CAISI Field Notes / Sprawl Report Series

What the Sprawl Report Means for AppSec, CISO, Engineering, and Platform Leaders

This four-part series stays anchored to one report and one locked run: sprawl-v2-top250-20260508a, built from 250 public GitHub targets scanned from local clones. The point is not to retell the report four times. It is to separate the strongest governance lessons for AppSec, CISOs, engineering leaders, and platform teams from the numbers that are easy to misread.

Public evidence, not runtime certainty
AppSec, CISO, Engineering / Platform
One report, four focused lessons

Why a separate sprawl series

The report is strongest on a specific question: what public repositories expose about AI tools, agent declarations, approval posture, evidence readiness, and control-aligned artifacts. That is a useful governance question, but it is easy for readers to over-rotate toward either complacency or alarm.

This series slows the read down. It explains why the report's strongest results are about proof and posture, why deployment signal is not the same as binding completeness, and what each audience should do with the signal.

The 4 posts

Sprawl Post 2

CISO / Security leadership

A 5.64:1 Approval Gap Is Still a Proof Gap

Why leaders should read the headline ratio as a machine-readable governance failure, not a claim that every unresolved tool is dangerous.