Managed AI against the proliferation of AI agents: Why your unsupervised AI agents will soon become a legal risk

AI agents out of control: How “agent sprawl” became the biggest IT risk in 2025

The end of AI experiments: Why over 40 percent of autonomous agent forces will soon be shut down

Artificial intelligence is revolutionizing everyday business – but while departments are enthusiastically rolling out ever more autonomous AI agents for their processes, a massive IT and compliance risk is brewing in the background. The so-called "agent sprawl" (uncontrolled proliferation of AI agents) not only leads to exploding infrastructure costs and redundant systems, but also opens up dangerous security gaps. With the stringent requirements of the EU AI Act, this lack of control is becoming an existential legal problem. To avert an impending governance disaster and secure the long-term ROI of AI transformation, technology leaders now face a crucial task: They must stop the uncontrolled proliferation and replace it with a central managed AI platform before the window of opportunity closes completely.

Related to this:

• UNFRAME.AI: The Good, the Bad, and the Ungoverned: What Agent Sprawl Is Really Costing You

Managed AI against the proliferation of AI agents: How a central control platform averts the looming governance disaster in the company

In most companies, something has been happening over the past eighteen months that didn't appear in any budget, didn't trigger any risk alerts, and for which no single team is centrally responsible. Department by department, teams have begun deploying AI agents. The finance department built one for invoice verification. HR deployed one for onboarding inquiries. Customer service launched another for ticket triage. Each of these agents solved a real problem. Each was approved, or at least not stopped. And each was built on a different platform, with a different model, connected to a different data source, and regulated by absolutely no one across the board.

This is AI agent sprawl, or "agent sprawl" in English jargon. And by the time most technology leaders have given it a name, significant financial and structural damage has already been done. What at first glance appears to be a minor operational issue is, according to current market data, developing into perhaps the most pressing strategic risk of AI transformation. The figures are clear: Over three million AI agents are already operating in enterprise environments worldwide – and of these, only 47.1 percent are actively monitored or secured. Around 1.5 million agents are thus running completely unsupervised. At the same time, 82 percent of executives believe their existing policies are sufficient. This discrepancy between self-perception and reality is the foundation on which this uncontrolled growth flourishes.

A familiar pattern in a new guise: The historical context of technological proliferation

Agent sprawl is not a new problem, but a familiar pattern in a new guise. The corporate world has already experienced similar phases several times, the course and consequences of which correspond remarkably consistently to the current situation.

Over several years, the so-called cloud sprawl resulted in dozens of uncoordinated cloud environments that devoured budgets and created security vulnerabilities, the complete remediation of which sometimes took years. SaaS sprawl followed the same pattern: at its peak, the average company ran hundreds of applications simultaneously. Although companies are now actively consolidating—the average number of SaaS applications has decreased from 374 to 342—shadow IT remains a massive, persistent problem. According to recent surveys, 68 percent of employees use tools not sanctioned by IT, and 57 percent enter sensitive company data into these unsanctioned systems. IT departments currently manage only 28 percent of total SaaS spending and monitor only 17 percent of all applications.

Then came the RPA sprawl: a wave of automation bots that began with promising pilot results and ended as a tangle of fragile, overlapping workflows that no one could fully test or maintain. In practice, RPA projects often failed due to unrealistic expectations, unclear process selection, and a lack of governance infrastructure. The parallel to the current situation is structurally almost identical—with one crucial difference.

Autonomous AI agents are like RPA with a brain. The same dynamics apply, but the consequences are faster and more far-reaching. An RPA bot that stops working simply stops working. An AI agent operating without governance continues to work—and makes decisions independently. This is the significantly more dangerous scenario. Software waits for commands. Agents act autonomously. This qualitative shift in technology makes the governance question not just a gradual one, but fundamentally more urgent.

Anatomy of an uncontrolled rollout: What uncontrolled growth looks like in practice

The development pattern of agent sprawl is remarkably consistent across organizations, even if the details vary. It typically begins with a small number of well-intentioned pilot projects. The results are promising enough to justify scaling. Other teams notice the positive experiences, request their own agents, or simply build them themselves. Vendors facilitate this process—companies are lured with free or inexpensive entry-level tools, and at first glance, there seems to be little reason not to add yet another platform to the infrastructure.

Within twelve to eighteen months, a typical company finds itself in a situation characterized by several distinctive features: Agents with different functions are being developed on disparate platforms—from OpenAI to AWS and Google to internal tools—without a unified way to monitor or manage them. Because each agent is built differently, from a management perspective, there is no central overview, no so-called "single pane of glass.".

Each agent has its own data connections and access rights, configured independently without a common policy layer. No one has a complete picture of which systems each agent can access. The same integrations are rebuilt over and over again: five agents with five separate connectors to Salesforce; three agents with three independent pipelines to the data warehouse. Agents working in adjacent functions have no common context or coordination layer. When the marketing agent, the supply chain agent, and the HR bot all operate in isolated silos, you don't create an automated workforce—you create a digital revolt. Model selection is also ad hoc: different teams use different vendors based on what was available at the time of build, rather than on strategic standards for cost, performance, or risk profile.

The logic behind this is perfectly rational from the perspective of the individual teams: each department optimizes for its own speed and its own use case. The systemic problem arises from the sum of these local rationales. It is a classic case of coordination failure, which inevitably occurs without an overarching control structure.

The true costs: Beyond the obvious waste of budget

The most obvious costs of agent sprawl are budget waste due to redundant integrations, overlapping functions, and duplicated infrastructure. This is real and adds up quickly. The operating costs for AI agents comprise a multitude of components: infrastructure costs for compute and memory, token costs for API calls, IT management costs for monitoring, security, and updates, and implementation costs, which can range from a few thousand to several hundred thousand euros depending on complexity.

But the less visible costs are the truly dramatic ones: the so-called governance debt. Every agent operating without a central policy layer represents a compliance gap. Every agent running without oversight is an unquantifiable risk. In highly regulated industries like financial services, healthcare, or legal consulting, this gap isn't just theoretical. It's a reprimand that will become a problem during the next audit. Uncoordinated agents lead to "token bleed," where redundant API calls and overlapping computational tasks quietly erode the return on investment.

Even more seriously, they can lead to actual operational failures when agents with conflicting goals operate on the same data without an orchestration layer aligning their decisions. IDC predicts that 60 percent of AI failures in 2026 will be due to governance gaps—not poor model performance. This figure reflects a fundamental insight: The technological maturity of AI models is no longer the primary risk. It is the organizational and structural embedding.

Furthermore, there are far-reaching legal risks. IDC warns in its FutureScape forecasts that by 2030, up to 20 percent of the world's thousand largest organizations will face lawsuits, fines, and the removal of CIOs – caused by serious disruptions resulting from inadequate AI agent governance. The EU AI Act exacerbates this outlook with concrete sanctions: violations can be punished with fines of up to €35 million or 7 percent of global annual revenue. For high-risk AI systems, logging, operational monitoring, and human oversight are explicitly required. A company that operates autonomous AI agents without structured governance thus exposes itself directly to these regulations.

The costs of retroactively implementing governance in a sprawling agent fleet are invariably significantly higher than the costs of establishing a governance infrastructure from the outset. Organizations migrating from governance level 1 to level 3—that is, from reactive error logging to a zero-trust architecture with isolated execution environments—see a 40 percent reduction in their AI-related technical debt and a 25 percent improvement in time-to-market for new agent features, according to CISIN data.

Here you will learn how your company can implement customized AI solutions quickly, securely and without high entry barriers.

A managed AI platform is your all-inclusive, worry-free solution for artificial intelligence. Instead of dealing with complex technology, expensive infrastructure, and lengthy development processes, you receive a ready-made solution tailored to your needs from a specialized partner – often within just a few days.

The key advantages at a glance:

⚡ Rapid implementation: From idea to ready-to-use application in days, not months. We deliver practical solutions that create immediate added value.

🔒 Maximum data security: Your sensitive data stays with you. We guarantee secure and compliant processing without sharing data with third parties.

💸 No financial risk: You only pay for results. High upfront investments in hardware, software, or personnel are completely eliminated.

🎯 Focus on your core business: Concentrate on what you do best. We take care of the entire technical implementation, operation, and maintenance of your AI solution.

📈 Future-proof & scalable: Your AI grows with you. We ensure continuous optimization and scalability, and flexibly adapt the models to new requirements.

More information here:

• Managed AI Platform

Regulatory pressure is growing: EU AI Act as an accelerator for governance obligations

With the EU AI Act, Europe has created the world's first comprehensive law regulating artificial intelligence. In force since August 1, 2024, it will increasingly have an operational impact from 2026 onwards. For companies in Germany and across Europe, this means that AI governance is no longer a voluntary strategic decision; it has become a legal requirement.

The logic of the EU AI Act is risk-based: AI systems are classified into risk categories according to their potential for causing harm, and the requirements increase with the risk. Extensive obligations already apply to high-risk AI applications – for example, in employment, education, or critical infrastructure: risk management systems, data governance, technical documentation, transparency, human oversight, and logging throughout the entire lifecycle. The requirement for an AI use case register is not a bureaucratic formality, but rather the structural minimum prerequisite for any form of compliance: without an inventory, there is no prioritization; without prioritization, there is no functioning compliance.

For companies operating in a fragmented, uncontrolled environment, this regulatory landscape presents a twofold challenge. Firstly, they must conduct an inventory of their existing operations and assess their risk classification. Secondly, they must ensure that new deployments comply with legal requirements from the outset. Both of these tasks are virtually impossible without a central governance infrastructure. The EU AI Act is therefore not an additional bureaucratic hurdle, but rather a regulatory catalyst that accelerates the already necessary strategic decision to establish a platform infrastructure.

EY's analysis of AI trends for 2026 sums it up perfectly: The difference lies less in whether companies use AI, but rather in whether they have the necessary governance structures to operate AI responsibly, scalably, and adaptively. This includes clearly defined roles and responsibilities for AI decisions, robust control mechanisms that keep pace with the speed of technological development, and transparent decisions regarding data and model architectures that enable both internal oversight and regulatory scrutiny.

At the turning point: The short window of time to get ahead of the rampant growth

Gartner predicts that by the end of 2026, around 40 percent of all enterprise applications will integrate task-specific AI agents – compared to less than 5 percent in 2025. This represents an eightfold increase within twelve months. At the same time, less than 25 percent of companies have successfully scaled AI agents into production, even though nearly two-thirds are already experimenting.

Even more revealing is another Gartner statistic: Over 40 percent of agentic AI projects will be abandoned by the end of 2027 – not due to technological limitations, but because of escalating costs, a lack of business value evidence, and inadequate governance. Only 2 percent of companies have fully implemented agentic AI today. A mere 21 percent report having a mature framework for managing autonomous agents. These are sobering figures when compared to the explosive growth forecast.

The window of opportunity for a CIO or CDO to proactively address this problem is shrinking daily. Business units are now building agents on their own timelines, using their own tools, and outside the purview of central IT. Every day that passes without establishing a structured governance approach is a day that the technical and compliance debt continues to accumulate. And repaying that debt becomes more expensive with every additional agent deployed without oversight.

The managed AI platform as a structural answer: Why a platform approach solves a deployment problem

Organizations that effectively curb uncontrolled growth make a crucial strategic distinction early on: They treat the AI ​​agent infrastructure within the company as a platform problem, not a deployment problem. This semantic shift has far-reaching structural consequences.

A deployment focus asks: How do I quickly build a good agent for this specific use case? A platform focus asks: How do I create an infrastructure that allows all agents in the company to operate reliably, securely, in a regulated manner, and cost-effectively? The answer to the second question is the central control plane. It is the only place where agents are regulated, customized, monitored, and deployed—before the number of agents grows to the point where governance becomes difficult to implement retroactively.

Such a managed AI platform systematically addresses all the core problems of uncontrolled growth. It creates a unified view of all active agents within the organization, regardless of the underlying platform on which they originated. It enforces a common policy layer for data access, permissions, and escalation paths. It enables true observability—the ability to understand which data an agent has consulted, which alternatives it has considered, and why it made a particular decision. And it ensures that model selection, cost monitoring, and security architecture follow strategic standards rather than ad-hoc decisions.

The analogy to DevOps and MLOps is particularly apt here: When software development and machine learning operations were structured in recent years, the same principles were followed – tools, guardrails, metrics, and central policy levels as the foundation. The same logic applies to AI agents, but with an added urgency arising from the autonomous nature of the systems.

Unified AI governance platforms are now recognized by IDC as critical infrastructure for scalability. They provide a single source of truth for policy, monitoring, and reporting. According to IBM research, organizations with comprehensive governance frameworks achieve a 30 percent better ROI from their AI portfolios compared to those relying on manual approaches.

Security and data protection dimension: The underestimated risk of unmonitored agents

Beyond the compliance and operational risks, uncontrolled agent sprawl presents a specific security dimension that is still under-discussed. Every unmonitored agent is potentially a hidden cost center consuming cloud resources, a compliance liability that exposes the company to regulatory penalties, and a potential security vulnerability that can be exploited for unauthorized data access.

The problem of uncontrolled decision cascades is particularly critical: When agents are authorized to perform actions, consideration must be given to how these actions might propagate through interconnected systems. A lack of control and visibility can lead to unintended consequences that spread across complex system landscapes. Furthermore, if teams lack explanatory tools to understand why an agent performed a particular action, managers may be unable to defend the results to regulators or customers.

Only 14.4 percent of organizations receive full security clearances before deploying agents. This means that in more than 85 percent of cases, agents are running in production environments without their security profile having been systematically assessed. In a world where agents can access sensitive personnel files, financial data, customer data, and critical business processes, this is unacceptable.

A zero-trust approach for the agent infrastructure—where each agent receives only the minimum necessary permissions, and these are granted dynamically on a session-by-session basis—provides the technical response to this risk profile. Supplemented by "human-in-the-loop" mechanisms that define when an agent must pause and seek human confirmation, this creates a security architecture that balances autonomy and control.

Three strategic immediate actions: What leaders need to do now

The practical way out of this uncontrolled proliferation doesn't begin with selecting a platform, but with a structured inventory. Companies should take three consecutive immediate actions before deploying the next agent.

The first step is a complete inventory of all active agents across the entire organization. This includes recording the platform on which each agent was created, the data it can access, the systems it interacts with, and the individuals responsible for its behavior. Most organizations discover more agents than anticipated during this exercise—often with broader access rights than originally intended. This inventory is not a one-off task but rather the beginning of an ongoing lifecycle management process that serves as the foundation for all subsequent governance measures.

The second step is standardizing the infrastructure layer, not the use cases. The mistake many companies make is trying to build all agents the same way. This stifles innovation and is practically unenforceable. What needs to be standardized instead is the layer below: how agents access data, how it is logged, how their performance is measured, and how security policies are enforced. This separation between a standardized infrastructure layer and the freedom to customize at the use-case level is the structural secret to successful enterprise AI governance. Large organizations should aim for a platform-first design with centralized standards and local execution: cross-platform governance with approved model catalogs, standard logging, reusable evaluation templates, and policy-based access.

The third step is establishing a continuous ROI measurement framework for all agents. Leaders should ensure a basis for evaluating the actual value contribution of each agent before new deployments are approved. This includes requiring anyone wishing to deploy an agent to submit a cost assessment and benefit forecast beforehand. Furthermore, periodic reviews of agent AI expenditures and optimization opportunities create the organizational foundation for a sustainable cost-benefit balance. Boards and governance committees increasingly demand measurable returns, not just innovation headlines—governance plays a direct role in ROI by reducing risks, improving reliability, and accelerating deployment.

Early architectural decisions as a turning point: Why now is the decisive moment

A pattern repeats itself with remarkable regularity in the history of technology: early architectural decisions determine long-term competitiveness. Those who embraced multi-cloud governance early in their cloud transition now have significant advantages over those who struggled years later with the arduous dismantling of distributed, uncontrolled environments. With agent sprawl, the enterprise landscape now stands at precisely this juncture.

The window of opportunity is narrow. Gartner identifies a three-to-six-month horizon within which software organizations must define their agentic AI strategy and investment plan—or risk being left behind. The exponential growth curve—from less than 5 percent to 40 percent penetration in twelve months—means that if the uncontrolled growth isn't structured now, it will very quickly reach a level where corrective action becomes enormously expensive or virtually impossible.

At the same time, Gartner's other forecast serves as a sobering warning: Over 40 percent of agent-based AI projects will be abandoned by 2027. The companies that abandon these projects will not be those that chose the worst AI technology. They will be those that failed to build a governance infrastructure and whose escalating costs and lack of proven value have eroded their legitimacy for further investment. Governance, therefore, is not the opposite of innovation—it is the infrastructure that makes sustainable innovation possible in the first place.

The lesson from previous technology waves – whether cloud, SaaS, or RPA – is clear: uncontrolled growth always occurs when the speed of adoption exceeds the maturity of the governance infrastructure. AI agents that were still experimental in 2025 will be operational reality in 2026. The momentum is unstoppable. The question is not whether agents will become the enterprise standard – that has already been decided. The only remaining question is whether this transition will take place on a controlled foundation or amidst a governance disaster.

Companies investing in a centralized managed AI infrastructure today are not just buying control and compliance. They are buying the right to continue benefiting from agentic AI for two or three years – while others will be busy picking up the pieces of an uncontrolled, rampant growth.

I would be happy to serve as your personal advisor.

You can contact me at wolfenstein∂xpert.digital or

Just call me on +49 7348 4088 965 .

LinkedIn