Skip to main content
William Shane Burrell William Shane Burrell
12 min read

Agent Sprawl Is the New Shadow IT: Why AI Adoption Needs Platform Engineering

Agentic AI is moving from pilots into production workflows, creating a new form of shadow IT. Technical leaders need platform engineering discipline to manage AI agents with governance, context standards, validation, observability, and cost control.

Agent Sprawl Is the New Shadow IT: Why AI Adoption Needs Platform Engineering

A lot of companies think they are adopting AI.

What they are really doing is creating a new layer of shadow IT.

That may sound harsh, but it is the pattern I am seeing emerge as AI agents move from experiments into real work. Engineers are using agents to write code, review pull requests, generate tests, inspect infrastructure, summarize incidents, create documentation, triage bugs, query internal systems, and explore unfamiliar codebases. Product and operations teams are using them to analyze customer feedback, draft communications, prepare reports, and automate routine decisions.

Some of that work is genuinely valuable. I am not arguing for slowing down AI adoption or pushing everything through a committee. That would be the wrong lesson.

The problem is not that people are using agents. The problem is that many organizations are letting agentic work spread without the operating model needed to make it safe, repeatable, measurable, and trustworthy.

In 2026, the cutting edge AI problem is no longer simply access to a better model or a better assistant. Those tools are everywhere. The harder problem is turning scattered AI usage into organizational capability.

That is a platform engineering problem.

The New Shadow IT Is Not SaaS, It Is Agents

Years ago, technology leaders worried about shadow IT in the form of unapproved SaaS tools. A team needed to move faster, so someone bought a tool on a credit card. It solved a local problem. Then another team did the same thing. Before long, the company had sensitive data in systems nobody owned, duplicate tools doing similar work, unclear access controls, unexpected costs, and no consistent way to manage risk.

Agentic AI is creating a similar pattern, but with a more complicated surface area.

An AI agent is not just another application. It can read context, transform data, call tools, generate code, propose changes, interact with systems, and sometimes take action. That makes it powerful. It also means the risk profile is different from a simple productivity app.

With SaaS sprawl, the question was often, “Where is our data going?”

With agent sprawl, the questions multiply:

  • What data can this agent see?
  • What tools can it call?
  • What actions can it take?
  • What assumptions did it make?
  • Who reviewed the output?
  • What validation happened before the result was trusted?
  • How much did the workflow cost?
  • Can another person reproduce the result?

Those are not theoretical concerns. They show up quickly once AI moves beyond personal experimentation and starts touching delivery systems, infrastructure, customer operations, and internal decisions.

The uncomfortable truth is that many organizations do not actually know how AI-assisted work is happening inside their teams. They know which tools they bought. They may know how many licenses are active. They may even have a policy document somewhere.

But they often cannot describe the real workflows.

That is the gap.

Why Agent Sprawl Happens

Agent sprawl happens because the local incentives are obvious before the organizational risks are visible.

An engineer tries an agent on a refactor and saves hours. A support lead uses one to summarize customer issues and gets a cleaner weekly report. A platform engineer uses one to inspect Terraform drift and produce a remediation plan. A product manager uses one to analyze release notes and customer feedback.

Each of those decisions makes sense locally.

That is why sprawl is hard to stop after it starts. People are not adopting AI because they are careless. They are adopting it because it works often enough to become useful.

The usual forces are predictable:

  • The tools are easy to start using.
  • Individual productivity gains are visible immediately.
  • Teams optimize for local speed.
  • Governance arrives after the workflow already exists.
  • Security review focuses on vendors more than day-to-day behavior.
  • Cost tracking lags behind usage.
  • Leaders mistake tool adoption for capability.

The last point matters most.

Buying tools is not the same as building capability. A team can have access to excellent AI agents and still have no repeatable AI operating model. A few high-performing users may get impressive results, but the organization cannot scale those results because the knowledge lives in individual habits, private prompts, undocumented context, and personal judgment.

That is not capability. That is dependency.

The Failure Mode: Fast Work With High Variance

The biggest risk in unmanaged AI adoption is not that every output is bad. If that were true, the problem would solve itself.

The real risk is that some outputs are excellent, some are mediocre, some are subtly wrong, and the organization cannot consistently tell the difference without leaning harder on its best people.

That creates fast work with high variance.

At first, the speed feels like the whole story. Tickets move faster. Documents appear faster. Code changes arrive faster. Incident summaries get written faster. The organization feels more productive.

Then the second-order effects show up.

Context varies from person to person. One engineer gives the agent architectural constraints, runbooks, test expectations, and examples of good patterns. Another gives a vague task and accepts the first result. One team restricts sensitive data. Another pastes more context than it should. One workflow includes test generation and review. Another treats the agent’s answer as nearly final.

The same tool produces very different outcomes because the workflow around the tool is different.

That is where the hidden cost appears:

  • Senior engineers spend more time reviewing AI-generated work that arrived faster than it can be trusted.
  • Security boundaries become a matter of individual judgment instead of system design.
  • Infrastructure changes are proposed without consistent rollback thinking.
  • Documentation gets produced, but nobody knows whether it reflects reality.
  • Product and operations teams make decisions from summaries without understanding source quality.
  • Model usage, SaaS seats, inference costs, and review overhead become another unexplained bill.

This is why speed alone is not the win.

The real win is repeatable speed with lower variance.

If AI helps one person move ten times faster but the organization cannot reproduce the pattern, the value is fragile. If AI helps an entire team move faster with visible context, clear validation, appropriate guardrails, and measurable outcomes, that becomes operating leverage.

The difference is not the model. It is the system around the model.

AI Adoption Is Becoming Platform Engineering

The answer to agent sprawl is not to freeze adoption. It is to platform it.

Platform engineering emerged because organizations learned that cloud, DevOps, CI/CD, infrastructure as code, and self-service delivery do not scale safely when every team invents its own path from scratch. The goal was never to remove autonomy. The goal was to make the right path easier than the unsafe path.

That same idea now applies to AI-assisted work.

If AI agents are going to touch code, infrastructure, data, support, documentation, and operational decisions, then leaders need more than a policy. They need a platform mindset.

That means treating AI adoption as an internal product and operating model, not a collection of disconnected tools.

The translation is straightforward:

Golden paths become approved AI workflows. Instead of asking every team to invent its own way to use agents, define supported patterns for common work: bug triage, test creation, incident summaries, refactoring, infrastructure review, release notes, documentation updates, and operational analysis.

Infrastructure standards become context standards. AI output improves when the right context is packaged consistently. Repositories, runbooks, architectural boundaries, service ownership, coding conventions, security rules, and deployment constraints should not depend on one person’s memory.

CI/CD gates become validation gates. AI-generated work needs explicit checks: tests, policy validation, security review, human approval, rollback criteria, and evidence that the output was evaluated against the right standard.

Observability becomes AI workflow telemetry. Leaders need visibility into which workflows are being used, where they succeed, where they fail, how much they cost, and whether they improve actual delivery outcomes.

Platform product thinking becomes developer experience for AI. If the approved path is painful, people will route around it. The goal is not bureaucracy. The goal is to make disciplined AI-assisted work easier than improvisation.

This is where many organizations will either compound advantage or create drag.

Teams that treat AI adoption as a loose tool rollout will get pockets of productivity and pockets of risk. Teams that treat it as a platform capability will build reusable patterns that improve every time they are used.

What Leaders Should Standardize First

The mistake is trying to standardize everything at once.

That approach usually turns into policy theater: long documents, broad principles, and very little impact on how work actually happens.

Start with the recurring workflows where AI is already being used or where the payoff is obvious. Then define the minimum operating model needed to make those workflows repeatable.

There are five areas I would standardize first.

1. Task Patterns

Define the classes of work where AI assistance is encouraged, supported, and measured.

Good starting points include:

  • bug triage
  • test generation
  • refactoring support
  • documentation updates
  • incident summaries
  • pull request preparation
  • infrastructure review
  • migration planning
  • release readiness checks

The key is specificity. “Use AI to be more productive” is not a standard. “Use this workflow to investigate a production bug, gather context, propose a fix, run tests, and document validation” is a standard.

2. Context Packages

Most poor AI output starts with poor context.

For each supported task pattern, decide what context should always be available:

  • relevant code paths
  • system boundaries
  • service ownership
  • coding conventions
  • runbooks
  • deployment constraints
  • security requirements
  • observability links
  • acceptance criteria

This reduces dependence on individual prompting skill. It also helps the organization preserve knowledge that would otherwise stay trapped in the heads of senior people.

3. Access Controls

Agents need boundaries.

Leaders should be explicit about what agents can read, what they can write, what tools they can call, what data they can handle, and when they must escalate to a human.

This matters because agentic systems blur familiar lines. A coding assistant that only suggests code is one thing. An agent that can inspect logs, query internal systems, open pull requests, update tickets, or invoke infrastructure tools is another.

The more action an agent can take, the more the organization needs identity, permissions, auditability, and approval design.

4. Validation Rules

Every supported AI workflow should answer a simple question:

What has to be true before we trust this output?

For code, that may mean tests, linting, security review, architecture review, and human approval. For incident summaries, it may mean source links, timeline validation, and owner review. For infrastructure changes, it may mean plan output, policy checks, blast radius assessment, rollback steps, and staged rollout.

Validation is where AI adoption either earns trust or loses it.

If leaders skip this layer, AI work may appear faster while quietly increasing review burden and operational risk.

5. Measurement

Do not measure AI adoption by license count.

That is one of the least useful metrics available. It tells you who has access, not whether the organization is better.

Measure outcomes instead:

  • cycle time by workflow
  • review load on senior engineers
  • escaped defects
  • change failure rate
  • incident duration
  • documentation freshness
  • developer satisfaction
  • adoption of approved workflows
  • cost per workflow
  • time saved on repeatable tasks

The goal is not to prove AI is exciting. The goal is to prove it changes the economics of work without lowering quality, security, or trust.

The Executive Test

Here is a simple diagnostic for leaders:

If your best AI-enabled engineer, platform lead, or product operator left tomorrow, could the rest of the organization reproduce their workflow?

If the answer is no, you probably do not have AI capability yet.

You have individual heroics with better tools.

That distinction matters because leadership teams often confuse impressive anecdotes with organizational maturity. A few people can produce remarkable results with AI. I have seen it firsthand. But unless those results can be taught, repeated, governed, measured, and improved, they remain fragile.

Capability looks different.

Capability means a new team member can follow an approved AI workflow and get a reasonable result. It means senior engineers review higher-quality work instead of cleaning up avoidable mistakes. It means leaders can see where AI is helping and where it is creating noise. It means security and data boundaries are built into the workflow, not left to memory. It means costs are visible enough to manage.

Most importantly, capability means the organization gets better over time.

Each good workflow becomes a template. Each failure improves the guardrails. Each review strengthens the standard. Each repeated task becomes easier to execute with less setup cost and lower variance.

That is how AI stops being a personal productivity hack and becomes an operating advantage.

Do Not Stop the Agents. Platform Them.

There will be a temptation in some organizations to respond to agent sprawl with heavy-handed control.

That would be a mistake.

The answer is not to slow everything down until AI feels safe. The answer is to make the safe path fast enough that teams want to use it.

That is the core platform engineering lesson. Developers do not adopt golden paths because leaders write policies about them. They adopt them because the golden path saves time, reduces friction, and helps them get reliable work into production.

AI adoption needs the same discipline.

Give teams supported workflows. Package the right context. Define tool and data boundaries. Build validation into the path. Make usage and cost visible. Measure outcomes. Improve the system as teams learn.

The organizations that win in 2026 will not be the ones with the most agents, the most licenses, or the loudest AI strategy.

They will be the ones that turn agentic work into a governed, observable, repeatable operating capability.

That is the difference between adopting AI and building leverage from it.

The Five Critical Takeaways

  1. Agent sprawl is becoming the new shadow IT. AI agents are spreading through real workflows faster than many operating models can absorb.
  2. Tool access is not capability. Capability requires repeatable workflows, context standards, validation, measurement, and ownership.
  3. The biggest unmanaged risk is high variance. AI can create fast work that is hard to trust, reproduce, or scale.
  4. AI adoption now needs platform engineering discipline. Golden paths, guardrails, telemetry, and developer experience apply directly to agentic work.
  5. Measure outcomes, not enthusiasm. License counts and anecdotes matter less than cycle time, quality, review burden, incident impact, cost, and trust.

Before your organization adds another agent, ask a better question:

Which recurring workflows should become easy, safe, visible, and repeatable with AI support?

That is where the real advantage will be built.

Building AI-enabled workflows, agent guardrails, or an operating model that helps teams move faster without sacrificing quality, security, or trust? Connect with me on LinkedIn to compare approaches and discuss practical AI adoption.