What is AI agent sprawl?
By Identra · Updated
AI agent sprawl is the uncontrolled multiplication of AI agents across an organization, growing faster than security teams can inventory or govern them. Each agent carries credentials, tool access, and data permissions, and many outlive their purpose. The result is a fleet of semi-autonomous identities with unclear ownership and unmonitored privileges.
Key numbers
- Machine identities outnumber human identities 82 to 1 in the average organization (CyberArk Identity Security Landscape, 2025)
- 33% of enterprise software applications will include agentic AI by 2028, up from under 1% in 2024 (Gartner press release, June 2025)
- Over 40% of agentic AI projects will be canceled by end of 2027, often for inadequate risk controls (Gartner press release, June 2025)
Why do AI agents multiply faster than governance?
Creating an AI agent used to require an engineering team. Now it requires a prompt. Low-code agent builders, agent features embedded in SaaS products, and open frameworks mean that any employee, any team, and increasingly any other agent can stand up a new autonomous worker in minutes. Governance processes built for quarterly application reviews cannot keep pace with identities that appear by the hour.
The multiplication is structural, not accidental. Agentic architectures encourage decomposition: a planner agent delegates to retrieval agents, coding agents, and browsing agents, each of which may hold its own credentials and tool connections. One approved project can quietly become a dozen active identities. Gartner projects that 33% of enterprise software applications will include agentic AI by 2028, up from less than 1% in 2024, which means sprawl arrives even in organizations that never explicitly launched an agent program.
The baseline was already unfavorable before agents. CyberArk's 2025 Identity Security Landscape found machine identities outnumbering human identities 82 to 1. Agents add a faster-growing and less predictable layer on top of that ratio, because they are cheap to create, easy to copy, and often invisible to the identity systems of record.
What makes agent sprawl risky?
Sprawl is not just clutter. Each unaccounted agent is an identity with real access and no accountable human behind it. The failure modes compound.
- Unclear ownership: agents created by employees who change roles or leave keep running with nobody responsible for their behavior or their access.
- Orphaned privileges: an agent built for one project retains API keys, OAuth tokens, and database grants long after the project ends.
- Invisible delegation: agents that spawn sub-agents or call other agents create access chains no access review was designed to trace.
- Audit gaps: actions taken by an agent are often logged under a shared service account, so investigators cannot tell which agent, or which instruction, did what.
- Abandoned experiments: Gartner expects over 40% of agentic AI projects to be canceled by the end of 2027, and canceled projects rarely include a credential cleanup step.
Ephemeral agents, persistent grants
The sharpest edge of agent sprawl is a lifecycle mismatch. Agent instances are ephemeral: they spin up for a task, run for minutes or hours, and disappear. The grants they use are persistent: API keys that never expire, OAuth refresh tokens that renew indefinitely, service-account roles that survive every restart.
This mismatch inverts the usual security assumption. With human identities, the person persists and sessions expire. With agents, the workload evaporates and the credential persists. A short-lived agent that was compromised, prompt-injected, or simply misconfigured can leave behind a long-lived token that an attacker replays weeks later. Because the agent itself is gone, there is no obvious owner to notify and no running process to kill. Deprovisioning tools built around employee offboarding never fire, since nothing that looks like an employee ever left.
How is agent sprawl different from shadow IT?
Agent sprawl inherits traits from earlier unmanaged-growth problems but behaves differently enough that old playbooks fall short.
| Dimension | Shadow IT | Secret sprawl | AI agent sprawl |
|---|---|---|---|
| What multiplies | Unsanctioned apps and SaaS accounts | Credentials scattered across code and configs | Autonomous identities that act on their own |
| Who creates it | Employees seeking tools | Developers under delivery pressure | Employees, developers, and other agents |
| Rate of growth | Per purchase decision | Per deploy | Per prompt, potentially per task |
| Blast radius | Data in one app | Whatever the leaked secret unlocks | Every system the agent can reach, chained through delegation |
| Detection | Expense reports, CASB, SSO logs | Secret scanning | No mature standard; requires runtime observation |
How do you inventory AI agents?
You cannot govern what you have not counted, and agent inventories go stale faster than any asset class before them. Effective programs combine several discovery signals rather than relying on self-registration.
- Mine credential issuance: every agent needs secrets to act, so API key creation, OAuth consent grants, and service-account provisioning logs are high-signal discovery feeds.
- Watch the traffic: LLM API calls, MCP server connections, and machine-speed request patterns at egress points and API gateways reveal agents that no one registered.
- Instrument the platforms: agent frameworks, orchestration platforms, and low-code builders should feed a central registry automatically at creation time, not through voluntary tickets, the pattern Entra Agent ID sets by assigning directory identities to agents at creation.
- Assign ownership at birth: every agent gets a named human owner, a stated purpose, and an expiry date; anything unowned is a decommissioning candidate by default.
- Tie grants to lifecycle: credentials should expire with the agent that used them, with short-lived tokens preferred over static keys so cleanup is automatic rather than remembered.
How Identra thinks about it
We read agent sprawl as a runtime problem wearing an inventory costume. A spreadsheet of agents is stale the moment it is saved, because agents are created, cloned, and abandoned continuously. The durable control point is the moment an agent acts: every tool call, credential use, and delegation observed live, attributed to a specific agent and its accountable human owner, with grants that expire when the agent does. Treat each agent as a first-class identity with a lifecycle, not as traffic from a shared service account, and sprawl becomes a managed population instead of an unmapped one.
Go deeper: The Non-Human Majority
Frequently asked questions
What causes AI agent sprawl?
Agents became trivially cheap to create. Low-code builders, agent features inside SaaS products, and open frameworks let any employee, team, or even another agent spin up a new autonomous worker in minutes. Agentic architectures then multiply the count further, because one approved project decomposes into planner, retrieval, coding, and browsing agents, each holding its own credentials.
What is an orphaned AI agent?
An orphaned agent is one that keeps running, or whose credentials keep working, after the person or project responsible for it has moved on. The agent instance may even be gone while its API keys, OAuth refresh tokens, and service-account grants persist. With no accountable owner, nobody reviews its access, notices its behavior, or decommissions it.
How is AI agent sprawl different from shadow IT?
Shadow IT grows per purchase decision and is detectable through expense reports, CASB, and SSO logs. Agent sprawl grows per prompt, is created by employees, developers, and other agents, and acts autonomously with delegated credentials. Its blast radius chains through every system an agent can reach, and there is no mature detection standard beyond observing agent behavior at runtime.
How do you discover AI agents running in your organization?
Combine several signals rather than trusting self-registration. Mine credential issuance logs, since every agent needs API keys, OAuth grants, or service accounts to act. Watch egress points and API gateways for LLM traffic, MCP connections, and machine-speed request patterns. Instrument agent platforms to register creations automatically, then assign each discovered agent a named owner and an expiry date.
