crucial step is to architect the agent stack thoughtfully. Nik Kale advises keeping the orchestration layer separate from both the model and governance layers. Consolidating all three within a single vendor’s platform can lead to ceding control over your agent’s core intelligence, permissions, and accountability chain. Decentralization in this critical area provides greater flexibility and security.
Effective agent oversight requires a multi-faceted approach involving key stakeholders beyond just the development team. Security, architecture, and the business unit accountable for the agent’s outcomes must all be integral to the governance process. This ensures that agents are not only efficient but also secure, compliant, and aligned with business objectives.
By defining acceptable agent behavior, implementing rigorous auditing for resource access, establishing clear human-in-the-loop policies, and developing robust rollback capabilities, organizations can rein in agent sprawl. Proactive governance, continuous monitoring, and a flexible approach that anticipates behavioral drift are paramount to harnessing the true potential of AI agents securely and effectively.
Source: ZDNet – AI
