April 2026

Shadow Agents: The AI Your Governance Wasn't Built to See

There was a moment in a conversation with a Chief Learning Officer a few months ago that I haven’t been able to set aside. They told me their organisation had deployed AI agents across four functions. Healthy adoption. Strong metrics. The board was pleased. I asked what had changed in how those functions made decisions. They said: the tools are there, people are using them, adoption is strong. I said: that’s not what I asked. The room went quiet.

I’ve been in rooms where questions go unanswered because they’re unwelcome. This was different. The silence wasn’t evasion. The question was genuinely unanswerable with the instruments the organisation had, because none of them had been built to answer it. The dashboards showed adoption. The adoption was real. And adoption had become the proxy for something it was never designed to measure.

The governance frameworks most organisations built for AI over the past three years were designed around a specific assumption: that AI suggested and humans acted. You prompted, it responded, you decided. That model had a property so comfortable that most governance thinking absorbed it without noticing. When something went wrong, a human had acted on a bad output. The failure had a face. You could find the person, find the decision, find the moment, and fix the process. The entire oversight architecture, the training programmes, the intake workflows, the review gates, the adoption dashboards, was built to make that human moment go well. That architecture was not wrong. It was fit for purpose. The purpose has changed.

What changed is not the sophistication of the tools. It’s the direction of initiation. The tools stopped waiting to be asked. And while most organisations were running AI literacy programmes and tracking completion rates, something quieter was happening underneath. According to Microsoft’s Cyber Pulse report, drawn from a multinational survey of over 1,700 data security professionals, 29% of employees are already using unsanctioned AI agents for work tasks. Not unauthorised chatbots. Agents: systems connected to email, calendars, file storage, task management, given instructions to act, and left running. The technically capable person on your team who connected a few tools together and told the system to “keep me on top of things” has built an agent. They probably didn’t use that word, and nobody asked them to — nobody reviewed it, nobody classified it, and it does not appear on any dashboard in any form.

The visibility layer was built for a different category of tool. Adoption dashboards measure what was procured, deployed, and tracked. They were never designed to surface what someone assembled from commercially available components and wired into company systems with their personal credentials. So the green on your dashboard is accurate. It describes a landscape. Just not the one you’re operating in.

This is a classification problem before it’s a governance problem. The market has collapsed fundamentally different capabilities into one word, “agent,” applied equally to a tool that responds when you ask it something and a system that acts on its own. These are not points on a spectrum of slightly better tools. They are different governance objects with different liability, different audit requirements, and different failure modes. Calling them all the same thing means governing them all the same way, which in practice means applying oversight designed for prompted tools to systems that no longer wait for prompts. The unsanctioned agent on your network isn’t ungoverned because nobody cared. It’s ungoverned because the category didn’t exist in the governance framework at the time the framework was designed.

I’ve spent eighteen months helping organisations build oversight architecture for AI. The architecture I helped build assumed the organisation knew what it was running. That assumption was reasonable when AI meant something people actively invoked. It’s less reasonable now, and I have been slower than I should have been to say that out loud.

There’s a question I’ve started asking before any conversation about governance design: can you describe, right now, the most autonomous AI system operating inside your organisation? Not the one you procured. Not the one IT approved. The one someone on your team assembled. Most people find it harder than they expected. Some can’t answer it at all. That gap, between what’s running and what’s known to be running, is the actual governance problem. Most governance conversations skip it entirely and start building from there.

The CLO’s dashboards were green. I don’t doubt the adoption the dashboards showed was real. But the question I asked, about what had changed in how decisions got made, went quiet not because nobody wanted to answer it. Because the instruments they trusted had been built for the tools they knew about. And that, for most organisations right now, is where the problem actually lives.