96% of Enterprises Use AI Agents. 94% Say the Sprawl Is Already Out of Control

There is a pattern forming across enterprise IT that should concern anyone responsible for platform architecture. Nearly every organization is deploying AI agents. Almost nobody is governing them. OutSystems published its 2026 State of AI Development report in April, surveying roughly 1,900 global IT leaders, and the headline numbers paint a picture of adoption outrunning infrastructure.

According to the report, 96 percent of organizations are already using AI agents in some capacity. Ninety-seven percent are exploring system-wide agentic AI strategies. And 94 percent report that AI sprawl is creating unmanageable complexity, technical debt, and security risk. That last number is the one that matters.

The Sprawl Problem

The issue is not that enterprises are adopting agents too quickly. The issue is that they are adopting them without centralized governance.

According to OutSystems, 38 percent of organizations are mixing custom-built and pre-built agents, creating AI stacks that are difficult to standardize and secure. Each team or department picks its own tools, builds its own agents, and connects them to its own data sources. The result is a fragmented landscape of AI capabilities with no unified management layer.

Only 12 percent of enterprises have implemented a centralized platform to manage agent sprawl. That means 88 percent of organizations are running agents across their operations with no single pane of glass for visibility, no consistent security model, and no standardized way to audit what agents are doing.

This is the same pattern enterprises went through with cloud adoption a decade ago. Teams spun up AWS instances without central oversight. Shadow IT proliferated. Security gaps multiplied. It took years of painful consolidation to build cloud governance frameworks. The same cycle is starting with AI agents, and it is moving faster.

Why Governance Matters More Than Capability

The capability story is strong. According to the OutSystems survey, 49 percent of IT leaders describe their agentic AI capabilities as advanced or expert level. Fifty-two percent rely on a human-on-the-loop operational model, meaning agents operate autonomously with human oversight rather than human approval at every step.

But capability without governance creates risk. When agents operate across different platforms with different data access policies, the attack surface expands with every new deployment. When there is no centralized audit trail, compliance becomes impossible. When agents from different vendors interact with each other, failure modes become unpredictable.

The security implications alone should be driving urgency. AI agents typically need broad data access to be effective. They connect to databases, APIs, file systems, and third-party services. An ungoverned agent with overly permissive access is not just an operational risk. It is a security vulnerability waiting to be exploited.

What To Do About It

1. Inventory your current agent landscape. Before you can govern agents, you need to know where they are. Catalog every AI agent deployed across your organization, including the ones teams built without IT approval. For each agent, document what data it accesses, what actions it can take, and who is responsible for it.

2. Define agent governance policies now. Establish clear policies for agent deployment: who can deploy agents, what data access levels are permitted, what approval processes are required, and how agents are monitored. Do not wait until you have a centralized platform. Start with policy, then build tooling to enforce it.

3. Consolidate toward a platform approach. The long-term solution is a centralized agent management platform that provides visibility, access control, audit trails, and lifecycle management across all agents. Evaluate whether your existing enterprise platforms like ServiceNow, Atlassian, or Salesforce are building agent management capabilities that could serve as a foundation.

4. Treat agent security like application security. Apply the same rigor to agent deployments that you apply to production application deployments: security reviews, access control audits, penetration testing, and incident response planning. Agents are software. Govern them like software.

HRIM's Take

The OutSystems data confirms what we are hearing from every enterprise client conversation: agents are proliferating faster than governance can keep up. The 94 percent sprawl concern number is not surprising. What is surprising is how few organizations are treating this as urgent. The window to get ahead of agent sprawl is closing. The organizations that build governance frameworks now, while agent deployments are still in the dozens, will be far better positioned than those who wait until they have hundreds of ungoverned agents scattered across their stack. This is a platform architecture problem, and it needs to be treated as one.