Navigating AI Sprawl: How to Manage Growth Without Killing Innovation

As organizations race to adopt artificial intelligence, IT leaders face a new challenge: AI sprawl. McKinsey's latest report reveals that 88% of organizations now use AI in at least one business function, but much of this adoption happens outside formal IT oversight. Employees are experimenting with no-code tools, building apps, and automating workflows—often without IT's knowledge. This shadow usage can dramatically outpace sanctioned deployments, leaving IT teams with limited visibility into what tools are being used and how they impact core processes. Managing this growth without stifling creativity requires a thoughtful approach. Below, we explore key questions about AI sprawl and strategies to keep your organization innovative yet controlled.

What Exactly Is AI Sprawl and Why Is It a Problem?

AI sprawl refers to the uncontrolled proliferation of AI tools, scripts, agents, and workflows across an organization—many of which are created or adopted by employees without IT's knowledge or approval. Unlike previous technology waves where software was tied to vendors and formal procurement, AI can emerge in fragments: a finance employee builds a generative AI app in days, a marketing team uses a no-code assistant, or a developer integrates an AI agent into a workflow. The problem multiplies because these tools often start as small experiments but quickly become shared resources influencing business-critical processes. Chris Drumgoole, president of global infrastructure services at DXC Technology, notes that shadow usage is dramatically outpacing production, and IT teams have very little visibility. This lack of oversight introduces risks around data security, compliance, and consistency, making AI sprawl a top concern for IT leaders.

How Is AI Sprawl Different from Shadow IT in the SaaS Era?

In the SaaS era, shadow IT still involved vendor-managed applications that could be tracked through contracts and systems of record. AI, by contrast, manifests in invisible fragments: scripts, agents, embedded features, and workflows that aren't standalone systems. As Jonathan Tushman, CTO and chief AI officer at Hi Marley, explains, “The world used to have a finite number of software products you could buy. Now we have access to an infinite amount of software.” Employees aren't just selecting from a catalog—they're creating custom tools on demand. Andrea Malagodi, CTO at Sonar, points out that a finance employee with generative AI can assemble a working application in days, something that once required a development team and months of work. This speed and invisibility make AI sprawl harder to contain because it bypasses traditional approval processes and spreads faster than IT can monitor.

How Can IT Leaders Balance Control with Innovation?

Balancing control and innovation requires a shift from gatekeeping to governance. Instead of blocking all unofficial AI use, IT leaders should create clear guidelines that empower employees to experiment safely. Start by establishing a lightweight approval process for low-risk tools, and offer self-service options with pre-approved AI platforms. Encourage transparency by making it easy for teams to register their AI experiments. Provide training on data security and ethical use, so employees understand the boundaries. The goal isn't to stifle creativity—it's to channel it. By fostering an environment where innovation is welcomed but guided, IT can gain visibility without becoming a bottleneck. As DXC Technology's Drumgoole suggests, the key is to acknowledge that shadow usage is inevitable and work to bring it into the light through collaboration rather than restriction.

What Tools and Techniques Can Help Gain Visibility into AI Usage?

Gaining visibility into AI sprawl requires a combination of technical and cultural approaches. On the technical side, consider deploying AI discovery tools that scan endpoints, cloud environments, and network traffic to detect unauthorized AI usage. Integrate with existing asset management and security information platforms to flag unknown applications. Set up alerts for unusual data flows or API calls that might indicate AI tool activity. Equally important is a cultural approach: create a non-punitive reporting mechanism where employees can voluntarily share the AI tools they're using. Regularly survey teams about their AI experiments and encourage internal forums for sharing best practices. By combining automated monitoring with open communication, IT can build a comprehensive map of AI assets, as recommended by experts like Andrea Malagodi, who emphasizes that visibility is the first step toward managing sprawl without suppressing innovation.

What Should an AI Governance Framework Include?

An effective AI governance framework should be flexible enough to accommodate rapid innovation while enforcing guardrails. Key components include: (1) an inventory of all AI tools and use cases, updated regularly; (2) risk classification based on data sensitivity and business impact; (3) clear policies for data privacy, bias mitigation, and transparency; (4) approval workflows that vary by risk level—low-risk experiments can be auto-approved, while high-risk ones require review; (5) monitoring and auditing mechanisms to ensure compliance; and (6) a feedback loop to update policies as technology evolves. Involve cross-functional teams—legal, security, compliance, and business unit leaders—in developing the framework. As Chris Drumgoole points out, the goal is to provide structure without creating friction that drives innovation further underground. A well-designed governance framework turns AI sprawl from a threat into an opportunity for organized growth.

What Does the Future Hold for Enterprise AI Management?

The future of enterprise AI management lies in automation and embedded governance. As AI tools become even more accessible, manual oversight will be impractical. We can expect the rise of AI governance platforms that automatically track, classify, and enforce policies across all AI assets. These platforms will integrate with development environments and low-code tools, providing real-time guardrails. Additionally, organizations will likely adopt a “responsible by design” approach, baking compliance into AI creation processes from the start. The McKinsey statistic—88% adoption—shows that AI is already pervasive; the question isn't whether to use it, but how. IT leaders must move from reactive containment to proactive enablement. By embracing this shift, companies can harness AI's full potential while maintaining control, ensuring that sprawl becomes a manageable part of a larger innovation strategy rather than a chaotic force.