Agent Sprawl Is the New Shadow IT — And the Numbers Are Worse Than You Think
97% of enterprises now run AI agents. Only 12% have centralized control. The 88-point gap between running and governing is the operational consequence of an executive perception gap — and the architecture answer is the same for AIGF v2.0, EU AI Act, DORA, and OSFI E-23 simultaneously.
Securing the Agentic Era — Article 11 · AI Governance
A piece of data published two weeks ago has not been turned into an argument by anyone yet, and it should be the argument every board, every CEO, every CISO, and every regulator has on the table this quarter.
OutSystems’ 2026 State of AI Development surveyed enterprise technology leaders and found that 97% of organizations now run AI agents in production. 94% are concerned about agent sprawl. Only 12% have centralized control. Only one in five report mature governance for autonomous systems.
The headline number is the spread: between what is running and what is governed, there is an 88-point gap.
Every regulatory framework currently in motion — the FINOS AI Governance Framework v2.0, the EU AI Act high-risk obligations, DORA, OSFI E-23, the FDA’s expectations on AI-enabled medical devices, the SEC’s investment-advice guidance, NIST AI RMF — was written on the assumption that the regulated enterprise knows what it is running. 88% of enterprises do not.
That is not an awareness gap. It is an infrastructure gap. And with EU AI Act high-risk enforcement 89 days away, the cost of that gap is no longer theoretical.
This is what shadow IT looks like in 2026. The vocabulary is mostly the same. The stakes are not.
Shadow IT 2014 vs Shadow AI 2026
The first wave of shadow IT, around 2014, was about unsanctioned SaaS — the marketing team’s Trello, the sales rep’s HubSpot trial, the engineering team’s GitHub-with-personal-credentials. The cost was data fragmentation, integration debt, compliance blind spots, and security risks at the data boundary. Painful, but recoverable. Eventually the SaaS got centralized, the spend got rationalized, the data went into a warehouse, and the auditors found a way to ask about it.
Shadow AI in 2026 is structurally different. The cost is not unmanaged data. It is unmanaged decisions.
An agent does not just store information. It takes actions. It calls tools, makes API requests, queries databases, modifies records, sends emails, executes transactions, and hands off to other agents. It maintains state across sessions. It exhibits emergent behavior across multi-agent chains. It does all of this at machine speed, often without a human in the loop, and almost always without an authoritative policy decision being recorded at the moment the action fires.
The control surface has moved. In 2014 the question was: what data left the building? In 2026 the question is: what action was taken, by which agent, on whose authority, against what policy, with what evidence, at what time?
The same governance vocabulary does not fit. An asset register is necessary but not sufficient. An audit log is necessary but not sufficient. A policy document is necessary but not sufficient. The architectural primitive every regulator is now asking about is runtime evidence of control effectiveness — proof that the policy fired at the moment of the action, and that the institution can produce that proof on demand.
Most enterprises do not yet have the infrastructure to answer that question for any single agent. The OutSystems data says they do not have it across the fleet of agents that 97% of them are now running, either.
The four governance gaps the OutSystems numbers expose
The 88-point gap between running and governing decomposes into four specific architectural deficiencies. Each maps directly to a clause in one or more regulatory frameworks now in force.
Agent inventory. 88% of enterprises cannot answer the question: which AI agents are running in our environment, what data do they touch, what tools can they invoke, and who is accountable for them? The Vision Compliance 2026 EU AI Act Readiness Report puts the number even higher — 83% of enterprises have no AI inventory. This is the AIGF v2.0 AI Asset Management control. It is also the substrate for EU AI Act Article 9 risk management systems and the conformity assessment regime that activates August 2. Every other governance control depends on the inventory. None of them work without it.
Identity for non-human actors. The typical regulated enterprise now operates with somewhere between 50 and 150 non-human identities for every human user, depending on agent deployment maturity. Each one is a potential authorization decision: each tool call, each MCP request, each agent handoff. Most enterprises still treat agents as application processes rather than as users. The AI Act’s Article 14 human oversight obligations and the AIGF v2.0 controls on agent action authorization both presume the institution has a non-human identity model. Almost none do at production scale.
Authoritative policy decisions at runtime. Most products in the AI governance market today log decisions after the fact. They do not intervene at the moment of action. They are observation tools, not enforcement tools. The AIGF v2.0 agentic risk catalogue names this gap directly: agent action authorization bypass is the second of the six new agentic risk categories, and it describes precisely the scenario where an agent invokes a tool the platform allowed but the policy did not. Logging the bypass after it happened satisfies neither the AIGF nor the EU AI Act. The architectural primitive is an authoritative policy decision point in the operational path of the agent, not adjacent to it.
Evidence of control effectiveness. Only 1 in 5 enterprises reports mature governance for autonomous systems. That number maps almost exactly to the percentage of institutions that can produce regulator-grade evidence on demand — tamper-resistant, identity-attributed, mapped to specific regulatory clauses, retrievable at examination time. DORA’s Article 19 requirements on continuous evidence and the AIGF’s mandatory evidence layer both describe this artifact. 80% of enterprises do not produce it today. They will be asked to produce it in 89 days.
Reading the OutSystems data the way a regulator would
The OutSystems numbers have been published as operational metrics — interesting, slightly alarming, business-as-usual for an AI report. Read them through a DORA examiner’s lens or an EU AI Act conformity assessor’s lens, and they are something else entirely.
"94% of enterprises are concerned about agent sprawl" is not a sentiment statistic. It is a self-disclosed material ICT risk event under DORA. Every institution in scope for DORA has a duty to assess, document, and mitigate material ICT risks they are aware of. 94% have, in print, acknowledged awareness of one. Most have done none of the documentation, mitigation, or evidence work that DORA requires once awareness is on the record.
"Only 12% have centralized control" is the AIGF v2.0 AI Asset Management control assessment, in inverted form. 88% of enterprises cannot pass that control today. AIGF v2.0 is moving from voluntary framework to procurement standard at the institutions that contributed to it. RBC, Morgan Stanley, Citi, BMO, Bank of America, JP Morgan — these institutions are not going to deploy or contract with vendors who fail the asset-management control once their internal procurement standards harden.
"Only 1 in 5 has mature governance for autonomous systems" is the EU AI Act high-risk readiness assessment. 80% of enterprises will not pass an Article 9 / Article 14 / Article 26 conformity check on August 2 if the original deadline holds — and given that the second EU AI Act trilogue collapsed last week without agreement on the proposed Digital Omnibus delay, the August 2 deadline is the operating assumption every legal practitioner is now defending in writing.
The OutSystems data was published as a moment-in-time read on AI agent adoption. Read like a regulator would read it, the data is a forward indicator of audit findings.
What boards and CEOs are missing
There is a complementary signal worth surfacing. BCG’s May 2026 survey of 625 senior leaders — 351 CEOs and 274 board members from companies with $100M+ in revenue — found a perception gap that explains why the OutSystems numbers exist.
Boards believe their AI knowledge is on par with or better than peers (75% say so). 60% of CEOs say their boards are pushing too fast on AI transformation. 35–40% of CEOs say their boards overestimate what AI can replace and lack a realistic view of how AI reshapes the business.
The two studies, read together, describe one structural failure. Boards are pushing for speed without visibility into the runtime behavior of the systems they are accelerating. CEOs are accountable for outcomes they cannot inspect. The 88-point gap between running and governing is the operational consequence of an executive perception gap — boards moving faster than the infrastructure they cannot yet see.
The remedy is not better board education or better CEO communication. The remedy is shared evidence. When the same dashboard shows the board the velocity of agent deployment and the CEO the evidence of control effectiveness, the perception gap closes — not because either party changes their mind, but because both are working from the same picture.
That dashboard is the Trust Layer the prior pieces in this series have described. It is what the FINOS AIGF v2.0 specifies. It is what DORA, OSFI, the EU AI Act, FDA 21 CFR Part 11, and the new RAPID coverage pathway are all converging on. It is the architectural primitive nobody is going to deliver on a slide.
97% running. 12% governing. 89 days.
The 88-point gap between running and governing is the architectural problem of the next 18 months. The institutions that started before they had to are the ones who will be ready when the next forcing function arrives.
The FINOS AIGF v2.0 codifies the gap
The FINOS AI Governance Framework v2.0, released in late 2025, added a dedicated agentic AI risk catalogue. Six new risk categories specific to autonomous architectures, mapped to the EU AI Act, DORA, NIST AI RMF, ISO 42001, OWASP, and MITRE ATLAS.
Each of the six describes a scenario the agent platform will run successfully and the regulator will find unacceptable. Multi-agent trust boundary violations. Agent action authorization bypass. Tool chain manipulation. MCP server supply chain compromise. Agent state persistence poisoning. Agent-mediated credential harvesting.
What is critical about the AIGF v2.0 catalogue is that the controls are sequential. The institution must first know what is running — the inventory question — before any of the six can be evaluated. AIGF was built on the assumption that the 12% can become 100%. The path from 12% to 100% is the infrastructure problem of the next 18 months — and it is also the substrate on which every other regulatory expectation rests.
Why most current tools won’t close the gap
The market is full of tools. Most of them solve the wrong problem.
Traditional GRC platforms — ServiceNow, MetricStream, and the rest — were built for asset registers of static systems and policy management against checkbox compliance. They work for the artifacts of the previous era. They do not enforce policy at agent runtime, do not produce regulator-grade evidence as a byproduct of operation, and do not map naturally to the AIGF v2.0 agentic risk catalogue.
AI security tools — the ones that emerged 18 months ago and have largely been absorbed into network and application security stacks — focus on prompt injection, data exfiltration, and model-layer threats. They do not address the four governance gaps named above. They are necessary but not sufficient.
Model monitoring tools track drift, performance, latency. They do not enforce authorization at the moment of tool invocation. They are observation, not control.
Custom internal builds at large institutions are bolted on to existing infrastructure and struggle with the runtime requirement. Most produce dashboards that summarize what already happened. Few produce evidence that intervenes before the action.
The categorical mismatch is the same one the prior pieces in this series have identified — the AI governance stack most enterprises spent the last three years building was designed for a world that no longer exists. That argument was the thesis of the Open RegTech piece two weeks ago. The OutSystems data is the empirical proof.
The Canadian signal
The institutional money is moving, and where it is moving tells you what is going to happen next.
Three of Canada’s six Domestic Systemically Important Banks are now active in the FINOS ecosystem. RBC co-chairs the FINOS Open RegTech Special Interest Group. TD joined as a Platinum FINOS member on April 13, with Rajesh Raman joining the FINOS Governing Board. BMO is active through its technology and innovation leadership.
OSFI E-23 on model risk management is in force. B-13 on technology and cyber risk is in force. The forthcoming OSFI guidance on AI in financial services will be examination-relevant on its own timetable, independent of any EU AI Act trilogue outcome.
What the Canadian D-SIB cohort is funding is the infrastructure layer that closes the 88-point gap. Not vendor tools. Not consulting projects. Open-source standards (CDM, Morphir, DRR, AIGF v2.0) plus managed infrastructure to run them under SLA. The institutional appetite for that combination is significant and growing — and it is the answer to the FCA, BaFin, FINMA, MAS, JFSA, OCC, and Federal Reserve questions for any institution with cross-jurisdictional exposure.
What the right architecture looks like
It is worth being precise about what the architecture is, because the OutSystems and BCG data together describe the gap, and the regulatory frameworks together describe the requirement, but neither describes the build.
The architecture is five capabilities, deployed together, on managed infrastructure.
A continuously updated agent inventory — not an annual register, a living artifact that updates as agents are deployed, retired, or reconfigured. Every agent has an owner, a permission set, an authorized scope, and a record of every change.
Identity for every non-human actor — agents, tools, MCP servers, cross-agent handoffs. Each has an identity, an authentication method, and a permission tier. Each tool call carries a verifiable identity assertion. Each handoff is logged.
An authoritative policy decision point in the operational path of every model invocation, every tool call, and every cross-agent handoff. Policy is resolved, versioned, and locked before the agent runs. The decision point intervenes — allow, deny, escalate, hold — at the moment of action, not after.
Evidence collection as a byproduct of operation. Every authorization decision produces an artifact: tamper-resistant, identity-attributed, time-stamped, mapped to the regulatory clause it satisfies. The institution does not assemble evidence for audit. The infrastructure produces evidence continuously, and audit is a query against the existing artifact set.
Cross-domain consistency. The same evidence pipeline works for agent governance, for trade reporting, for life sciences submissions, for any regulated workflow. One operating model. One audit story. One pane of evidence across multiple regulatory domains. This is what the prior series piece called the Trust Layer — the architectural primitive that closes the gap between running and governing.
These five together are the architectural answer to the OutSystems data, the BCG perception gap, the AIGF v2.0 risk catalogue, the EU AI Act high-risk obligations, and the DORA evidence regime, simultaneously. They are not separate projects. They are one infrastructure problem.
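The first four capabilities, reduced to running code, as an added example that is not part of the article and is not iTmethods' or Reign's implementation. A toy policy decision point sits in the path of a tool call: it looks the agent up in an inventory, verifies a non-human identity assertion, resolves a versioned policy to ALLOW, DENY or ESCALATE before the tool runs (the article's HOLD outcome is omitted), and appends a hash-chained, time-stamped, identity-attributed evidence record for every decision, including denials. It also shows the "agent action authorization bypass" scenario from the risk catalogue: a tool the platform exposes but the policy does not grant to that agent. Every agent name, tool name, signing key, policy version and clause label is constructed for the example.

```python
"""Toy policy decision point (PDP) with hash-chained evidence. Added example;
not the article's or any vendor's code. All names and keys are constructed."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Constructed inventory: who owns each agent and which tools policy grants it.
INVENTORY = {
    "invoice-agent": {"owner": "ap-team", "allowed_tools": {"read_ledger", "post_journal"}},
    "support-agent": {"owner": "cx-team", "allowed_tools": {"read_ticket", "send_email"}},
}
# Tools the platform exposes to every agent process (broader than any agent's policy scope).
PLATFORM_TOOLS = {"read_ledger", "post_journal", "read_ticket", "send_email", "delete_record"}
# High-impact tools: policy allows them only with a human in the loop.
ESCALATE_TOOLS = {"post_journal", "send_email"}
POLICY_VERSION = "policy-v3"            # constructed; resolved and locked before the agent runs
SIGNING_KEY = b"constructed-demo-key"   # constructed; a real deployment uses per-agent keys


def issue_identity(agent_id: str) -> str:
    """Constructed identity assertion: an HMAC over the agent id standing in for a real token."""
    return hmac.new(SIGNING_KEY, agent_id.encode(), hashlib.sha256).hexdigest()


def verify_identity(agent_id: str, assertion: str) -> bool:
    return hmac.compare_digest(issue_identity(agent_id), assertion)


@dataclass
class EvidenceLedger:
    """Append-only ledger; each record's hash covers its body and the previous hash."""
    records: list = field(default_factory=list)

    @staticmethod
    def _digest(record: dict) -> str:
        body = json.dumps({k: v for k, v in record.items() if k != "hash"}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def append(self, record: dict) -> dict:
        record["prev_hash"] = self.records[-1]["hash"] if self.records else "0" * 64
        record["hash"] = self._digest(record)
        self.records.append(record)
        return record

    def verify(self) -> bool:
        """Recompute the chain; any edited or removed record breaks it."""
        prev = "0" * 64
        for r in self.records:
            if r["prev_hash"] != prev or self._digest(r) != r["hash"]:
                return False
            prev = r["hash"]
        return True


def authorize(ledger: EvidenceLedger, agent_id: str, assertion: str, tool: str) -> str:
    """Decide before the tool runs; record evidence whatever the outcome."""
    entry = INVENTORY.get(agent_id)
    if entry is None:
        decision, reason, clause = "DENY", "agent not in inventory", "AIGF v2.0 AI Asset Management"
    elif not verify_identity(agent_id, assertion):
        decision, reason, clause = "DENY", "identity assertion failed", "AIGF v2.0 agent action authorization"
    elif tool not in entry["allowed_tools"]:
        # The platform may expose this tool, but policy never granted it to this agent.
        decision, reason, clause = "DENY", "tool outside authorized scope", "AIGF v2.0 agent action authorization"
    elif tool in ESCALATE_TOOLS:
        decision, reason, clause = "ESCALATE", "high-impact tool, human approval required", "EU AI Act Article 14"
    else:
        decision, reason, clause = "ALLOW", "within authorized scope", "AIGF v2.0 agent action authorization"
    ledger.append({
        "ts": time.time(), "agent": agent_id, "owner": entry["owner"] if entry else None,
        "tool": tool, "platform_exposes_tool": tool in PLATFORM_TOOLS,
        "policy_version": POLICY_VERSION, "decision": decision, "reason": reason, "clause": clause,
    })
    return decision


if __name__ == "__main__":
    ledger = EvidenceLedger()
    token = issue_identity("invoice-agent")
    for tool in ("read_ledger", "post_journal", "delete_record"):
        print(tool, "->", authorize(ledger, "invoice-agent", token, tool))
    print("unknown agent ->", authorize(ledger, "rogue-agent", issue_identity("rogue-agent"), "read_ticket"))
    print("chain intact:", ledger.verify())
    ledger.records[0]["decision"] = "DENY"   # simulate after-the-fact tampering
    print("chain intact after edit:", ledger.verify())
```

The point of the chain is the last two lines: an auditor replaying `verify()` detects any record rewritten after the fact, which is what separates evidence produced as a byproduct of operation from a log that can be edited before examination. The `delete_record` case is the bypass scenario: `platform_exposes_tool` is true in the record, but the decision is DENY because the inventory scope, not the platform allowlist, is the authority.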
What we are building
At iTmethods this is what the Fortress Family — Reign, Forge, and BioCompute — is being built to deliver.
Reign is the Trust Layer for enterprise AI. The AI Gateway evaluates policy in the operational path of every model invocation and every tool call. The Evidence Engine produces the regulator-grade artifacts that DORA, the FINOS AIGF v2.0, and the EU AI Act high-risk requirements all specify. Reign maps to all 25 AIGF risk categories, including the six new agentic risks in v2.0. Foundation is in production today. Full agentic-runtime coverage and the dual-regulator evidence architecture that the AIGF v2.0 codifies are in active development.
Forge is the managed infrastructure layer underneath. The same operating model that runs Fluxnova for business process orchestration runs AI workloads under governance. One SLA. One evidence pane. Reign-aligned by default.
BioCompute extends the same pattern into sovereign AI for regulated life sciences — pharma, biotech, diagnostics, clinical research — where the FDA, EMA, HIPAA, and the new RAPID coverage pathway are imposing the same evidence requirements on AI-enabled diagnostics that the AI Act imposes on financial services.
We are building deadline-agnostic infrastructure by design. The platform is architected to satisfy whichever deadline lands, in whichever jurisdiction, on whichever date the political process produces. We are honest about the building-versus-available distinction because regulators will be honest about it too — the path from 12% to 100% governance maturity is a 12 to 18 month build, and the institutions that started it before they had to are the ones that will be ready when the next forcing function arrives.
The bottom line
97% of enterprises are running AI agents.
12% have centralized control.
88% of the governance maturity is inside that gap.
89 days to EU AI Act high-risk enforcement. DORA already in force. OSFI E-23 already in force. The FINOS AIGF v2.0 moving from voluntary framework to procurement standard at every institution that contributed to it. The boards pushing for speed. The CEOs accountable for outcomes they cannot inspect. The regulators preparing to ask the same question in five jurisdictions at once: show me what your agents did, on whose authority, with what evidence.
The infrastructure problem is who closes the 88-point gap, and how, and at what evidence grade.
The pieces are on the board. The institutional money is moving. The data is in print. The clock is running.
97% are running. 12% are governing. The 89-day window is when those numbers stop being acceptable.
Paul Goldman is CEO of iTmethods and creator of the Fortress Family — Reign, Forge, and BioCompute — the trust layer for enterprise AI. He has been building managed infrastructure for regulated enterprises for 21 years and writes weekly on AI governance and what regulated enterprises need to build safely in the agentic era.
Reign is the AI governance and runtime enforcement layer of the Fortress Family. The Evidence Engine produces regulator-grade compliance artifacts mapped to the FINOS AIGF v2.0. Forge operates Fluxnova and AI workloads on managed infrastructure. BioCompute extends sovereign AI to regulated life sciences. Enterprise AI. Governed. Learn more at itmethods.com.
Sources
- OutSystems 2026 State of AI Development — Agentic AI Goes Mainstream in the Enterprise, but 94% Raise Concern About Sprawl (PR Newswire, April 22, 2026)
- BCG — CEOs and Boards Are Aligned on AI in Theory, but Divided in Practice (May 2026, survey of 625 leaders)
- Vision Compliance — 2026 EU AI Act Readiness Report (78% of enterprises unprepared, 83% have no AI inventory)
- FINOS AI Governance Framework v2.0 — Addressing Agentic AI Risks in a Rapidly Evolving Landscape (FINOS, late 2025)
- EU AI Act Implementation Timeline — August 2, 2026 high-risk activation
- DORA Article 19 + Final RTS on incident reporting and continuous evidence
- OSFI E-23 — Model Risk Management Guideline
- TD FINOS Platinum Membership Announcement (April 13, 2026)
- Permiso / CyberArk — Non-Human Identity Ratios in Enterprise Environments
