The rapid, uncontrolled growth of AI agents inside corporations is creating a new, multi-faceted problem that pits productivity gains against rising security and cost risks.

The proliferation of autonomous AI agents, with a predicted 150,000 bots running in the average Fortune 500 enterprise within two years, is creating a significant management and cybersecurity challenge that threatens to overshadow productivity gains.
“Because everybody can do it, we’re probably going to end up with a lot of people having the same types of agents,” Michael Friedlander, chief information officer of the Americas at Magnum Ice Cream, told The Wall Street Journal, highlighting the decentralized nature of the problem.
Companies including Lyft, DaVita, and Fair Isaac (FICO) are already navigating this "AI agent sprawl," driven by the ease of creating bots with platforms like Anthropic’s Claude Cowork. Employees at kidney-care company DaVita have created over 10,000 AI agents. According to market research firm Gartner, only 13% of organizations believe they have adequate AI agent governance in place today.
This lack of governance creates a significant financial and security risk, with redundant agents driving up computing costs and misconfigured bots exposing sensitive internal systems—a threat Microsoft reports is already being actively exploited by attackers.
The core of the issue stems from the very accessibility that makes AI tools attractive. Platforms from companies like Anthropic and open-source frameworks like OpenClaw and Microsoft's AutoGen Studio make it simple for non-technical employees to build and deploy agents for tasks like summarizing emails, writing code, or analyzing data. At FICO, dozens of new agents are created daily across the company’s hierarchy, said CIO Mike Trkay.
While this can foster innovation, it also leads to chaos. Multiple agents may perform the same task, driving up token and computing costs unnecessarily. Worse, they can produce conflicting results from the same data, undermining decision-making. To manage this, DaVita has developed an internal platform to manage token costs and rein in underperforming agents, while Lyft is creating a centralized platform with IT controls.
The most severe risk of uncontrolled agent growth is in cybersecurity. According to Microsoft Defender for Cloud research, many AI deployments are rushed into production on cloud-native platforms like Kubernetes with weak or missing authentication. These "exploitable misconfigurations" create low-effort, high-impact attack paths.
Researchers found popular open-source AI tools deployed with insecure defaults. Mage AI, a data and AI pipeline platform, was found to expose a web UI with no authentication that allowed for arbitrary code execution with cluster-admin privileges. While the issue has since been patched, it was observed being actively exploited in the wild. Similarly, the kagent framework for running AI agents on Kubernetes was found to lack authentication by default, allowing anonymous users to deploy malicious workloads if the application was publicly exposed.
Exposures like these let attackers achieve remote code execution, steal credentials, and reach sensitive internal tools and data without any zero-day exploit: the weakness is a missing or default-off authentication setting, not a flaw in the code. Microsoft found that 15% of remotely deployed Model Context Protocol (MCP) servers, the components that let agents call external tools, accepted unauthenticated requests, in some cases granting anonymous access to internal HR systems and private code repositories.
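A check a defender can run against the unauthenticated-MCP finding above, added here as an example (it is not Microsoft's tooling or code from the article): it sends the MCP Streamable HTTP handshake, `initialize` followed by `tools/list`, with no Authorization header and classifies the reply. The request shapes follow the MCP specification as I understand it; the handshake is minimal and skips the `notifications/initialized` message, so a strict server may answer `tools/list` with a JSON-RPC error, which lands in the safe `indeterminate` bucket rather than a false "exposed". The endpoint URL, sample responses and tool names are constructed for illustration.

```python
"""Audit check: does a remotely reachable MCP server hand its tool inventory
to an anonymous caller? JSON-RPC over POST per the MCP Streamable HTTP
transport; the Authorization header is deliberately omitted."""
import json
import urllib.error
import urllib.request
from typing import Optional

INITIALIZE = {
    "jsonrpc": "2.0", "id": 1, "method": "initialize",
    "params": {"protocolVersion": "2025-03-26", "capabilities": {},
               "clientInfo": {"name": "mcp-auth-audit", "version": "0.1"}},
}
TOOLS_LIST = {"jsonrpc": "2.0", "id": 2, "method": "tools/list", "params": {}}


def _payload(body: str) -> str:
    """Return the JSON text from a plain JSON body or from an SSE body
    (Streamable HTTP servers may answer 'event: message' / 'data: {...}')."""
    data = [ln[5:].strip() for ln in body.splitlines() if ln.startswith("data:")]
    return "".join(data) if data else body


def classify(status: int, body: str) -> tuple[str, list[str]]:
    """Turn the anonymous tools/list response into (verdict, tool names).

    'auth-enforced'  401/403: the server refused the anonymous request
    'exposed'        200 with a tools array: anyone who can reach the endpoint
                     can enumerate (and very likely invoke) the tools behind it
    'indeterminate'  anything else (404, JSON-RPC error, unparsable body)
    """
    if status in (401, 403):
        return "auth-enforced", []
    if status != 200:
        return "indeterminate", []
    try:
        msg = json.loads(_payload(body))
    except json.JSONDecodeError:
        return "indeterminate", []
    tools = msg.get("result", {}).get("tools") if isinstance(msg, dict) else None
    if isinstance(tools, list):
        return "exposed", [t.get("name", "?") for t in tools if isinstance(t, dict)]
    return "indeterminate", []


def _post(url: str, msg: dict, session: Optional[str]) -> tuple[int, str, Optional[str]]:
    """POST one JSON-RPC message with no credentials; return (status, body, session id)."""
    headers = {"Content-Type": "application/json",
               "Accept": "application/json, text/event-stream"}
    if session:
        headers["Mcp-Session-Id"] = session
    req = urllib.request.Request(url, data=json.dumps(msg).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return (resp.status, resp.read().decode(errors="replace"),
                    resp.headers.get("Mcp-Session-Id"))
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace"), None


def probe(url: str) -> tuple[str, list[str]]:
    """Live check against one MCP endpoint, e.g. probe('http://10.0.3.14:8000/mcp')."""
    status, body, session = _post(url, INITIALIZE, None)
    if status in (401, 403):
        return "auth-enforced", []
    status, body, _ = _post(url, TOOLS_LIST, session)
    return classify(status, body)


# Constructed sample responses (not captured from any real server) for offline use.
SAMPLE_EXPOSED = ('{"jsonrpc":"2.0","id":2,"result":{"tools":['
                  '{"name":"lookup_employee","description":"HR record by id"},'
                  '{"name":"read_repo_file","description":"read a file from the private repo"}]}}')
SAMPLE_EXPOSED_SSE = "event: message\ndata: " + SAMPLE_EXPOSED + "\n\n"
SAMPLE_RPC_ERROR = ('{"jsonrpc":"2.0","id":2,"error":{"code":-32600,'
                    '"message":"Bad Request: session required"}}')

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:          # e.g. python mcp_audit.py http://10.0.3.14:8000/mcp
        print(target, *probe(target))
```

Run it from a host that can reach the same network the agents use; an `exposed` verdict with HR or repository tool names in the list is exactly the condition described above, and the fix is on the server side (enable the platform's authentication or put the endpoint behind an authenticating proxy), not in the agent.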
To counter the sprawl, security experts recommend a "defense in depth" strategy focused on the application layer, where builders have the most control. This approach moves beyond relying on the probabilistic safety features of the AI model itself and implements structural controls in how agents are built and governed.
Microsoft security architects advocate for four key design patterns. First, designing agents like microservices, with narrow responsibilities and isolated permissions, to limit the blast radius of any single compromise. This counters the "everything agent" failure mode, where one bot has overly broad access.
Second is enforcing a policy of least privilege, where agents start with zero permissions and are only explicitly granted access to the specific tools and data required for a task. Third, implementing deterministic human-in-the-loop (HITL) reviews for high-stakes decisions. Crucially, the triggers for human review should be defined in code and enforced by the application, not left to the agent's own reasoning.
Finally, establishing agent identity as a core security primitive is critical. Each agent must have a unique, verifiable identity, separate from the user who created it. This allows for granular permissions, lifecycle governance, and clear audit trails, ensuring that as thousands of agents are deployed, their actions can be tracked, managed, and, if necessary, revoked.
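The four patterns above (narrow, isolated agents; zero permissions until explicitly granted; human-review triggers enforced in code; an agent identity distinct from its creator) can all be enforced at a single choke point: a tool gateway that every agent call passes through, so the agent never holds tool credentials itself. The following is an added illustration, not Microsoft's or any vendor's code and not from the article; the two tools, the owner names, the refund threshold and the account identifiers are hypothetical.

```python
"""Tool gateway enforcing agent identity, least privilege, code-defined
human-in-the-loop triggers, revocation and an audit trail."""
from dataclasses import dataclass, field
from typing import Any, Callable, Optional
import uuid


class PolicyDenied(Exception):
    """The gateway refused the call before any tool ran."""


class ApprovalRequired(Exception):
    """A code-defined HITL trigger fired and no human approval was supplied."""


@dataclass
class AgentIdentity:
    agent_id: str                     # the agent's own identity, not its creator's
    owner: str                        # who created it: lifecycle governance and audit only
    allowed_tools: set = field(default_factory=set)   # starts empty: zero permissions
    revoked: bool = False


# Hypothetical internal tools standing in for an HR lookup and a payments action.
def lookup_employee(employee_id: str) -> dict:
    return {"employee_id": employee_id, "department": "clinic-ops"}


def issue_refund(account: str, amount: float) -> str:
    return f"refund of {amount:.2f} issued to {account}"


TOOLS: dict = {"lookup_employee": lookup_employee, "issue_refund": issue_refund}


class ToolGateway:
    def __init__(self) -> None:
        self.registry: dict = {}      # agent_id -> AgentIdentity
        self.audit_log: list = []     # append-only record of every decision
        self.hitl_rules: dict = {}    # tool -> predicate over kwargs; True => human must approve

    def register(self, owner: str) -> AgentIdentity:
        ident = AgentIdentity(agent_id=f"agent-{uuid.uuid4()}", owner=owner)
        self.registry[ident.agent_id] = ident
        return ident

    def grant(self, agent_id: str, tool: str) -> None:
        if tool not in TOOLS:
            raise KeyError(tool)
        self.registry[agent_id].allowed_tools.add(tool)   # explicit, per-tool grant

    def revoke(self, agent_id: str) -> None:
        self.registry[agent_id].revoked = True            # identity stays for audit, loses all access

    def require_approval(self, tool: str, predicate: Callable[[dict], bool]) -> None:
        self.hitl_rules[tool] = predicate                 # trigger lives in code, not in the prompt

    def _audit(self, agent_id: str, tool: str, decision: str, **extra: Any) -> None:
        self.audit_log.append({"agent_id": agent_id, "tool": tool, "decision": decision, **extra})

    def call(self, agent_id: str, tool: str, approved_by: Optional[str] = None, **kwargs: Any) -> Any:
        ident = self.registry.get(agent_id)
        if ident is None or ident.revoked:                # 1. identity must exist and be live
            self._audit(agent_id, tool, "denied", reason="unknown or revoked identity")
            raise PolicyDenied(f"{agent_id}: unknown or revoked identity")
        if tool not in ident.allowed_tools:               # 2. least privilege: allowlist only
            self._audit(agent_id, tool, "denied", reason="tool not granted")
            raise PolicyDenied(f"{agent_id} is not granted {tool}")
        rule = self.hitl_rules.get(tool)                  # 3. deterministic HITL check
        if rule is not None and rule(kwargs) and approved_by is None:
            self._audit(agent_id, tool, "held", reason="human approval required")
            raise ApprovalRequired(f"{tool}({kwargs}) needs a human approver")
        result = TOOLS[tool](**kwargs)                    # 4. execute and record who/what/why
        self._audit(agent_id, tool, "executed", approved_by=approved_by, owner=ident.owner)
        return result


def demo() -> list:
    """Walk one agent through the controls; returns the audit decisions in order."""
    gw = ToolGateway()
    gw.require_approval("issue_refund", lambda a: a["amount"] > 500)   # hypothetical threshold
    bot = gw.register(owner="team-finance-ops")
    for attempt in (
        lambda: gw.call(bot.agent_id, "lookup_employee", employee_id="E-1001"),  # no grant yet
        lambda: gw.grant(bot.agent_id, "lookup_employee"),
        lambda: gw.grant(bot.agent_id, "issue_refund"),
        lambda: gw.call(bot.agent_id, "lookup_employee", employee_id="E-1001"),
        lambda: gw.call(bot.agent_id, "issue_refund", account="ACC-7", amount=40.0),
        lambda: gw.call(bot.agent_id, "issue_refund", account="ACC-7", amount=5000.0),  # held
        lambda: gw.call(bot.agent_id, "issue_refund", account="ACC-7", amount=5000.0,
                        approved_by="reviewer-alice"),
        lambda: gw.revoke(bot.agent_id),
        lambda: gw.call(bot.agent_id, "lookup_employee", employee_id="E-1001"),  # revoked
    ):
        try:
            attempt()
        except (PolicyDenied, ApprovalRequired):
            pass
    return [entry["decision"] for entry in gw.audit_log]


if __name__ == "__main__":
    print(demo())
```

The point of the `held` path is that the agent's reasoning is never consulted: the predicate runs in the gateway on the actual arguments, so a prompt injection that talks the model into "this refund is pre-approved" still stops at the same line. Revocation keeps the identity record so the audit trail stays attributable after the agent is retired.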
This article is for informational purposes only and does not constitute investment advice.