Published Research Report

Public AI Adoption Is Easy to See. Governed Use Is Still Hard to Prove.

A public-artifact governance report from a locked 250-target GitHub cohort. The main result is not that public repos hide all deployment signal. It is that AI adoption, deployment evidence, approval proof, and binding completeness do not mature together.

Read the full report (PDF) | See the artifact set (GitHub) | Read the sprawl field-note series

Quick read

What this is

A locked 250-target public cohort

This replacement publication uses local clone-sourced scans across 125 AI-native, 75 developer-platform, and 50 security-platform repositories.

What changed

Current scanner, strict full-lane validation

The report now uses the refreshed `wrkr` pin, calibrated publication artifacts, and a strict full-lane validation pass.

What the result means

Detection is ahead of proof

Public repositories often reveal agent presence and deployment signal before they reveal binding completeness or machine-readable approval evidence.

What this means for leaders

AppSec

Public deployment evidence is common enough to justify deeper review

The gating issue is not whether agents are visible. It is whether tool, data, and auth bindings are complete enough to support a clean authority model.

CISO / Security leadership

Approval posture still lags discovery

The 5.64:1 ratio is still a proof problem: visible AI use without durable, machine-readable approval evidence.

Platform / Engineering

Deployment markers are not enough

A repo can look operational and still be governance-incomplete if bindings, approval records, and evidence continuity are weak.

Headline numbers

Declared agents

91.6%

229/250 targets exposed at least one declared agent.

Approval gap

5.64:1

1845 not-baseline-approved non-source tools to 327 approved.

Evidence gap

54.4%

136/250 targets did not clear the verifiable evidence threshold.

Article 50 gap

90.4%

226/250 targets showed the current transparency-proxy gap.

What we found

The updated run surfaced 2172 headline-scope tools and 2222 declared agents. 220 targets exposed deployed-agent signal, but no detected agent was binding-complete. That is the central structural result: deployment evidence is visible more often than control-ready proof.

The public privilege signal is also non-zero. 16 targets exposed write-capable agents, 17 exposed exec-capable agents, 45 exposed credential-access agents, and 24 exposed agent-linked attack paths. These are public-artifact detections, not private runtime guarantees or complete threat models.

Regulatory proxy outputs remain thin. Framework rollups were emitted for 249 targets. Average deterministic proxy coverage was 33.33% for EU AI Act and 0% for both SOC 2 and PCI DSS.

The named proxy controls are narrow: EU AI Act uses Article 9 Risk Management, Article 12 Record-Keeping, and Article 14 Human Oversight; SOC 2 uses CC6 Logical Access, CC7 System Operations, and CC8 Change Management; PCI DSS uses Requirement 10 Logging and Monitoring.

The run can therefore say something about public governance evidence for EU AI Act, SOC 2, and PCI DSS proxies. It does not support broader claims about frameworks outside the current v2 headline-eligible mapping set.

Scope

Cohort

Locked publication denominator

250 public repositories selected under the v2 publication profile and scanned from local clones to avoid API-driven cohort drift.

Interpretation boundary

Public evidence, not private runtime certainty

The report measures what public repositories expose about tools, agents, approval posture, deployment markers, and governance evidence. It does not claim direct visibility into private runtime authority.

Failure handling

One parser failure carried fail-closed

One target produced zero posture counts and no framework rollup after a scanner parser failure. It stayed in the locked cohort and the aggregate denominator.

Methodology

Run ID: sprawl-v2-top250-20260508a
Candidate file: internal/repos-v2-publication-250_candidates.csv
Target file: internal/repos-v2-publication-250.md
Aggregate artifact: runs/tool-sprawl/sprawl-v2-top250-20260508a/agg/campaign-summary-v2.json
Claims artifact: runs/tool-sprawl/sprawl-v2-top250-20260508a/artifacts/claims-finalized-v2.json
Deterministic queries (run against the aggregate artifact):
  jq '.campaign.metrics.orgs_with_agents_pct'
  jq '.campaign.metrics.not_baseline_approved_to_approved_ratio'
  jq '.campaign.metrics.orgs_without_verifiable_evidence_pct'
  jq '.campaign.metrics.article50_gap_prevalence_pct'

The report validates in strict full mode. Required thresholds passed 6/6. Recommended thresholds passed 11/11. Recommended calibration metrics for deployment and privilege recall remain advisory.
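The four jq queries above read the published metric fields directly; a reader verifying the report will also want to recompute them from the underlying counts and confirm that the locked 250-target denominator survived the fail-closed parser failure. The script below is an added example, not the report's own tooling or scanner code. The four `.campaign.metrics.*` paths are the ones the report names; the `.campaign.counts.*` fields, the `targets` field and the parser-failure list are assumptions about the artifact layout, and the embedded JSON is constructed to match the published numbers rather than copied from the run.

```python
"""Recompute the report's headline metrics from raw counts and check them
against the published metric fields.

Added example, not part of the report or its scanner. The metric paths
(.campaign.metrics.*) are the ones the report names; the count fields,
the targets field and the parser-failure list are assumed artifact layout,
and SAMPLE_SUMMARY is constructed to match the published numbers.
"""
import json

COHORT_SIZE = 250  # locked publication denominator

# Constructed stand-in for campaign-summary-v2.json (count field names assumed).
SAMPLE_SUMMARY = json.dumps({
    "campaign": {
        "run_id": "sprawl-v2-top250-20260508a",
        "targets": 250,
        "counts": {
            "orgs_with_agents": 229,
            "not_baseline_approved_tools": 1845,
            "approved_tools": 327,
            "orgs_without_verifiable_evidence": 136,
            "article50_gap_orgs": 226,
            "framework_rollup_targets": 249,
            "parser_failure_targets": ["hypothetical-failed-target"],
        },
        "metrics": {
            "orgs_with_agents_pct": 91.6,
            "not_baseline_approved_to_approved_ratio": 5.64,
            "orgs_without_verifiable_evidence_pct": 54.4,
            "article50_gap_prevalence_pct": 90.4,
        },
    }
})


def recompute_metrics(summary_json: str) -> dict:
    """Derive the headline metrics from counts over the locked denominator."""
    campaign = json.loads(summary_json)["campaign"]
    counts = campaign["counts"]
    n = campaign["targets"]
    # Fail-closed: a target with no posture counts stays in the denominator,
    # so any drift away from the locked cohort size is an error, not a fix-up.
    if n != COHORT_SIZE:
        raise ValueError(f"denominator drift: {n} != {COHORT_SIZE}")
    # A failed target has no framework rollup; the rollup count must reflect that.
    expected_rollups = n - len(counts["parser_failure_targets"])
    if counts["framework_rollup_targets"] != expected_rollups:
        raise ValueError("framework rollup count inconsistent with parser failures")
    if counts["approved_tools"] == 0:
        raise ValueError("approval ratio undefined: zero approved tools")
    return {
        "orgs_with_agents_pct": round(100 * counts["orgs_with_agents"] / n, 2),
        "not_baseline_approved_to_approved_ratio": round(
            counts["not_baseline_approved_tools"] / counts["approved_tools"], 2),
        "orgs_without_verifiable_evidence_pct": round(
            100 * counts["orgs_without_verifiable_evidence"] / n, 2),
        "article50_gap_prevalence_pct": round(
            100 * counts["article50_gap_orgs"] / n, 2),
    }


def check_published(summary_json: str, tolerance: float = 0.005) -> list:
    """Return the metric names whose published value disagrees with the recomputed one."""
    published = json.loads(summary_json)["campaign"]["metrics"]
    derived = recompute_metrics(summary_json)
    return [k for k, v in derived.items() if abs(published[k] - v) > tolerance]


if __name__ == "__main__":
    for name, value in recompute_metrics(SAMPLE_SUMMARY).items():
        print(f"{name}: {value}")
    print("mismatches:", check_published(SAMPLE_SUMMARY))
```

To use this against the real artifact, replace `SAMPLE_SUMMARY` with the contents of `campaign-summary-v2.json` and adjust the assumed count field names to whatever the artifact actually carries; the point of the denominator check is that a recomputation which silently drops the failed target would report a different denominator than the locked cohort, which the report explicitly does not do.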

For media and verification