
Revealing the Invisible: Why CIOs Must Act Now on AI Sprawl

By Martin Tureniec, Xensam

A CIO recently shared with me that their biggest challenge with AI isn’t deploying it – it’s discovering it when it’s been deployed by someone else. Despite having clear policies in place, the company had uncovered dozens of unapproved AI tools in use across finance, HR, sales and marketing. Most were unsanctioned, few were documented, and several handled sensitive data that should never have been processed outside the company’s control.    

This invisible layer of “shadow AI” is quickly becoming every CIO’s nightmare: AI sprawl. 

AI sprawl describes what happens when undocumented, unchecked, and unmanaged AI tools spread across an organisation. Employees today adopt AI impulsively, often “vibe subscribing” to tools based on a LinkedIn post, a peer recommendation, or the need for a quick workaround. They pay with company expense cards or personal cards, or use freemium services – none of which are approved. Freemium tools are often the most risky, enabling uncontrolled data exfiltration, processing and the training of external AI models, all outside the company’s visibility or consent. 

The result is a fragmented and unregulated digital environment that expands out of sight. For enterprises, this creates not just a technology burden, but a governance crisis, one that will define the role of the CIO going forward. 

AI Blind Spots 

As everyone knows, AI adoption is exploding. Innovation is welcome and can help create competitive advantages, but the pace of uptake and lack of coordination is creating visibility gaps that IT and compliance teams are struggling to close.

There are several factors driving this trend: 

  • Flood of easy-access tools: From generative AI assistants to low-code AI analytics platforms, there’s almost no friction involved in adopting new tools. If an employee can start a free trial with a credit card, they likely will. 
  • Decentralised procurement: Business units bypass IT to source their own AI solutions, leaving them unaccounted for and entirely disconnected from central identity management. This “shadow AI” mirrors the shadow IT issues of a decade ago, but with higher stakes, as AI tools not only store but also process and analyse sensitive corporate data. 
  • Experimentation culture: Enterprises reward innovation but often lack guardrails. POCs, pilots, and evaluations multiply rapidly, becoming operational without undergoing formal review. 

When all of these factors come together, they result in critical blind spots: AI is in use, but IT teams, or those working in conjunction with the CIO, can’t see it, measure it, or secure it. And then come the risks.  

The Risks CIOs Can’t Ignore 

CIOs today must weigh three categories of risk most heavily: 

  1. Security vulnerabilities

AI tools, particularly generative models, ingest and process sensitive information. When employees use unvetted tools, data will inadvertently leave the secure perimeter. Metomic research shows 64% of enterprises have deployed at least one AI application with critical vulnerabilities – and a third only discovered the issue after an incident.  

  2. Rising cost and inefficiency

The average enterprise now juggles 125 different SaaS applications and relies on five or more data discovery and security tools. This kind of software bloat can be costly, with overlapping license fees, duplicated features, and additional management overhead for tools that can often be unfit for purpose. Worse, sprawling stacks lower ROI by dispersing investments across fragmented initiatives instead of scaling enterprise-wide capabilities. 

  3. Compliance exposure

AI regulation is beginning to take shape across the world, giving organisations a clearer idea of where their compliance requirements lie. In Europe, with the EU AI Act now in place, firms face fines up to 35,000,000 EUR or 7% of turnover for Article 5 violations, and up to 15,000,000 EUR or 3% for other violations. Without clear ownership of every AI process, CIOs cannot guarantee alignment with policies, exposing the enterprise to existential fines. 

What CIOs can do to combat AI Sprawl 

If left unchecked, AI sprawl could define enterprise dysfunction by the end of this decade. Imagine a 2030 organisation where AI tools outnumber employees, with no clear record of which models influence business outcomes, where sensitive data flows, and how bias or errors enter decision-making. In such an environment, operational risk eclipses competitive advantage. AI ceases to be a driver of innovation and instead becomes an unmanageable liability. But thankfully we are still in the nascent stages of AI adoption. CIOs have the chance to seize control before sprawl becomes entropy. Decisive leadership can reverse this trend. 

CIOs should focus on three strategic interventions: 

  • Establish strong discovery and monitoring frameworks: Deploy tooling that illuminates every AI tool in use, whether centralised or shadow. It is impossible to govern what you cannot see. 
  • Balance innovation with accountability: Draft and communicate policies that set clear expectations. Ensure employees understand what is approved, what requires review, and what is prohibited. Importantly, reinforce that governance is not a blocker but an enabler of sustainable innovation. 
  • Engage and educate teams: Employees rarely adopt shadow AI maliciously; they’re looking for opportunities. CIOs should position governance as collaborative, rather than punitive. Incentives, workshops, and transparent approval processes can bring hidden usage into the open. 

This approach transforms governance from restriction into empowerment – a way of showing employees that AI use is welcome, but under clear, safe, and value-driven conditions. 

Revealing the invisible 

AI sprawl is the modern embodiment of the ‘move fast and break things’ philosophy. It creeps in through enthusiasm and experimentation, only to surface later as cost, complexity, and compliance exposure. For CIOs, managing AI is not enough – their mandate now is to reveal the invisible. 

CIOs who act decisively now will unlock real, scalable innovation. Those who don’t address the problem of AI sprawl now in their enterprise may find that the surging adoption of AI agents will only metastasise the problem. 
