Cyber Security

AI Agent Sprawl Isn’t Just the New Shadow IT — It’s Worse

By Ron Longo, CEO, TrustLogix

Security teams have seen this before. A new technology shows up, proves too useful to wait for IT approval, and spreads quietly across the organization. By the time anyone notices, the exposure is already there. 

That was Shadow IT. Unauthorized SaaS apps, personal cloud storage, browser plugins no one vetted. A real headache, but a bounded one. The core problem was containment: sensitive files ending up somewhere they shouldn’t. The data sat still. It didn’t do anything. 

Shadow AI is a different problem. And AI agent sprawl is its most dangerous form. The question is no longer where your data lives. It’s what’s actively working with it right now, using credentials nobody reviewed and permissions nobody thought through. 

From Shadow Apps to Shadow Actors 

Ravi Sharma, a senior IT audit and cybersecurity leader, put it plainly: “The unapproved tools are no longer just apps. They are autonomous systems, chatbots, large language models, and low-code agents that learn, think, act, and decide. Unlike shadow IT, these agents not only move data, they influence decisions.” 

That’s the shift that changes everything. Shadow IT gave you unsanctioned technology. Shadow AI gives you unsanctioned intelligence. A rogue SaaS app stores your data somewhere inconvenient. An unmanaged AI agent queries your data environment, chains the results to another system, runs a workflow, and sends something out the door — no human involved, no record of what happened. 

Gartner put some numbers to where this is heading. The average Fortune 500 enterprise will run more than 150,000 agents by 2028, up from fewer than 15 in 2025. By the end of 2026, 40% of enterprise applications are expected to have AI agents embedded in them, up from under 5% last year. Only 10% of those organizations have any real plan for managing them. 

And the incidents are already happening. Gravitee surveyed 919 organizations and found 88% had experienced confirmed or suspected AI agent security incidents in the past year. In healthcare it was 92.7%. The WEF Cybersecurity Outlook 2026 found that 87% of security leaders see AI-related vulnerabilities as the fastest-growing risk they face. IBM’s research puts the share of organizations with actual AI governance policies at 37%. Nearly every enterprise has already had a Shadow AI incident. Most just haven’t found it yet. 

The Real Problem Is Permissions 

Why are these incidents so hard to catch? Because of what agents are actually allowed to do once they connect to your data. 

Most agents run on service accounts or static API keys. Those credentials tend to be overprivileged, set up manually, and left running indefinitely. An agent someone built to pull customer summaries might be using the same access token as something touching financial records. And in most cases, nobody defined the scope, set an end date, or is keeping an eye on it. Obsidian Security found that AI agent activity grew 300x in 2025 as employees connected personal agents to enterprise systems, handing out read and write access along the way with no real oversight. What they described afterward was a network of invisible agents that nobody owns or monitors. 

This is where the Shadow IT comparison runs out of road. A misconfigured SaaS app sits there being wrong. A misconfigured AI agent keeps moving, keeps querying, keeps doing things. How much damage it can do depends entirely on how much it can reach — and that’s almost always more than anyone intended. 

CyberArk documented a case that makes this concrete. A financial services company deployed an agent to let vendors check their recent orders. An attacker hid a malicious prompt inside a shipping address field on a small order. When a vendor triggered the agent, it picked up the prompt, pivoted to an invoicing tool it had access to for no good reason, pulled bank account details, and sent them out. The whole thing worked because the agent’s permissions were wider than its job. CyberArk’s takeaway was direct: an agent’s entitlements are its blast radius. 

MCP Made It Faster 

Model Context Protocol was designed to make it easy for agents to connect to enterprise systems without custom engineering for every integration. It succeeded. A developer can wire up an agent to a back-end system in hours now instead of weeks. Security review almost never moves that fast. 

Microsoft flagged a pattern it keeps seeing across enterprise customers: MCP servers connected to sensitive back-end systems and left exposed to the internet without authentication. Cisco’s State of AI Security 2026 found that only 29% of organizations felt prepared to secure the agentic deployments they were already building. 

The multi-agent problem makes it worse still. When one agent hands work off to another, there’s typically no check on what permissions the second agent is carrying or how it was built. Researchers found tool poisoning, remote code execution vulnerabilities, and supply chain tampering showing up inside MCP ecosystems within the first year of widespread adoption. The trust assumptions baked into agent-to-agent communication were never designed with security in mind. 

Shadow IT Already Gave Us the Playbook 

The Shadow IT era is useful here, not because the problems are the same, but because it already showed us what doesn’t work. 

Enterprises that tried to ban Dropbox and Google Drive in the early 2010s didn’t eliminate Shadow IT. They pushed it somewhere less visible. Employees found other ways. Security teams lost sight of what was happening without actually stopping it. Gartner’s Max Goss made  this point about agents: block access to sanctioned tools and people will build something ungoverned instead. That pattern won’t change this time. 

Google Cloud’s security team explained the choice this way: try to block agents and you push the problem underground, or build a governance layer and actually know what’s running. The second option is harder upfront. It’s the only one that works. 

So What Does Governance Look Like 

NIST stood up its AI Agent Standards Initiative in February 2026 — the first federal effort specifically aimed at AI agent security. The frameworks coming together across NIST, Cisco, Forrester, and Google Cloud are pointing at the same things: inventory, identity, least privilege, observability, continuous compliance. 

Least privilege is where most organizations need to start, because it’s both the most actionable and the most neglected. Every agent should be scoped to only have access to what it needs to do its job. Nothing more. An overprivileged agent turns one successful prompt injection into a much larger problem. Permissions assigned at deployment and forgotten are not a governance posture. They’re a waiting vulnerability. 

Just-in-time access solves the standing credential problem. Instead of AI service accounts running on persistent tokens that never expire, access is issued for a specific task and revoked when that task is complete. The most common attack vector in Shadow AI environments isn’t some sophisticated exploit. It’s the dormant, over-permissioned account nobody ever cleaned up. 

Observability brings the whole picture together. If you can’t trace what an agent accessed, when, and why, you can’t investigate incidents, and you can’t satisfy an auditor. Agents running without audit trails are a liability that grows with every new deployment. 

The governance challenge of Shadow IT took enterprises a decade to address meaningfully. Shadow AI is moving much faster, the access risks are higher, and regulatory scrutiny is arriving much sooner: Gartner’s 2026 Audit Plan Hot Spots report found that 94% of chief audit executives are including data governance and AI risk in their audit plans for the year. 

The question for security and data leaders is not whether to build the infrastructure. It is whether your governance can keep pace with the agents your organization is already running. 

Author

Related Articles

Back to top button