What this is
A public-artifact governance report
This report measures visible AI tool and agent posture across an 890-target public GitHub subset with a focus on approval evidence, deployability signals, and governance readiness.
CAISI
Independent research and operating notes on AI agent governance.
Published Research Report
Public AI Adoption Is Easy to See. Governed Use Is Much Harder to Prove.
Across an `890`-target publication subset, CAISI found widespread AI tool and agent declarations, but much weaker public evidence for approval, deployability, and control-aligned governance. The strongest signal is not visible runtime abuse. It is evidence and approval opacity.
On this page
Quick read
What this is not
Not a runtime exploit census
The strongest conclusions are about discovery, approval opacity, and evidence posture in public artifacts, not about private production privilege or direct runtime abuse.
Who should read it
CISO, AppSec, and platform buyers
Start here when you need a public baseline for AI-tool visibility, approval gaps, and what public repositories can and cannot prove.
Four headline numbers
98.2%
Targets with declared agents
11:1
Not-baseline-approved to approved tool ratio
47.08%
Targets without verifiable evidence
17.19%
Targets with Article 50 proxy gap
What we found
The completed subset exposed `7,984` declared agents across `874` of `890` targets. Only `36` targets showed any deployable-agent signal, and every detected agent was missing at least one declared binding. In plain terms, public repositories often advertise agent frameworks and agent concepts, but usually do not expose enough operational wiring to prove that those agents are fully deployed and governed.
The tool-approval story was also weak. In headline scope, the subset contained `780` non-source AI tools. Only `65` were baseline-approved. `715` were outside that approved baseline, which is why the report frames the core issue as approval proof and evidence readiness rather than panic about one visible exploit class.
The compliance proxies point in the same direction. EU AI Act proxy coverage averaged one of three current controls. SOC 2 and PCI DSS proxy coverage were effectively absent in the public artifact set. These are not legal conclusions. They are measurements of what public repositories do and do not evidence.
What this means for leaders
For AppSec
The first problem is usually not visible exploitation. It is weak proof of what AI is present, what is approved, and whether the repo exposes enough evidence to support review and incident work.
For CISOs
The `11:1` ratio is not a danger score. It is a governance signal showing how often public AI usage appears without machine-readable approval proof.
For platform leaders
A repo that declares agents is not the same thing as a repo that exposes a deployable, bound, and evidence-backed agent surface. Platform contracts still matter.
For all three
Public `0%` write-capable and exec-capable agent findings are not proof of low internal runtime risk. They show that public repos underexpose those paths.
What this report is, and what it is not
This report is tied to the `890` completed targets from a frozen `1,000`-target publication cohort. The unfinished `110` targets are all AI-native, so the measured subset likely understates some AI-native-heavy problems such as transparency gaps and weak evidence posture.
It is also a public-repository report, not a production-runtime report. That means the strongest conclusions are about discovery, approval visibility, evidence readiness, and control-aligned artifact coverage. It is weaker as a direct measure of internal privilege or active runtime abuse.
Three takeaways
01 - Declaration outruns proof. Agent and tool signals are common. Evidence of governed use is much less common.
02 - Approval needs to be machine-readable. Most visible AI posture problems in the subset are unresolved approval and evidence questions, not explicit negative approvals.
03 - Public discovery is a starting point. It gives leadership a measurable baseline, but it does not answer every runtime question.
From the CAISI blog
Sprawl report series
What the Sprawl Report Means for Security and Platform Leaders
A four-part series for AppSec, CISOs, and platform leaders on how to read the report without overclaiming and what to fix first.
Sprawl Post 1
For AppSec, the First AI Agent Problem Is Evidence Before Exploitation
Why weak evidence posture is often the first concrete control problem visible in public AI adoption.
Sprawl Post 3
Declared Agents Are Not Deployed Agents
Why declaration volume and deployable-agent evidence need to be separated in governance conversations.
Methodology and artifacts
Subset design
One repository per owner, public GitHub targets, deterministic baseline scan, and a rebuilt aggregate from the completed `890/1000` targets.
Validation status
Relaxed validation passed. Required threshold checks passed `6/6`. The report remains explicit that this is a completed subset, not the full intended cohort.
Primary assets
Report PDF, rebuilt campaign summary, claims artifact, and appendix exports are all in the public repository.
Reference links
For media
Need the short version first? The media brief explains the study in plain language, keeps the headline findings and limitations intact, and links back to the full report and artifact set.