Here is the number that should be keeping every CTO up at night.
94%.
That's the share of organizations that say AI sprawl is increasing their complexity, technical debt, and security risk - according to OutSystems' 2026 State of AI Development report, which surveyed nearly 1,900 global IT leaders.
And here's the part that makes it worse: 96% of those same organizations are already using AI agents.
They're deploying faster than they can govern. And most of them know it.
This Is Not Shadow IT. It's Worse.
Shadow IT was a governance problem we understood. Employees used unauthorized tools. IT found out eventually. Policies got updated. Risk was contained.
AI agent sprawl is different in kind, not just degree.
Shadow IT was humans making decisions with unauthorized tools. Agent sprawl is autonomous systems making decisions without oversight - at machine speed, at scale, with access to your data, your communications, and your business processes.
The blast radius isn't comparable.
When a human uses an unauthorized SaaS tool, the worst case is a data leak. When an autonomous agent operates without governance, the worst case is an agent that sends emails on your behalf, commits budget without approval, or shares confidential information with the wrong party - and does it thousands of times before anyone notices.
This isn't hypothetical. It's happening right now.
The Numbers Are Stark
The OutSystems report paints a clear picture of where enterprises stand:
- 96% of organizations use AI agents in some capacity
- 94% are concerned that AI sprawl is increasing complexity, technical debt, and security risk
- Only 12% use a centralized platform to manage their agents
- Only 36% have a centralized AI governance approach
- 38% mix custom-built and pre-built agents, compounding standardization risk
- 52% use a human-in-the-loop model - but two-thirds find it technically challenging to implement
Read those numbers again. Nearly every enterprise is running agents. Barely one in three has centralized governance. And the majority find human oversight technically difficult to maintain.
This is not a gap. It's a chasm.
Why Governance Gets Skipped
The pattern is predictable. A team sees a productivity opportunity. They spin up an agent. It works. Other teams notice. More agents get deployed. Each one is a local success. The aggregate is chaos.
No one set out to create a governance problem. They set out to move fast. Governance was the thing they'd get to later.
Later never comes.
By the time an organization realizes it has a sprawl problem, it has dozens of agents running across different platforms, with different permission models, different data access levels, and no unified audit trail. Retrofitting governance onto that architecture is expensive, slow, and incomplete.
The organizations that will win the agentic AI era are the ones that build governance in from day one - not the ones that move fastest and clean up later.
What Governance-First Looks Like
We published a post a few months ago asking a simple question: "Who gave it permission to do that?"
It's still the right question.
Every agent action should be traceable to an explicit authorization. Not a general "the agent has access to email" - but a specific, scoped permission granted by a specific person for a specific purpose. When something goes wrong (and it will), you need to be able to answer that question in under five minutes.
Governance-first architecture has three components:
1. A policy engine. Every agent action passes through a rule set before execution. Rules can be hard blocks ("never send external email without approval"), soft flags ("escalate if financial commitment exceeds $X"), or monitoring triggers ("log all actions involving investor contacts"). The policy engine is the difference between an agent that operates within guardrails and one that operates on vibes.
2. Observability. You cannot govern what you cannot see. Every agent action - every email drafted, every task created, every API call made - should be logged, searchable, and reviewable. Not just for compliance. For learning. The audit trail is how you improve your governance model over time.
3. Orchestration with escalation paths. Agents need to know when to stop and ask. Not for everything - that defeats the purpose. But for decisions that are irreversible, high-stakes, or outside their established scope, the right behavior is to pause, surface the decision to a human, and wait. This isn't a limitation. It's a feature.
The SMB Advantage
Here's the counterintuitive part: small and mid-sized businesses have a structural advantage in this moment.
Enterprises are retrofitting governance onto agent architectures they built without it. That's expensive, slow, and politically complicated. Every team that deployed its own agents has a stake in the current system. Change is hard.
SMBs are starting fresh. They can build governance-first from day one. They can choose platforms that treat authorization as a core feature, not an afterthought. They can establish the right habits before the sprawl starts.
The window for that advantage is closing. As agentic AI becomes table stakes, the organizations that built correctly will compound their lead. The ones that moved fast and skipped governance will spend the next three years cleaning up the mess.
94% of enterprises are already in that mess.
You don't have to be.
[outermind.ai]