Agent Sprawl: When too many AI agents in business departments spiral out of control

Every department builds its own AI agent, and no one has an overview. Why agent sprawl is a control problem, not an AI problem.

Hand-drawn sketch: many robot arms sprout from a desk, one hand holds a single connecting thread

Marketing has built itself a chatbot that pre-sorts inquiries from the contact form. Sales uses a Copilot agent for quote texts. Accounting is testing an n8n workflow that automatically checks incoming invoices. Every department has started its own small AI project, and no one in management knows the complete list.

That's exactly what the term agent sprawl describes, and it has long since stopped being a niche topic for the IT departments of large corporations. Mid-sized companies in Germany are now facing the same question: how many AI agents are already running, who built them, and who is allowed to switch them off again?

What agent sprawl actually means, and why the numbers are growing so fast

Agent sprawl refers to the uncontrolled, decentralized proliferation of AI agents within a company, where individual departments set up their own automations without any central overview or responsibility existing. According to a recent IBM survey large companies will have an average of more than 1,600 AI agents in use by the end of 2026. At the same time, only 18 percent of the organizations surveyed maintain a current, complete inventory of these agents, and only 12 percent have a central platform to manage the proliferation. Seven out of ten executives also state that their existing AI governance no longer matches actual usage.

This dynamic is also confirmed by the study "State of AI Agent Development 2026" with 1,900 IT decision-makers surveyed worldwide: 94 percent of organizations are concerned that the spread of AI agents increases complexity, technical debt, and security risks, while in turn only 12 percent have a central control platform. 38 percent also mix self-built and purchased agents in an uncoordinated way, leading to fragmented AI landscapes.

How big is the security risk when no one bears responsibility?

The real risk of agent sprawl lies not in the AI itself, but in the lack of assigned responsibility for what an agent is allowed to do. The "State of AI Agent Security Report" (April 2026 edition, 750 technology leaders surveyed in the UK and the US) shows that on average only 52 percent of agents running in production are monitored at all, meaning 48 percent have largely unsupervised access to systems and data. Only 7.2 percent of organizations name a single person formally responsible for the behavior of AI agents; the rest describe responsibilities as unclear, shared, or simply never discussed. 54 percent of respondents already report suspected or confirmed security incidents related to AI agents. The report's publisher, Gravitee, calls this the confidence-reality gap: 91.8 percent of companies consider themselves well positioned on security, while the actual monitoring rate is just over half.

Also, Gartner now takes the topic so seriously that in April 2026 its analysts published their own six-step plan against AI agent sprawl. When an analyst firm gives a phenomenon its own name and its own methodology, the point has been reached where "we'll look at that later" is no longer a defensible stance.

Why individual departmental tools make the problem worse instead of solving it

The obvious first reflex, giving every department its own AI tool quickly so it is relieved, is exactly the mechanism that creates agent sprawl. Every additional agent without central oversight is an additional access point to customer data, systems, and processes that no one fully oversees anymore, and a piece of technical debt that someone will eventually have to clean up. This is not a rejection of AI agents; it is a rejection of AI agents without a plan.

As we already described in "AI Maturity in the German Mittelstand", the risk rarely arises from the technology itself, but from missing rules. From our project experience in the Mittelstand, agent sprawl almost always arises from good intentions: a team wants to deliver quickly, has no access to a central IT resource, and builds something itself using a chat tool or a no-code platform. After a year, no one knows exactly anymore which of the three resulting agents has access to which CRM, and who would actually be allowed to switch it off.

What control means in practice, before the next agent goes live

At NordFlux, we therefore never consider automation and AI agents in isolation from the rest of the IT landscape. Before every new agent, we ask ourselves the same question: who in the company is responsible for this system, what data is it allowed to see, and how is its behavior logged and regularly reviewed? That is exactly the core of our positioning: you retain control. Not rolling out as many agents as possible as quickly as possible, but introducing every agent in a way that stays traceable and ultimately leaves the decision to a human.

In our AI consulting the first session is therefore always a stocktaking: which AI tools are already running in the departments, often without management knowing, and how a structure can be built from this that grows along without losing the overview. Anyone who wants to invest directly in individual AI agents should still do this stocktaking first. Otherwise the next agent will just be another data point in the next sprawl study.

Frequently asked questions

What distinguishes agent sprawl from ordinary software sprawl?

With classic software sprawl, unused licenses and tools accumulate. Agent sprawl goes further, because every agent acts independently, accesses data, and makes decisions without anyone continuously reviewing these actions.

From how many AI agents onward should a company maintain a central overview?

From the first productively deployed agent outside the IT department. An overview with purpose, data access, and responsible party can be set up for one agent in an hour; for fifty, it's barely possible to do retroactively.

Who in the Mittelstand should take responsibility for AI agents?

It doesn't need a new department, but a named person, usually from management or IT leadership, who knows, approves, and regularly reviews every new agent. According to the Gravitee report, this assignment is missing today at more than 90 percent of companies.

Does central AI governance prevent quick solutions in the departments?

No, if the framework is established beforehand instead of being cleaned up afterward. A clearly documented approval process often takes less time than a department otherwise loses testing uncoordinated tools.

About NordFlux

NordFlux UG (haftungsbeschränkt)

NordFlux builds digital employees for organisations: automations and AI agents that take over repetitive work. You stay in control.

More about us
Read more

Related posts

Free initial analysis

Concrete questions about automation or AI?

In a free initial analysis we discuss your case directly. No strings attached.

Agent Sprawl: Getting AI agents under control