Agent Sprawl Is the New Shadow IT

Shadow IT never fully goes away. Instead, it evolves. Fifteen years ago, I was writing about employees expensing Dropbox accounts, syncing SharePoint libraries to personal OneDrive instances, and building critical business processes on Box or elsewhere because the approved alternatives were too slow, too locked down, or just too frustrating to use. You may have locked a lot of that down on your company network, but I promise you that last week, someone on your team probably connected a third-party AI tool to their M365 account without filing a request.

IT has never fully solved shadow IT, but it has learned (mostly) to manage it through cloud access security brokers, DLP policies, and Conditional Access rules. The tooling has matured. The governance frameworks have gotten better. Organizations got reasonably good at knowing what was running.

The problem today is that the unauthorized applications can act autonomously, hold persistent credentials, access internal data sources, send messages on your behalf, and make decisions without asking anyone.

Welcome to agent sprawl.

What Agent Sprawl Actually Looks Like

It never starts with a decision. Nobody holds a meeting and announces that the organization will deploy seventeen ungoverned AI agents across six business units without IT’s knowledge. It starts with convenience.

A sales rep finds an AI browser extension that drafts follow-up emails. It connects to Dynamics through an OAuth flow and starts querying the customer database. A developer installs an AI coding assistant and links it to the internal Azure DevOps repo. A marketing team adopts a content platform that ingests SharePoint documents to “personalize” the output. An HR analyst uses a third-party summarization tool that happens to process compensation data.

Each adoption feels small, local, and reasonable. Six months later, dozens of disconnected agents are operating inside the same tenant — each with different data access, different credential scopes, different behaviors, and zero centralized oversight. Nobody knows what they can see. Nobody knows what they’re doing with it. In most organizations, nobody is asking.

That’s not a hypothetical. It’s the current state of most M365 environments that have enabled Copilot Studio or Power Platform without a corresponding governance framework.

Why This Is Different from the Shadow IT That’s Still Haunting You

Classic shadow IT is largely passive. An employee syncing files to a personal Box account is moving data somewhere IT can’t see — bad enough. But the data stays put once it gets there.

Agents are active. They don’t just store data — they process it, summarize it, generate outputs from it, send messages based on it, and in agentic configurations, take actions based on it. An agent with persistent access to your SharePoint environment isn’t a visibility problem. It’s a continuous process running under your organizational identity with unclear scope, unclear logging, and unclear accountability.

There’s also the lifecycle dimension. Shadow IT tools get deployed and forgotten, but they’re stationary. Agents can be updated or repurposed by vendors with no change management process on your end. The agent you approved last quarter may behave differently today.

And then there’s MCP. Model Context Protocol has become the standard for how agents connect to external tools and data. An agent tied to an MCP server exposing internal APIs creates an access chain IT may have no visibility into at all. Governed correctly, MCP is powerful. Governed casually, it’s an open window.

The Microsoft 365 Tenant Reality

Microsoft has shipped Agent 365 — a governance layer giving IT a centralized place to discover agents, apply policy, monitor behavior, and enforce identity controls via Entra ID Governance. The agent registry provides a unified inventory of agents in the tenant, including third-party agents. That went generally available in May 2026, and it’s meaningful infrastructure.

The honest read: Agent 365 is currently more visibility plane than control plane. IT can see what’s running. Enforcement levers for non-Microsoft agents operating in the tenant are still maturing. Knowing a rogue agent exists is useful. Stopping it from continuing to operate under broad credentials is a different capability — one that’s coming, but isn’t fully there yet.

The organizations that will be in good shape are those treating current visibility features as an early warning system, and using that window to build governance foundations before enforcement becomes possible.

What a Governed Response Looks Like

Start with an inventory. If you don’t know what’s running in your tenant, nothing else matters. Agent 365’s registry is your starting point for the Microsoft estate. Third-party agents that haven’t been formally registered require a different discovery approach — one most organizations haven’t built yet.

Establish an identity standard for agents. Every agent should operate under its own managed identity, scoped to the minimum access required. Agents running under human credentials are an accident waiting for a schedule.

Define the tiers. A SharePoint retrieval agent carries different risk than one that sends Teams messages or writes to your CRM. Microsoft’s own governance model differentiates by tool access tier. Know which category each agent falls into before deciding how much oversight it needs.

Close the MCP gap. Any MCP server exposing internal APIs should run through your API gateway, not sit as an implicit open connection. If you don’t know which MCP endpoints are active in your environment today, that’s your next audit item.
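One way to build the discovery step for third-party agents that arrived through an OAuth consent flow, and to tier them by the Graph scopes they hold, covering both the inventory and the tiering steps above. This is an added example using the Microsoft Graph PowerShell SDK, not code from the original post; the scope-to-tier lists and the "owned by another tenant" test for third-party apps are assumptions for illustration, not Microsoft's own tool-access tiers.

```powershell
# Added example: inventory delegated OAuth consent grants in the tenant and tier
# each connected app by the Graph scopes it was granted. Requires the
# Microsoft.Graph PowerShell SDK and a reader role in the tenant.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

# Assumed tier heuristic (illustrative, not Microsoft's model): anything that can
# write or send on a user's behalf is Tier 3, broad tenant-wide reads are Tier 2,
# everything else (narrow read access) is Tier 1.
$tier3 = @('Mail.Send', 'Mail.ReadWrite', 'Files.ReadWrite', 'Files.ReadWrite.All',
           'Sites.ReadWrite.All', 'Chat.ReadWrite', 'ChatMessage.Send')
$tier2 = @('Files.Read.All', 'Sites.Read.All', 'Mail.Read', 'Directory.Read.All', 'User.Read.All')

function Get-AgentTier {
    param([string[]]$Scopes)
    if ($Scopes | Where-Object { $tier3 -contains $_ }) { return 3 }
    if ($Scopes | Where-Object { $tier2 -contains $_ }) { return 2 }
    return 1
}

$tenantId = (Get-MgContext).TenantId

# Index every service principal by object id so grants can be resolved to an app.
$sps = @{}
Get-MgServicePrincipal -All | ForEach-Object { $sps[$_.Id] = $_ }

$report = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $client = $sps[$grant.ClientId]
    if (-not $client) { continue }
    # An app whose owning organization is not this tenant is a third-party connection.
    $thirdParty = $client.AppOwnerOrganizationId -and ($client.AppOwnerOrganizationId -ne $tenantId)
    $scopes = ($grant.Scope -split ' ') | Where-Object { $_ }
    [pscustomobject]@{
        App         = $client.DisplayName
        AppId       = $client.AppId
        ThirdParty  = [bool]$thirdParty
        ConsentType = $grant.ConsentType   # 'AllPrincipals' = admin consent; 'Principal' = one user consented
        Tier        = Get-AgentTier -Scopes $scopes
        Scopes      = ($scopes -join ' ')
    }
}

# Review the riskiest first: third-party apps holding broad-read or write/send scopes.
$report | Where-Object { $_.ThirdParty -and $_.Tier -ge 2 } |
    Sort-Object Tier -Descending |
    Format-Table App, ConsentType, Tier, Scopes -AutoSize
```

Grants with ConsentType 'Principal' on a third-party app are the individual-user OAuth connections described earlier; application (app-only) permissions are assigned separately as app role assignments and need a second pass.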

The Governance Irony

Organizations moving fast on agent deployment without governance aren’t actually moving fast. They’re borrowing velocity against a debt that compounds. The teams remediating after an oversharing incident or a data exposure triggered by an ungoverned agent aren’t ahead of their disciplined counterparts. They’re just doing the governance work later, under worse conditions, after something has already gone wrong.

The agents are already in your tenant. The only question is whether you know about them.

Christian Buckley

Christian is a Microsoft Regional Director and M365 MVP (focused on SharePoint, Teams, and Copilot), and an award-winning product marketer and technology evangelist, based in Dallas, Texas. He is a startup advisor and investor, and an independent consultant providing fractional marketing and channel development services for Microsoft partners. He hosts the #CollabTalk Podcast, #ProjectFailureFiles series, Guardians of M365 Governance (#GoM365gov) series, and the Microsoft 365 Ask-Me-Anything (#M365AMA) series.