Shadow AI Agents: The Governance Blind Spot Nobody's Counting
9 min read Fullmakt Team
- governance
- shadow-ai
- agents
- credentials
- traceability
- data-ownership
Ask a CISO how many employees have login credentials, and they can pull a number from the identity provider in seconds. Ask the same person how many AI agents are calling internal and third-party APIs on their organization’s behalf right now, and the honest answer is usually “we’re not sure.” Not because nobody cares — because nobody minted those agents through a system that counts. A data team spun one up to enrich a spreadsheet. A support lead approved an integration that quietly gained a second use six months later. A developer’s weekend prototype never got decommissioned and is still calling a production API with a personal token. Each one is a legitimate, well-intentioned decision. Together, they’re an inventory nobody owns.
That’s shadow AI — the agentic-era sibling of shadow IT — and it’s a governance blind spot that sits upstream of almost every “AI agentic gone wrong” story we’ve covered before. You cannot enforce data ownership, authenticate consistently, or trace a chain of calls back to a task and a human if you don’t know an agent exists in the first place. Sprawl isn’t a side effect of bad agentic AI governance. It’s usually the actual root cause.
How agent sprawl happens without anyone doing anything wrong
Shadow AI rarely starts with a rogue actor. It starts with the normal way software gets built inside a company that’s moving fast:
- Every team can get its own API key. Most APIs and MCP servers don’t ask “is this the only agent that should exist for this integration” — they ask “here’s a key, go.” Nothing forces a new agent through a central point that would notice it’s the fifth one calling the same customer-records API this quarter.
- Credentials outlive their original scope. A key minted for one prototype gets pasted into a shared vault “just in case,” and three unrelated workflows quietly start depending on it. We’ve written about this exact failure pattern — the repurposed long-lived credential — but sprawl is what makes it inevitable: nobody re-reviews a credential’s purpose if nobody’s tracking which agents hold which credentials in the first place.
- Agents spawn other agents. A single approved integration turns into a delegation chain — agent A calls agent B to handle a sub-task, and B was never provisioned or reviewed on its own. It exists because A’s framework made it easy to create, not because anyone signed off on a new principal with its own reach into your systems.
- “Temporary” never gets revisited. A proof-of-concept agent built for a demo keeps its credential long after the demo ends, because decommissioning isn’t anyone’s job and the key still works.
None of this requires malice or even carelessness in the moment. It requires the absence of a single place where “a new AI agent now has standing access to something” has to register before it happens.
Why this is a data-ownership and traceability problem, not just a security one
It’s tempting to file shadow AI under “we should rotate keys more often.” That undersells what’s actually broken. An unknown agent is, definitionally, an agent no policy was ever written for — which means:
- Data ownership can’t be enforced for an agent nobody scoped. We’ve covered how a credential needs to carry a specific owner — this customer, this tenant — not just a service identity. That binding has to be decided when the agent is provisioned. An agent nobody provisioned through a governed path has no ownership binding to enforce, only whatever the underlying API key happens to permit.
- Traceability breaks at the first unregistered hop. Traceability depends on a root task ID and a delegation chain surviving every call. An agent that was never issued a credential through the system that propagates that context is a hole in the chain — the trail doesn’t break loudly, it just goes quiet at exactly the hop you’d need it most.
- Observability dashboards only show what they’re pointed at. A monitoring system tuned to watch the agents you know about will not flag the one you don’t. Shadow agents don’t trip anomaly detection for “unusual behavior” — their behavior is the baseline, because no baseline was ever defined for them.
- The login handshake gets skipped, not just weakened. Even a sloppy handshake at least produces a token you can find in a log somewhere. A shadow agent using a copy-pasted key from a shared vault may not produce a distinguishable handshake event at all — it looks, from the API’s side, exactly like the agent it borrowed credentials from.
Put simply: every governance control we’ve described for agentic AI — scoping, ownership binding, chained audit logs, human-in-the-loop approval — assumes the agent went through the front door. Shadow AI is what happens outside that assumption, and no amount of hardening the front door fixes an agent that never walked through it.
Why “just do an audit” doesn’t actually solve it
The standard response — a quarterly access review, a spreadsheet of known integrations — treats sprawl as a point-in-time inventory problem. It isn’t. New agents get created between audits, by design, because creating one is supposed to be easy for teams shipping product. A yearly or quarterly review finds the agents that existed on the day someone looked. It systematically misses the ones spun up the week after, which is most of them, because agent creation in a fast-moving org has no natural rate limit of its own.
What actually closes the gap is not looking harder — it’s making agent creation itself impossible to do outside the system that tracks it. That’s an infrastructure decision, not an audit cadence decision.
The business case: a broker is a census, whether you asked for one or not
This is the part of the credential-broker pattern that’s easy to undersell as “just” security infrastructure. Because Fullmakt sits in the path of every agent-to-API call — issuing the short-lived credential each call actually uses instead of letting agents hold standing secrets — it produces, as a structural side effect, the one artifact shadow AI makes impossible to get any other way: a live, complete count of every agent that has ever asked for access, to what, on whose behalf.
- Every agent registers by construction, not by policy compliance. An agent that needs Fullmakt to get a working credential cannot exist as a shadow agent — provisioning through the broker is how it gets access at all, so “how many agents do we have” stops being a research question and becomes a query.
- New agents inherit ownership and scope at creation, not at next audit. Because the broker is the only path to a live credential, data-ownership binding and resource-level scoping happen at the moment an agent first asks for access — not whenever a reviewer eventually notices it exists.
- Delegated and spawned agents show up in the same trail. When an agent creates a sub-agent that also needs upstream access, that sub-agent’s request goes through the same chokepoint — so the delegation chain we’ve described for traceability captures new agents the moment they’re born, not months later.
- Dormant credentials become visible, and revocable, immediately. A key nobody’s used in four months but that’s still technically valid is exactly the kind of sprawl a census surfaces and a spreadsheet-based audit misses between review cycles. Revoking it is a policy change, not a hunt through a vault to find out who else might depend on it.
- The tamper-evident log is the census, not a separate project. The same cryptographically chained audit trail built for per-call governance doubles as the answer to “list every agent that has ever held a credential in this system” — because that’s exactly what it’s recording.
The commercial argument tracks the same logic as every other governance investment we’ve written about: the cost of discovering a forgotten agent during a breach investigation — reconstructing who built it, what it could reach, and whether it’s still active — is far higher than the cost of an architecture where an agent simply cannot get a working credential without first being counted. And unlike a periodic audit, a broker chokepoint doesn’t get cheaper to skip as the organization scales — it gets more valuable, because the number of teams capable of standing up a new agent only grows.
FAQ
What is a “shadow AI agent”? An AI agent that’s calling APIs or MCP servers on an organization’s behalf without having gone through any central provisioning, review, or governance process — typically because a team obtained its own credential directly from an API provider rather than through a managed system.
How is shadow AI different from shadow IT? The mechanism is the same — someone gets something working outside sanctioned channels because it’s faster. The stakes are higher for agents: an unsanctioned SaaS account is used by a person who can be asked what they did. An unsanctioned agent acts unattended, at machine speed, and can be delegated to further agents nobody reviewed either.
Why can’t a periodic access review solve shadow AI? Because new agents are created continuously, not on a review schedule. A quarterly audit only ever sees the agents that existed on the day someone looked — it structurally misses every agent spun up in the interval since, which in a fast-moving org is most of them.
How does a credential broker prevent agent sprawl specifically? By making itself the only path to a working credential. If an agent can’t call an upstream API without Fullmakt issuing it a short-lived, scoped credential, then every agent that exists is, by construction, one Fullmakt already knows about — sprawl stops being possible to hide.
Does this replace the need for data-ownership scoping and traceability? No — it’s the precondition for both. You can’t bind a credential to a specific data owner or preserve a delegation chain for an agent that was never provisioned through the system doing the binding and preserving. Fixing sprawl is what makes the other governance controls apply to every agent, instead of just the ones somebody happened to notice.
The uncomfortable truth about most “AI agentic gone wrong” postmortems is that the agent involved usually wasn’t a sophisticated attack — it was one nobody was really watching, because nobody had it on a list. Shadow AI isn’t solved by scrutinizing harder. It’s solved by removing the option to exist outside the one system built to scrutinize at all.