Enterprises Face Rapid Agent AI Sprawl
Agent sprawl is an emerging operational risk that APS agencies deploying AI agents need governance controls for now, before scale compounds the problem.
Key points
- Gartner forecasts Fortune 500 enterprises could run over 150,000 AI agents by 2028, up from fewer than 15 in 2025.
- Agent sprawl creates unmanaged identities, credentials, and permissions - a governance and security control problem for any large organisation.
- Recommended controls - inventory, ownership, least-privilege access, lifecycle management, and telemetry - apply equally to government deployments.
Implications for Australian agencies
- Consider Agencies piloting or scaling agentic AI could assess whether current governance frameworks address agent identity, ownership, and lifecycle controls before deployments proliferate.
- Monitor Policy and ICT security teams may want to monitor whether Australian Government identity and access management standards (e.g. via ASD or DTA guidance) are updated to cover AI agent identities.
Implications are AI-generated. Starting points, not advice — see methodology for how they're framed.
View original source
Copied.
Appeared in:
Weekly digest, 29 June 2026
"Enterprises Face Rapid Agent AI Sprawl"
Source: Let's Data Science – AI Governance
Published: 4 July 2026
URL: https://letsdatascience.com/news/enterprises-face-rapid-agent-ai-sprawl-00d60b4d
A synthesis item drawing on Gartner, IBM, and Towards AI coverage of enterprise AI agent sprawl - the rapid, decentralised deployment of AI agents by business units without unified governance. Gartner forecasts Fortune 500 enterprises could average more than 150,000 agents by 2028, up from fewer than 15 today. The core risk mirrors service-account sprawl: untracked identities, inconsistent permissions, incomplete audit trails, and difficult incident reconstruction. Recommended practitioner responses include agent inventories, assigned ownership, least-privilege tool scopes, credential rotation, action logging, and defined retirement rules - controls applicable to any large organisation, including Commonwealth agencies beginning to deploy agentic AI.
Implications for Australian agencies:
- [Consider] Agencies piloting or scaling agentic AI could assess whether current governance frameworks address agent identity, ownership, and lifecycle controls before deployments proliferate.
- [Monitor] Policy and ICT security teams may want to monitor whether Australian Government identity and access management standards (e.g. via ASD or DTA guidance) are updated to cover AI agent identities.
Retrieved from SIMS, 18 July 2026.