Employees are not waiting around for AI to happen in their company, they are making AI happen at their desks, whether or not it’s blessed by IT. All types of workers are finding and using AI tools that will make their work more efficient and help them move faster, and they’re likely being rewarded for this boost in productivity. 

It’s easier to ask for forgiveness than permission: the company is encouraging this behavior unwittingly even if it is against policy. It’s an invisible unspoken arms race in the office.

Companies are left with fractured environments where work is spread across approved platforms, unapproved tools, personal automations, copilots, and every other format of AI delivery that exists to date. Personalization of AI tooling makes these tools incredibly sticky for an end user, which helps foster the sprawl since no one wants to switch. Our own research found that 91% of enterprise employees are now using AI on the job. This bottom-up adoption creates a massive tracking problem, as employees deploy fragmented, self-designed AI systems that operate entirely outside of corporate oversight.

It’s 10 PM, do you know where your agents are?

The sprawl of AI tools, lack of tracking, and federation are part of the visibility problem, but one of the biggest holes in IT policy usually is the frequent use of AI talking to other systems: email, messaging, databases, CRMs, and everything else. People are using AI tools to take actions on their behalf on these systems, delegating their own user capabilities to an AI that doesn’t have the user’s brain as part of the context window. It kind of conjures up the old PSA, with a modern twist: “It’s 10 PM, do you know where your agents are?”

AI is the new integration mesh for everything, either explicitly or more often through a shaggy disconnected number of systems and events. Instead of IT teams creating integrations between apps, AI agents are now completing tasks dynamically across different systems. 

A single prompt can now trigger an agent to build project timelines in Asana, draft and send Slack messages, and query data in Snowflake, and so on. These multi-system workflows mean that “projects” are no longer linear processes managed in a single application; they are untracked, ephemeral, and everywhere. The challenge is making sure companies still have a way to see, govern, and explain those workflows without forcing everything back into one rigid project-management model.

For CIOs and CTOs, IT and security teams have effectively become the “HR department for AI.” Who can use it? How much? Where? When? IT is overburdened and angsty because the top-down directive is to use AI, but IT is left to pick up the pieces and answer questions that didn’t exist before ChatGPT. When non-human identities come into the mix, guidance is even more grey and vague, because these entities don’t map to traditional systems and no one has a perfect solution. 

Employees are using their personal AI accounts to authenticate directly with business applications like Salesforce, Slack, Gmail, and Notion using MCPs, which many AI tools advertise under the cover of “connectors,” “apps,” and “integrations.” It’s all MCP under the hood for the most part. Our research also found that 50% of knowledge workers using AI were giving it unsanctioned access to internal company tools and systems, with IT teams having zero visibility that these connections even exist. Because employees are spinning up unvetted MCP connections to get their jobs done, AI is now autonomously reading, writing, and making judgment calls inside corporate systems completely out of the IT department’s view.

Traditional IAM doesn’t work for agents 

Visibility breaks down at the Identity and Access Management (IAM) layer, because traditional security watches who is acting, not what they’re doing. That model works for people because people come with judgment. An AI agent inherits an employee’s permissions but none of their judgment.

Picture a sales director’s authorized agent that decides the most helpful thing it can do is clean up the database, and deletes a decade of historical sales data in the process. Traditional IAM sees exactly what it’s built to see: a valid user, valid credentials, a valid API call. It waves the agent right through the front door.

A misbehaving agent doesn’t look like an attacker. It looks like a model employee. Endpoint detection and network monitoring see normal traffic from a trusted account, so nothing fires.

Agents are fast and eager to help, and they have none of the institutional context a senior employee carries without thinking. So they need guardrails, inside and out. Prompting helps, but a prompt is a request, not a shut-off valve, and “please don’t delete the database” is not a control you can stake the business on.

The shift you’re really making is from advisor to operator. Summarizing a meeting is safe. Executing workflows and writing data is not, at least not without a governance layer that enforces limits deterministically rather than politely asking the model to behave.

Know what your AI is doing

Until an organization has a control plane that can distinguish between an AI’s read action and a destructive write action, they will remain paralyzed to unlock the true ROI of agentic AI. This is where Barndoor comes in. Barndoor enables every MCP server in your org under one control plane. Tool calls are governed by identity and granular policies, and sensitive data stays inside your perimeter.  Schedule a demo to learn more.