5 ways to curb AI sprawl without stifling innovation
The trend shows no sign of slowing. McKinsey’s latest “The State of AI” report suggests that 88% of organizations now use AI in at least one business function. As adoption expands, so too will experimentation and tool creation — much of it occurring outside traditional IT processes and often beyond formal oversight.
For IT leaders, the implications are significant. They are no longer managing a closed, centrally controlled environment, but one where technology can emerge anywhere, spread rapidly, and influence core business processes in ways that are difficult to predict or contain.
“Shadow usage is dramatically outpacing production,” said Chris Drumgoole, president of global infrastructure services at IT service provider DXC Technology. In many organizations, unofficial AI usage already exceeds sanctioned deployments by several multiples. Worse, he said, IT teams often have very little visibility into where and how these tools are being used.
From rollout to invisible adoption
What’s happening inside enterprises doesn’t resemble a coordinated rollout. It looks more like a distributed shift in how work gets done.
Employees are experimenting with AI assistants and no-code tools, building apps and automating workflows — often independently and without IT’s knowledge. In many cases, these efforts start as small productivity experiments but quickly evolve into shared tools that influence team-level or even business-critical processes.
In earlier waves of technology adoption, that activity was constrained by budget and formal approval processes. Those constraints have largely disappeared, replaced by tools that are easy to access, inexpensive, and often already familiar from personal use.
“The world used to have a finite number of software products you could buy,” said Jonathan Tushman, CTO and chief AI officer at Hi Marley, an AI platform for the insurance sector. “Now we have access to an infinite amount of software.”
Instead of selecting tools from a catalog, employees can now create what they need on demand. Andrea Malagodi, CTO at Sonar, which makes software to boost developers’ code quality and security, sees this across business functions. A finance employee experimenting with generative AI can assemble a working internal application in days — something that once required a development team, formal requirements, and months of work.
“The challenge isn’t that this is entirely new,” he said. “It’s that it’s happening much, much faster.”
Why AI sprawl is harder to contain
Speed alone does not explain the scale of the problem. What makes AI sprawl different is how it manifests — and how it enters the organization.
In the SaaS era, applications were still tied to vendors, contracts, and systems of record. AI, by contrast, appears in fragments: scripts, agents, workflows, and embedded features that may not be visible as standalone systems.
Alla Valente, principal analyst at Forrester Research, sees AI sprawl emerging from multiple directions. Some of it is driven by formal initiatives, but a growing share comes from unsanctioned employee usage or as new features added to existing software and services.
Many vendors are adding AI capabilities to products companies already use, often without those features being fully tracked or categorized. In some cases, these capabilities are enabled by default or introduced through routine updates, making them easy to miss.
“AI is entering organizations as embedded features of existing software as much as through structured procurement of AI tools,” Valente said.
That creates a fundamental inventory problem. Even when applications are known, the AI functionality within them may not be vetted, documented, or understood. And beyond enterprise systems, employees are also using free or low-cost tools that never go through procurement processes. As a result, organizations may be using AI in far more places than they realize.
Organizations are trying to regain visibility using indirect signals such as expense reports, network traffic, and employee surveys, but those methods only capture part of the picture.
“I’ve yet to see any organization take a serious look at how AI is being used internally and not be surprised,” DXC’s Drumgoole said.
Employees are not necessarily trying to bypass IT, but they are often reluctant to disclose their use of AI tools if they believe access might be restricted or taken away.
“They’re afraid they’re going to get shut down,” he said.
Risk is scaling faster than governance
As Valente notes, the pace of AI innovation is outstripping governance. Risks are evolving faster than policies and controls, leaving organizations to manage them in real time rather than through established frameworks.
One of the most immediate concerns is data exposure. Employees experimenting with AI tools may upload sensitive information including financial data, engineering designs, or customer records without fully understanding how that data is handled or where it might end up.
“A financial analyst trying to do the right thing might upload non-public information into a model,” Drumgoole said. “Now it’s out there.”
There is also growing concern about AI-generated outputs. These systems often produce responses that sound authoritative but are incorrect (colloquially known as “hallucinations”), increasing the risk that flawed information enters business decisions or operational workflows.
Cost is another factor. As AI usage spreads organically across teams, expenses can escalate quickly, often in ways that are difficult to track or attribute to specific business value.
Malagodi from Sonar points to a different issue that often surfaces later: ownership. When employees create tools independently, it is not always clear who is responsible for maintaining them, validating outputs, or answering for failures. Over time, these tools can become embedded in workflows, even as their creators move on.
“If an auditor asks why a number is what it is, and the answer is ‘because someone built a tool,’ that’s a problem,” he said.
The IT balancing act
The challenge is not just managing risk, but balancing it against the need for innovation.
Traditional governance models rely on review and approval before deployment. That approach breaks down when tools are created and adopted faster than those processes can operate.
By the time IT becomes aware of a tool, it may already be in use — and shutting it down can have unintended consequences, including disrupting productivity or pushing usage further underground.
“The organizations that are managing risk really well, from a traditional standpoint, may actually be the ones losing,” Drumgoole said. “That’s because they’re not getting the innovation.”
Rather than trying to prevent AI usage, many organizations are shifting toward defining how it can occur safely, accepting that some level of experimentation is both inevitable and necessary.
“Instead of saying no, you have to show up as the Department of Yes,” Drumgoole said.
As organizations begin to understand the scope of the problem, attention is shifting from diagnosis to action.
5 ways to bring AI sprawl under control
While no organization has fully solved AI sprawl, patterns are emerging in how forward-thinking companies are responding. Those responses point to five practical steps CIOs can take now.
1. Build real visibility, not just inventories.
Traditional inventories are no longer enough. AI is being used through personal accounts, embedded in third-party tools, and created internally in ways that rarely appear in standard systems.
As Valente notes, much of the challenge stems from not knowing where AI is operating — particularly when it enters through third-party applications or is used outside formal procurement processes.
Leading organizations are starting to combine telemetry, identity systems, and usage data to build a more dynamic view of AI activity. Some are introducing internal registries to track applications, agents, and workflows as they emerge.
2. Replace control with enforceable guardrails.
Blocking AI usage outright is impractical. Instead, organizations are defining clear rules around data use, model access, and acceptable use cases, and enforcing those rules through technical controls.
“It’s a lot of rudimentary stuff,” Drumgoole said, pointing to basic but critical measures such as restricting access to sensitive data and setting clear usage boundaries.
The shift, he added, is toward enabling safe use rather than trying to prevent it altogether.
3. Formalize what works.
Employees can now build useful tools in days. Turning those into enterprise assets requires structured intake processes that evaluate what has been created and determine what should be scaled.
As Malagodi emphasized, organizations need a way to take employee-built tools and bring them into a managed environment, with defined ownership, auditability, and governance. Without that step, useful innovations risk becoming unmanaged liabilities.
4. Build infrastructure for continuous creation.
AI sprawl reflects a deeper shift: software is no longer built only by IT.
Organizations need to provide internal platforms, hosting environments, and standardized patterns that allow employees to build safely within the enterprise. Tushman at Hi Marley points to the need for new infrastructure layers — including internal registries, hosting environments, and AI operations capabilities — to support this model.
5. Extend governance to vendors and third parties.
A growing share of AI is not built internally at all; it is introduced through vendors, partners, and existing software providers.
Valente warns that many organizations are already using AI through third parties without realizing it, because those capabilities are embedded in tools they already trust. “You are likely not classifying them as AI vendors,” she said, even as those tools process enterprise data.
Leading organizations are responding by tightening vendor oversight: adding AI-specific questions to RFPs, updating contracts to address data use and model behavior, and aligning third-party expectations with internal AI policies.
AI sprawl is no longer a future risk. It is already part of the enterprise — and increasingly, part of how work gets done. The challenge for CIOs is not to stop it, but to shape it, building enough structure to manage risk without slowing the innovation that makes it valuable in the first place.
Related reading:
Gartner sees untamed growth in agentic AI
New agentic AI tools bring new threat: agent sprawl
Taming agent sprawl: 3 pillars of AI orchestration
Source: Computerworld