In a five-week stretch this spring, three of the largest identity and infrastructure vendors in the world shipped agent-governance products, and all three reached, independently, for the same first move. Not a sandbox. Not a kill switch. A list. Microsoft's Agent 365 went generally available on May 1 with an Agent Registry at its center; Okta for AI Agents hit GA on April 30 leading with discovery of "known and unknown" agents; AWS published an MCP Gateway and Registry for governing agent assets at scale. When competitors converge on the same primitive at the same time, the primitive is telling you what the actual problem is.
The actual problem is that nobody can name the agents already running inside their own walls.
The shadow-IT rerun, with a twist#
If this rhymes, it should. A decade ago the enterprise discovered "shadow IT": employees signing up for unsanctioned SaaS apps faster than IT could catalog them, and the industry's first response was the CASB — a tool whose whole job was discovery, because you cannot govern what you have not enumerated. The agent era is replaying that cycle almost beat for beat. Microsoft's own framing at Build 2026 is that its registry "surfaces unmanaged local agents," and that it supports more than 20 types of local agent — coding agents, AI desktop applications, and both local and remote MCP servers — discovered jointly by Defender, Entra, and Intune. That is a CASB for agents, in everything but name.
But there is a twist that makes agent sprawl worse than the SaaS version, and it is the one non-obvious thing worth holding onto: the unit that multiplies has changed. Shadow IT multiplied applications. Agent sprawl multiplies identities. Every agent needs credentials — API keys, tokens, service accounts — to do anything useful, and agents mint and consume those credentials faster than the humans deploying them. GitGuardian's State of Secrets Sprawl 2026 counted 28.65 million new hardcoded secrets pushed to public GitHub in 2025, a 34% jump and the largest single-year rise it has recorded, with leaks of AI-service credentials specifically up 81%. Its diagnosis is blunt: as teams adopt AI tooling they "create more tokens, keys, and service identities, often without equivalent governance." Veza's identity research, meanwhile, puts non-human identities at roughly 17 to 1 against humans, and notes that a vanishingly small fraction of them control the overwhelming majority of cloud permissions.
So the thing the registry is trying to catch is not a static inventory of apps. It is a population of credentialed actors that grows on its own.
Why "rogue agent" is now a category, not a hypothetical#
The security community has already formalized the risk. In December 2025 the OWASP Gen AI Security Project published its first Top 10 for Agentic Applications, and three of its entries map directly onto sprawl: identity and privilege abuse (agents misusing inherited permissions), agentic supply-chain compromise (malicious tools, plugins, registries, and MCP servers — with a real GitHub MCP exploit cited as the worked example), and "rogue agents," which OWASP describes as authorized, trusted, but misaligned actors that keep operating — the ultimate insider threat. The phrase "authorized and trusted" is the whole problem. A rogue agent is not an intruder who broke in. It is an identity you provisioned, that you can no longer fully account for, doing something you did not intend.
That is why the vendor responses are converging on enumeration before enforcement. Microsoft pairs the registry with Entra Agent ID so each discovered agent gets a first-class identity; Okta's pitch is to discover unknown agents and then instantly revoke a rogue one; AWS routes agents through an MCP gateway and federates their identities back to the usual providers. You cannot revoke, scope, or rate-limit an identity you never recorded — so the registry has to come first.
What it means, and what it doesn't#
The scale is what turns this from hygiene into strategy. Gartner expects 40% of enterprise applications to ship task-specific agents by the end of 2026, up from under 5% a year earlier, and forecasts agent software spending north of $200 billion this year. A governance layer that was optional at five percent adoption is load-bearing at forty.
Two cautions, though. First, a registry is necessary, not sufficient — discovery is the easy part; the hard part is the policy you attach once you can see, and "you can now see your agents" is a long way from "your agents are governed." Second, watch where the registry lives. Whoever owns the inventory of your agents owns a chokepoint, and the same companies racing to enumerate your agents would also like to be the platform those agents run on. The MCP world has already learned that counting is political — nobody even agrees on how many MCP servers exist, and who controls the registry is a live fight.
The honest summary is that the industry has correctly diagnosed the disease and shipped the same first instrument to measure it. That instrument is a list. It is the right first move, and it is worth remembering why we keep arriving at it: across two technology cycles now, the binding constraint has not changed. You can't secure what you can't see — and this time, what you can't see is busy making more of itself. For the mechanics underneath, see how to authenticate an AI agent's identity, the OWASP MCP Top 10, and MCP tool poisoning and rug pulls.
