There's a particular kind of confidence that should make you nervous, and a lot of Fort Wayne business owners have it right now. Ask the typical Northeast Indiana operations manager whether the AI tools running inside their company are under control, and they'll say yes. Ask them to name the person responsible for the Copilot agent summarizing client emails, the Zapier automation moving leads between systems, or the one-off script a sales rep “vibe-coded” last quarter to clean up a spreadsheet — and the room goes quiet.
That gap between belief and reality just got measured. According to VentureBeat's reporting on new Ivanti research, 85% of IT teams say every AI agent in their environment is under control — but only 42% can actually say who owns each one. The survey reached roughly 3,900 employees across six countries, and the takeaway is uncomfortable: most organizations are governing AI agents they cannot even name.
This isn't a security-exploit story. It's an accountability story, and it's arguably more dangerous because it's invisible. An agent without a named owner doesn't trip an alarm. It just quietly accumulates access, makes decisions, and waits for the day someone asks “who approved this?” — and nobody can answer.
Key Takeaways
- 85% of IT teams believe every AI agent is under control, but only 42% can name who owns each one — a measurement-versus-reality gap, per Ivanti research.
- “Agent sprawl” happens when agents get spun up across Copilot, Zapier, CRM add-ons, and ad-hoc scripts with no inventory and no owner of record.
- The fix is a discipline, not a product: every agent needs a named human owner, a documented purpose, scoped credentials, and a review cadence.
- A simple five-column agent registry closes most of the gap without an enterprise IT department.
- For NE Indiana SMBs, a secure AI gateway turns “who owns what” from a spreadsheet you forget to update into an enforced control point.
- Ownership is the foundation every other AI control — security, cost, compliance — depends on.
Why Do 85% of Teams Think They're in Control When Only 42% Know Who Owns Each Agent?
The honest answer is that “under control” and “accountable” feel like the same thing, and they aren't. A team can have antivirus, single sign-on, and a written AI policy — all the trappings of control — and still have no idea that the marketing coordinator wired an autonomous agent into the CRM three weeks ago.
The Ivanti data hints at why the gap is so wide. The same Ivanti research found that organizational leaders are nearly twice as likely to hide their AI use as other employees — 42% versus 23% — and among the leaders who conceal it, 52% said they do it to keep a “secret advantage.” When the people setting policy are also quietly running unsanctioned tools, the inventory was never going to be accurate. The picture you have of your AI footprint is a self-report, and self-reports are optimistic.
This pattern isn't unique to one survey. VentureBeat's separate reporting on what it called the AI governance mirage found that roughly 72% of enterprises don't actually have the control and security they believe they have. And the consequences aren't hypothetical: VentureBeat's survey on stage-three agent threats reported that 88% of enterprises experienced an AI agent security incident in the prior year. The belief gap and the incident rate are the same story told from two ends.
We've written before about how your AI tools are already ahead of your AI policies — the maturity gap where capability outruns oversight. Ownership is the most basic layer of that gap. If you can't name the owner, every downstream control is built on sand.
What Is Agent Sprawl, and How Did Your Fort Wayne Business Get It?
Agent sprawl is what happens when the cost of creating an AI agent drops to nearly zero and the discipline of tracking one doesn't keep up. Five years ago, deploying automation meant a project, a budget line, and at least one person who owned it. Today an employee can stand up a capable agent in an afternoon from inside tools you already pay for.
Here's where the agents in a typical Northeast Indiana small or mid-sized business actually come from:
- Microsoft Copilot and Copilot Studio. Staff build agents that read mailboxes, draft documents, and summarize meetings. Useful — and often invisible to whoever runs IT.
- Zapier, Make, and Power Automate. Operations teams chain together “if this, then that” automations that increasingly include an AI step making judgment calls about your data.
- CRM and SaaS add-ons. Your CRM, help desk, and accounting tools now ship AI agents as features. Turning them on rarely involves a governance conversation.
- Vibe-coded scripts. A technically curious employee uses an AI coding assistant to generate a script that touches real systems. It works, so it stays — undocumented.
None of these is reckless on its own. Collectively, they create an environment where agents hold credentials, move data, and act on your behalf with no central record. That's the same dynamic behind shadow AI as a data risk: the danger isn't that the tools are malicious, it's that nobody is accountable for what they can reach. And the scale is real — VentureBeat reported that 85% of enterprises are now running AI agents, even as only 5% trust them enough to ship to production. Plenty of agents are running that nobody fully trusts and nobody clearly owns.
For a Fort Wayne professional-services firm, a DeKalb County manufacturer, or an Allen County home-services company, the exposure is concentrated, not diluted. You don't have a 40-person security team to absorb the mess. One unowned agent with broad CRM access is a meaningfully larger share of your total risk than it would be at a Fortune 500.
What Does an AI Agent Registry Actually Look Like?
The single most effective fix is also the least glamorous: write down what you have. An AI agent registry is a living inventory where every agent has a named human owner, a stated purpose, a documented credential scope, and a review date. It's the artifact that turns “we think we're in control” into “here is who is accountable, and for what.”
You can start in a shared spreadsheet today. Copy this structure:
| Agent / Tool | Where it lives | Named owner | What it's allowed to touch | Review cadence |
|---|---|---|---|---|
| Email triage agent | Microsoft Copilot | Dana (Office Manager) | Read-only on shared inbox; no send | Quarterly |
| Lead-routing automation | Zapier | Marcus (Sales Ops) | Write to CRM "leads" only | Monthly |
| Invoice-matching agent | Accounting SaaS add-on | Priya (Controller) | Read AP records; no payments | Quarterly |
| Website chat agent | CRM add-on | Sam (Marketing) | Public site data only; no PII export | Monthly |
| Reporting script | Internal (vibe-coded) | Alex (Analyst) | Read-only on data warehouse | Quarterly |
Notice what each row forces you to confront. The “named owner” column ends anonymous ownership — “IT owns it” is not an answer; a person's name is. The “what it's allowed to touch” column surfaces over-privileged agents, which is exactly the problem we cover in zero-trust AI agents and credential isolation: an agent should hold the narrowest credentials its job requires, never a borrowed admin key. And the “review cadence” column makes the registry a habit instead of a one-time audit that's stale by next quarter.
This discipline maps cleanly to established frameworks. The NIST AI Risk Management Framework organizes AI governance around knowing your systems, mapping their context, and continuously measuring and managing them — and you cannot do any of that for an agent you haven't written down. The registry is the precondition for everything NIST recommends.
How Do You Assign a Named Owner Without an Enterprise IT Department?
The objection we hear most from NE Indiana owners is fair: “We don't have a governance team. Who's supposed to own all this?” The answer is that ownership doesn't require a department — it requires a decision and a default.
Make ownership a condition of creation. The rule is simple: no agent goes live without a named owner. If someone wants to build a Copilot agent or a Zapier flow that touches company data, the price of admission is putting their name in the registry. This costs nothing and stops the sprawl at the source.
Default ownership to the closest accountable human. The owner isn't whoever is most technical — it's whoever is accountable for the outcome the agent produces. The lead-routing agent belongs to sales ops, not to “IT,” because sales ops lives with the consequences when leads route wrong. This is the same logic behind a cross-app agent approval pattern: the human who owns the result owns the agent.
Give every owner a short, real responsibility list. An owner should be able to answer four questions about their agent: What is it for? What can it access? How would we know if it misbehaved? When was it last reviewed? If an owner can't answer those, the agent shouldn't be running. Our broader AI Employee Governance Playbook expands this into full policy language, but four questions per agent is enough to start.
Don't let ownership die when people leave. Reassign agents during offboarding the same way you'd reassign accounts. An orphaned agent — owner gone, access intact — is one of the most common ways a perfectly governed environment quietly decays back into sprawl.
How Does a Secure AI Gateway Turn the Registry Into an Enforced Control?
A spreadsheet is a good start and a poor finish. The problem with any manual registry is the same problem that created sprawl in the first place: it depends on people remembering to update it. The agents that hurt you are precisely the ones nobody wrote down.
This is where a secure AI gateway changes the math. Instead of asking every employee to self-report, a gateway sits between your agents and the systems they want to reach, so the inventory is generated by what's actually happening rather than by what people remember to log. The gateway becomes the single point where you can see every agent's identity, scope each agent's credentials, and require human approval for sensitive actions — the enforcement layer your spreadsheet can't be.
The practical wins for a smaller team are concrete. You get a real-time list of which agents are active instead of a stale document. You can revoke or re-scope an agent's access from one place instead of hunting through five SaaS admin panels. And you get an audit trail, so when someone finally asks “who approved this?”, the answer is recorded rather than reconstructed from memory. That's enterprise-grade accountability without an enterprise IT department — which is exactly what Cloud Radix builds for Northeast Indiana businesses. If you want a structured way to pressure-test your current state, our AI Employee Security Checklist and our Fort Wayne AI Agent Authorization Audit playbook walk through it step by step.
Why Fort Wayne and Northeast Indiana Businesses Can't Wait on This
It's tempting to read national survey numbers and assume the agent-sprawl problem belongs to coastal enterprises with thousands of employees. The opposite is true. The same forces that let a global company lose track of its agents are stronger at the scale of a Fort Wayne firm — fewer people wearing more hats, more reliance on the AI features baked into off-the-shelf SaaS, and no dedicated security staff to notice when a new agent appears.
Northeast Indiana's economy runs on exactly the industries where unowned agents do the most damage: professional services and legal firms handling privileged client files, healthcare practices bound by HIPAA, manufacturers protecting proprietary process data, and home-services companies sitting on customer payment information. In every one of those, an agent with the wrong access isn't an inconvenience — it's a compliance event. And because Allen County and DeKalb County businesses tend to adopt the same Microsoft, CRM, and automation stacks, the sprawl tends to look similar from one company to the next, which means the fix is repeatable. A named-owner registry plus a gateway is a pattern any NE Indiana operator can stand up in weeks, not quarters. The businesses that do it now will spend 2026 building on a foundation of accountability while their competitors are still answering “who owns this?” with a shrug.
Take Back Control Before Agent Sprawl Owns You
You don't need a six-month governance program to close the 85-versus-42 gap. You need to know what you have, name who owns it, scope what it can touch, and put a control point in front of it. That's a project a Northeast Indiana business can finish this quarter — and it pays for itself the first time an auditor, a client, or your own team asks a question you can now actually answer.
Cloud Radix helps Fort Wayne and NE Indiana businesses build an AI agent registry and stand up a secure AI gateway that enforces it — named owners, scoped credentials, and an audit trail, without hiring an enterprise IT department. Talk to us about a secure AI gateway and agent governance review and we'll help you find the agents you didn't know you had.
Frequently Asked Questions
Q1.What is AI agent sprawl?
AI agent sprawl is the uncontrolled growth of AI agents and automations across a business — created inside tools like Microsoft Copilot, Zapier, CRM add-ons, and ad-hoc scripts — with no central inventory and no named person responsible for each one. It's dangerous because unowned agents accumulate access and make decisions while staying invisible to whoever is responsible for security.
Q2.Why do most companies not know who owns their AI agents?
Because agents are now trivially easy to create, often by non-technical staff inside everyday tools, while the discipline of recording each one hasn't kept pace. Ivanti research reported by VentureBeat found 85% of IT teams believe every agent is under control while only 42% can name each owner — a gap widened by the fact that leaders themselves often hide their AI use.
Q3.What is an AI agent registry?
An AI agent registry is a living inventory of every AI agent in your business. Each entry records the agent, where it runs, its named human owner, exactly what data and systems it's allowed to touch, and how often it gets reviewed. It's the foundational control that makes security, cost, and compliance oversight possible.
Q4.How do I assign an owner to an AI agent if I don't have an IT team?
Make a named owner a condition of any agent going live, and default ownership to the person accountable for the outcome the agent produces — not the most technical person. Each owner should be able to state the agent's purpose, its access, how they'd detect misbehavior, and when it was last reviewed. No department required.
Q5.What does a secure AI gateway do for agent governance?
A secure AI gateway sits between your AI agents and the systems they access, so it can inventory every active agent automatically, enforce scoped credentials, require human approval for sensitive actions, and produce an audit trail. It turns a manual registry that people forget to update into an enforced control point.
Q6.How is this different from a general AI security audit?
A security audit looks for vulnerabilities and exploits; agent ownership is about accountability — knowing who is responsible for each agent and what it's allowed to do. Ownership comes first. You can't meaningfully secure, budget for, or comply around agents you haven't even inventoried and assigned.
Q7.Where should a Fort Wayne business start?
Start with a one-page registry listing every agent you can find and its named owner — even an incomplete list beats none. Then scope down any over-privileged agent, set a review cadence, and put a gateway in front of the agents that touch sensitive data. Cloud Radix can run the discovery and stand up the gateway with you.
Sources & Further Reading
- VentureBeat: venturebeat.com/security/85-of-it-teams-claim-every-ai-agent-is-under-control — 85% of IT teams claim every AI agent is under control. Only 42% actually know who owns them.
- VentureBeat: venturebeat.com/orchestration/the-ai-governance-mirage — The AI governance mirage: Why 72% of enterprises don't have the control and security they think they do.
- VentureBeat: venturebeat.com/security/85-of-enterprises-are-running-ai-agents-only-5-trust-them-enough-to-ship — 85% of enterprises are running AI agents. Only 5% trust them enough to ship.
- VentureBeat: venturebeat.com/security/most-enterprises-cant-stop-stage-three-ai-agent-threats — The enforcement gap: 88% of enterprises reported AI agent security incidents last year.
- NIST: nist.gov/itl/ai-risk-management-framework — AI Risk Management Framework (AI RMF).
- Ivanti: ivanti.com/company/press-releases — Ivanti Research and Press Releases.
Find the AI Agents You Didn't Know You Had
Cloud Radix will run the discovery, build your AI agent registry with named owners, and stand up a secure AI gateway that enforces it — no enterprise IT department required.
Schedule a Governance ReviewServing Fort Wayne, Auburn, DeKalb County, Allen County, and Northeast Indiana.
