
THE SIGNAL
The sprawl you already know about.
There's a moment in every enterprise technology wave I've learned to recognize. It's the moment when the people inside the organization can see the problem forming — can name it, can describe it, can feel the operational risk building — and deploy anyway.
I watched it happen with Salesforce. One of the largest financial services companies I worked with had 14 Salesforce instances running across the organization. Not because someone designed it that way. Because every division bought their own license, configured their own fields, and built their own workflows. By the time the governance team got involved, the data model was unsalvageable. The re-architecture took longer than the original implementation.
I watched it happen with RPA. A Fortune 100 operations team deployed 300+ bots in 18 months. No inventory. No ownership map. No one knew which bots were still running, which had drifted from their original scope, or which were making decisions they were never authorized to make. The audit finding was brutal.
Every time, the pattern is the same. The technology is real. The value is real. And the organization deploys faster than it governs not because it doesn't know better, but because the incentive to ship outweighs the discipline to design.
→ The OutSystems 2026 State of AI Development report just gave us the definitive numbers on how this pattern is playing out with agents:
96% of enterprises are already running AI agents.
94% are concerned that sprawl is increasing complexity, technical debt, and security risk.
Those numbers don't add up. Almost everyone is deploying. Almost everyone knows it's creating ungoverned risk. And almost no one has built the governance layer. The gap between awareness and action isn't ignorance. It's organizational inertia, the same force that created 14 Salesforce instances and 300 untracked bots.
Except this time, the speed is different. Salesforce sprawl took years. RPA sprawl took 18 months. Agent sprawl is happening in weeks. IBM projects 1,600+ agents per large enterprise by the end of 2026 and 70% of executives say their governance isn't fit for purpose.
→ The industry's response has been to build platforms. ServiceNow just launched Autonomous Security & Risk at Knowledge 2026, integrating Armis and Veza into a single system that discovers, inventories, and governs agent identities and permissions across the enterprise. Microsoft expanded Agent 365 with registry sync across AWS Bedrock and Google Cloud.
These are real products solving real problems. I don't dismiss them.
But a platform tells you what agents are running. It doesn't tell you what they should be authorized to do.
That's the gap the platform can't close. Authorization design, checkpoint architecture, the decision about where a human stays in the loop and where the agent runs free. Those aren't configuration settings in a dashboard. They're process architecture decisions that require someone who understands the workflow, the stakeholders, the compliance requirements, and the organizational politics.
The 14 Salesforce instances didn't happen because the company lacked a CRM governance platform. They happened because nobody designed the operating model before the technology shipped. The same dynamic is playing out with agents faster, with higher stakes, and with a blast radius that's organizational rather than departmental.
Governance isn't a product you buy. It's a discipline you design.enterprise scale.
THE PATTERN
The Blast Radius Triage?
Not all 1,600 agents need the same level of governance. The mistake I see organizations make, the same mistake I saw with RPA, is treating governance as binary: either everything is governed or nothing is. That's how you end up with a governance framework that's too heavy for simple agents and too light for critical ones.
Instead, triage by blast radius: what happens when this agent is wrong?
Tier 1 — Contained blast radius. The agent does something wrong and one person's workflow is affected. Examples: a summarization agent that misreads a document, a scheduling agent that books the wrong room. Governance need: minimal. Audit log and a human who checks the output before acting on it.
Tier 2 — Departmental blast radius. The agent does something wrong and a team or function is affected. Examples: a procurement agent that approves a vendor without proper review, a reporting agent that sends inaccurate numbers to leadership. Governance need: documented authorization scope, defined escalation path, periodic evaluation.
Tier 3 — Organizational blast radius. The agent does something wrong and it crosses compliance boundaries, customer-facing systems, or financial controls. Examples: a customer service agent that commits to terms the company can't honor, a financial agent that executes transactions outside policy. Governance need: full process architecture — authorization matrix, human checkpoints at every decision boundary, real-time monitoring, and audit trail.
The rule: Start from Tier 3 and work down. Most organizations do the opposite — they govern the easy agents first and leave the critical ones running on hope. By the time the audit finding hits, the blast radius is organizational.
Quick count: How many of your deployed agents are Tier 3? If you don't know, that's your first governance task — not building a dashboard, but drawing the map.
THE SIGNAL BOARD
WHAT I AM TRACKING THIS WEEK:
What I'm tracking this week:
→ ServiceNow positions itself as the enterprise AI governance layer. At Knowledge 2026: Autonomous Security & Risk (Armis + Veza integration), expanded AI Control Tower, and MCP Server going GA so external agents can plug into ServiceNow's "system of action." The platform play for governance is real. The question is whether platform without methodology produces governed agents or just inventoried ones. → Constellation Research
→ NVIDIA launches open agent development platform. Enterprise software leaders including Cadence, Dassault, Siemens, and Synopsys are building autonomous AI "digital coworkers" with NVIDIA Agent Toolkit. Nemotron 3 Ultra delivers 5x faster inference for agentic tasks. The infrastructure to deploy agents at scale just got cheaper. The governance to operate them didn't. → NVIDIA Blog
→ Microsoft Agent 365 tackles shadow AI. Now generally available with cross-cloud registry sync for AWS and Google Cloud agents. Futurum calls it "turning shadow AI into a governed asset class." Discovery and inventory are necessary steps. They're not the same as authorization design. → Microsoft Security Blog
→ Gartner: 40% of enterprise apps will have AI agents by year-end, but 40% of agent projects will fail by 2027.The adoption curve and the failure curve are both steep. 60% of organizations plan to deploy agents in the next two years — the most aggressive adoption curve among all emerging technologies Gartner tracks. Runaway costs, unclear business value, and policy violations are the top failure modes. Those aren't engineering problems. → Gartner
→ Deloitte's 2026 State of AI in the Enterprise report drops. Only 1 in 5 companies has a mature governance model for autonomous agents. The rest are in various stages of "we know we need it but haven't built it." That's the 94% paradox in a single statistic. → Deloitte
THE MOVE
This week's exercise: The Agent Inventory
You probably don't have one. Most organizations don't — only 18% maintain a current, complete inventory of agents running inside their walls.
Here's the 15-minute version. Open a blank spreadsheet. Four columns:
Agent name — what it does in plain language.
Owner — who deployed it. If no one knows, write "unowned."
Blast radius — Tier 1, 2, or 3 from The Pattern above.
Authorization scope — what is this agent allowed to decide without a human? If the answer is "undefined," write that.
You won't finish the list. That's the point. The exercise isn't to complete an inventory — it's to see how many agents you can't answer those four questions about. That number is your governance gap.
Most organizations discover they have more "unowned, undefined" agents than governed ones. That's not a technology problem. It's a process architecture problem.
→ If your inventory shows more gaps than answers: DM me on LinkedIn or book 15 minutes — cal.com/ai-workflow/readiness-score

Agentic Congruence is a weekly newsletter about orchestrating ventures, agents, and systems. Published by La Maestría. Reply to this email anytime — I read everything.
