Two weeks ago, we wrote about four supply chain attacks in three weeks. Last week, Microsoft made Agent 365 generally available, a product whose entire reason for existing is that nobody in your company knows how many AI agents are running inside it. Those two things are related.
For most of the mid-market companies we work with, the agent fleet has grown faster than the policy that governs it. An engineer wires up a Claude Code workflow on Monday. A product manager installs a Notion agent on Tuesday. A sales rep authorizes a meeting notes agent on Wednesday. By Friday, there are six new identities operating against company data with no clear owner. We have seen this pattern in client after client. It is a near-perfect repeat of the SaaS sprawl story from a decade ago, compressed into a quarter.
Why AI Agent Sprawl Is Worse Than SaaS Sprawl
SaaS sprawl was bad. Agent sprawl is worse, for three specific reasons.
Agents act on your behalf. A rogue SaaS subscription wastes money. A rogue agent with a stale API token can read, write, send, or delete on behalf of an identity that almost certainly has more access than it needs. The blast radius of a misconfigured agent is the union of every system its credentials can touch, and that union is usually larger than the person who set it up realized. This is not theoretical. The Vercel breach we covered last month started with a single compromised AI tool used by one employee. That one tool gave attackers a path into Google Workspace, which gave them access to internal systems and potentially npm and GitHub tokens.
Agents call other agents. The architecture we described in our post on agent loops is now a production reality for many teams. An MCP server your developer installed last month is being called by a coding assistant that is being orchestrated by a planning agent. Each link in that chain is a place where a credential is reused, a permission is borrowed, or a payload is logged somewhere nobody checks. You cannot draw the data flow diagram because nobody knows what the data flow diagram looks like.
The install base is invisible by default. Most agents are not deployed from a central catalog. They live in editor configs, browser extensions, personal API keys, and developer laptops. The traditional inventory tools (MDM agents, network sensors, SSO logs) all miss them or see only a partial picture. Microsoft's Agent 365 GA announcement specifically calls out discovery of local agents running on Windows endpoints, including third-party tools like OpenClaw and Claude Code, as a core capability. They built that feature because the visibility gap is real, and their enterprise customers told them it was the first problem to solve.
The Microsoft Agent 365 Signal
Microsoft Agent 365 went GA on May 1, 2026, at $15 per user per month as a standalone product, or bundled into the new Microsoft 365 E7 suite at $99 per user per month. E7 wraps E5, Copilot, Entra Suite, and Agent 365 into a single SKU. The product is built around three pillars: observe (a centralized registry of every agent in your tenant), govern (policy-based controls on what agents can and cannot do), and secure (runtime threat detection through Microsoft Defender, with the tools gateway capability currently in public preview). Registry sync with AWS Bedrock and Google Gemini Enterprise Agent Platform is also in public preview at GA, a tacit admission that nobody is going to standardize on a single platform.
You may or may not buy Agent 365. That is not the point. The point is that the largest enterprise software vendor in the world just shipped a product because the problem is real and the existing tools do not solve it. The next phase of the roadmap includes governance coverage for GitHub Copilot CLI and Anthropic's Claude Code, pulling third-party developer agents under the same Defender and Intune controls that manage first-party Microsoft tools. They are building toward a world where every agent on a managed Windows device, regardless of vendor, is visible to IT. That ambition only makes sense if the current state of invisible, unmanaged agents is widespread enough to justify a $15 per user per month product.
If you are running a 50 to 500-person company and your security posture assumes "nobody here is doing anything weird with AI yet," that assumption is already wrong. The question is what you do about it before someone else forces the answer.
AI Agent Governance Inventory You Can Run This Week
Before you buy a governance product, you need to know what you are looking at. The reason most companies do not have an agent inventory is not that they lack tools. It is that the tools they have were designed for a world where every identity was either a person or a service account provisioned through IT. Agents are neither. They are spawned by individuals, run with borrowed credentials, and often operate in environments (local IDEs, browser extensions, personal cloud accounts) that corporate security never sees.
Here is the inventory pass we run with clients during engagement audits. It works whether or not you ever cut a check to a vendor.
- Pull every API key issued in the last 90 days. From OpenAI, Anthropic, Google, AWS Bedrock, and any other model provider you have a billing relationship with. Group by owner. Any key unused for 30 days gets rotated or revoked. Any key without a clearly identified owner gets the same treatment. This single step usually surfaces a third of the agents your security team did not know about.
- Audit MCP server installs across engineering laptops. If your team uses Claude Code, Cursor, or any modern coding assistant, MCP servers are the new browser extensions. Each one is code your engineers ran on their machine, often with access to a token, a database, a file system, or all three. List every MCP server configured across the team and ask who installed it and why. The list will be longer than you expect.
- Map agent-to-data dependencies. For every agent on the inventory, document what data it can read and what actions it can take. Customer records, source code, payment data, calendars, email, internal Slack, production databases. You are looking for agents whose blast radius does not match the criticality of the use case. The meeting-notes agent that can read your entire engineering Slack does not need to read your entire engineering Slack.
- Flag the chained agents. Any agent that calls another agent or tool is a chain. Document the credentials at each hop, the prompts at each hop, the data at each hop. If a chain crosses a trust boundary (a public model service calling an internal database, for example), that chain gets reviewed first. This is the pattern that made the supply chain attacks we documented so damaging: attackers exploit the handoff between trusted systems.
- Classify every agent as sanctioned, tolerated, or banned. This is a policy step, not a tooling step. Sanctioned agents have an owner, a documented purpose, scoped credentials, and a renewal date. Tolerated agents are personal productivity tools that do not touch regulated data, and the owner accepts responsibility for them. Banned agents touch regulated data without the controls that the rest of your stack has to meet. You will not get this list right on the first pass. Get it written down anyway.
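The inventory pass above, turned into a small triage script. This is an added example, not code from the original post; the record fields, the `REGULATED` set, the trust-zone labels, the "unclassified" verdict for unowned agents, and the sample fleet are all assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

REGULATED = {"customer_records", "payment_data"}  # assumption: your regulated data classes

@dataclass
class Agent:
    name: str
    owner: str | None            # None = nobody claims it
    purpose: str | None          # documented purpose
    scoped: bool                 # credentials limited to the use case
    renewal: date | None         # renewal date
    key_last_used: date
    data: set[str]               # data classes the agent can reach
    zone: str = "internal"       # trust zone: "internal" or "public"
    calls: list[str] = field(default_factory=list)  # downstream agents and tools

def key_action(a: Agent, today: date) -> str:
    if not a.owner:  # step 1: a key without a clear owner is rotated or revoked
        return "revoke:no-owner"
    return "revoke:idle" if (today - a.key_last_used).days >= 30 else "keep"

def classify(a: Agent) -> str:
    # Step 5: sanctioned needs owner, purpose, scoped credentials and a renewal date.
    if a.owner and a.purpose and a.scoped and a.renewal:
        return "sanctioned"
    if a.data & REGULATED:
        return "banned"
    return "tolerated" if a.owner else "unclassified"  # assumption: no owner, no verdict

def boundary_hops(agents: list[Agent]) -> list[tuple[str, str]]:
    zone = {a.name: a.zone for a in agents}  # step 4; an uninventoried callee counts as crossing
    return [(a.name, c) for a in agents for c in a.calls if zone.get(c) != a.zone]

def review(agents: list[Agent], today: date) -> list[tuple]:
    crossing = {n for hop in boundary_hops(agents) for n in hop}
    rows = [(a.name, classify(a), key_action(a, today), a.name in crossing) for a in agents]
    return sorted(rows, key=lambda r: (not r[3], r[0]))  # boundary-crossing chains first

TODAY = date(2026, 5, 15)  # constructed sample inventory, not real data
FLEET = [
    Agent("meeting-notes", "sales-rep", None, False, None, date(2026, 5, 12), {"calendar", "slack"}),
    Agent("planner", "eng-lead", "release planning", True, date(2026, 8, 1), date(2026, 5, 14),
          {"source_code"}, "public", ["deployer"]),
    Agent("deployer", None, None, False, None, date(2026, 2, 1), {"customer_records"}),
]

if __name__ == "__main__":
    print(*review(FLEET, TODAY), sep="\n")
```

Each output row is (agent, classification, key action, part of a boundary-crossing chain), with the chains that cross a trust boundary sorted to the top of the review queue.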
Budgeting for Your AI Agent Fleet
Most engineering organizations are still treating AI spend as a line item on someone's corporate card. That works for the first three agents and breaks at the thirtieth.
We have started recommending a different model in our discovery work: treat your agent fleet the same way you treat your cloud account. A shared resource with named owners, monthly budgets, and a quarterly review. The numbers in our post on AI development costs are useful context here, because the same dynamics apply. Token spend is volatile. A productive agent can 10x its monthly cost in a single bad week. An unmonitored agent will quietly burn budget that nobody knew was being burned until the invoice arrives.
The practical version of this is straightforward. Set a monthly token budget per team or project. Route all API keys through a single billing account with usage alerts. Review the top 10 agents by spend each month and ask whether the cost matches the value. Revoke keys that have not been used in 30 days. None of this requires a governance platform. It requires a spreadsheet and a calendar reminder.
The companies handling this well are the ones that put one person in charge of the agent fleet. Not as a full-time role, but as a named accountability: inventory, policy, budget review, and the quarterly cleanup pass. The role pays for itself within a few months in revoked unused keys alone.
What Agent Sprawl Looks Like in Practice
When we come into a code audit or a discovery phase, the agent inventory is now part of the standard checklist, alongside the dependency review and the secrets scan. We are finding things our clients did not know were there: a fine-tuned model trained on customer data sitting in a personal account, an MCP server that a contractor set up six months ago and that still has a live token, a planning agent calling a coding agent calling a deployment agent with no audit trail at any hop, and API keys shared across three engineers because "it was easier than requesting a new one."
None of these is malicious, and none is catastrophic on its own. They are the byproduct of a team moving fast in a tooling landscape that did not have governance primitives a year ago. The remediation is almost always the same: name an owner, scope the credentials, document the chain, and decide whether to keep it. Straightforward work, but the longer you wait, the harder the cleanup. Every week adds new agents, new credentials, and new chains that nobody documented when they were created.
Should You Buy Agent 365 or Build Your Own Governance?
If you are a Microsoft 365 shop and your security team has the bandwidth, Agent 365 is worth a pilot. The registry alone is more than most companies have today, and the Defender integration means agent behavior shows up in the same threat detection pipeline as everything else. If you are not a Microsoft shop, the inventory and policy steps above will get you most of the way there without spending a dollar, and they will make whatever governance product you eventually buy more useful, because you will already know what you are buying it for.
Either way, the moment to start is now. The number of agents in your company is going up every week. The cost of the cleanup grows with the size of the fleet.
Frequently Asked Questions
AI agent sprawl is the uncontrolled growth of AI agents operating within an organization without centralized visibility, ownership, or governance. Unlike SaaS sprawl, agents act on behalf of users, call other agents in chains, and often run outside the tools IT uses to monitor software installations.
Microsoft Agent 365 is an AI agent governance product that went generally available on May 1, 2026. It provides a centralized registry of agents operating in an organization's tenant, policy-based controls over agent behavior, and security monitoring through Microsoft Defender. It is available as a standalone product at $15 per user per month or bundled into Microsoft 365 E7.
Start by pulling every API key issued to model providers (OpenAI, Anthropic, Google, AWS Bedrock) in the last 90 days and grouping them by owner. Audit MCP server installs across engineering machines. Map what data each agent can access and what actions it can take. Flag any agent chains that cross trust boundaries. Classify each agent as sanctioned, tolerated, or banned.
Agents operate with credentials that often have broader access than the use case requires. A compromised or misconfigured agent can read, write, or delete data across every system its credentials can reach. When agents call other agents in chains, each handoff is a potential point of credential reuse or data exposure with no audit trail.
Microsoft Agent 365 costs $15 per user per month as a standalone product. It is also included in the Microsoft 365 E7 suite at $99 per user per month, which bundles E5, Copilot, Entra Suite, and Agent 365 into a single SKU.


