When a Third of Your Staff Can Build Agents
Problem
What is sitting on your network right now that you have never inventoried, that someone outside IT assembled, and that is making decisions today? For one infrastructure operator the answer arrived as a number that stops a CISO cold. They had handed roughly 500 of their 1,500 employees access to a low-code AI builder, while the official AI register listed only a few dozen use cases. The true figure was unknown, because most of the real AI in the building consisted of agents that ordinary employees had quietly built themselves.
This is shadow AI, and it carries more danger than shadow IT ever did, because each of these agents can take actions and the organization inherits the liability for every one of them. Whatever an employee builds on a hosted platform, the company owns the consequences while the platform vendor disclaims responsibility. You cannot govern what you cannot see, and a register maintained as a hopeful spreadsheet sees almost none of it. Discovery had to come before assessment, because there was nothing reliable to assess.
Solution
A policy memo solves none of this, because the proliferation moves faster than any manual process can track. The mechanism that works is a direct integration with the low-code platform that automatically syncs every agent an employee creates into the governance system, so discovery happens by connection rather than by survey. Modulos surfaces the shadow estate first, then carries each discovered use case into the same risk assessment and control workflow as every sanctioned system, with the Risk Agent putting a monetary figure on the ones that warrant it.
Discovery converts an invisible liability into a managed inventory. Each agent gets classified and assessed, then either approved with controls or flagged for remediation, and the CISO moves from "we think we have a few dozen use cases" to "we know what every one of our people has built, and we are governing it." Discovery alone treats the symptom, so the engagement paired it with training that taught employees what shadow AI is, why a self-built agent carries real liability, and when to bring a use case into the governance process. The estate shrinks at the source as the workforce learns to route AI through the front door. The risk did not disappear, because risk never does. It became visible, which is the one state in which it can be controlled.
We discovered that a third of our workforce could spin up AI agents, and our register knew about almost none of them. Modulos gave us automatic discovery, so the systems our people build show up and get governed instead of hiding until something breaks.
— Chief Information Security Officer, Critical Infrastructure Operator