The numbers are stark. In 2025, the average Fortune 500 company ran fewer than 15 AI agents. By 2028, Gartner predicts that number will exceed 150,000 — a 10,000x jump in three years.

Released on April 28, 2026, Gartner’s new research identifies six concrete steps enterprises should take to manage this coming wave — and the firm is not pulling punches about the urgency. Only 13% of organizations believe they have the right AI agent governance in place today. That means 87% of enterprises are already behind, and the flood of agents hasn’t even fully arrived yet.

The Problem: Agent Sprawl Is Already Here

AI agents are different from traditional software. They don’t sit in one place and wait for instructions. They connect to systems, take actions, access data, and in some cases spin up other agents. Every team in a company can now build one with tools like Microsoft Copilot Studio, Salesforce Agentforce, or any number of low-code platforms.

The result is what Gartner calls agent sprawl: a messy accumulation of agents running across an enterprise, often with overlapping functions, inconsistent permissions, no centralized record of what they’re doing, and no clear owner when something goes wrong.

Max Goss, Senior Director Analyst at Gartner, has been direct about the stakes. Organizations need to find a balance where they can govern agents and manage sprawl, while also safely empowering employees to innovate with these tools. Get it wrong and you end up with security risks, compliance gaps, and a tangle of redundant automation that nobody fully understands.

Gartner’s Six Steps

Gartner’s framework gives enterprise leaders a practical starting point. Here’s what they recommend:

1. Establish agent governance and policies Define the rules upfront — who can build agents, who can share them, what external connectors they’re permitted to use. Without this foundation, every team makes its own call and the governance problem compounds.

2. Build a centralized agent inventory You cannot govern what you cannot see. Gartner recommends using AI trust, risk, and security management (AI TRiSM) tools to discover and catalog agents across the organization — including the shadow AI ones that teams have deployed outside official IT channels.

3. Define agent identity, permissions, and lifecycle Each agent should have a defined identity with explicit access permissions, a review schedule, and a clear retirement path. Agents that outlive their purpose become a governance liability.

4. Develop AI information governance Agents need data to function. That means every agent deployment must come with a clear answer to: what data can this agent access, who controls that access, and what happens when the data is no longer relevant or accurate?

5. Monitor and remediate agent behavior Build visibility into what agents are actually doing — not just what they were designed to do. Agents can drift from their intended scope over time. You need the ability to detect anomalous behavior and course-correct before it becomes a serious problem.

6. Foster a culture of responsible AI usage Governance infrastructure is only half the equation. Training, community of practice, and shared best practices across teams are what turn policies into habits. Agent governance cannot live only in the IT department.

What This Means for Business

The Gartner framework reflects a broader shift happening in enterprise AI right now. The first wave of AI deployment was about proving value in isolated use cases. The second wave — the one most large organizations are entering now — is about scale. And scale without governance creates risk.

This plays out in three ways business leaders should be thinking about:

Security exposure. An agent with broad data access and no lifecycle review is an attack surface. The more agents you run, the more potential entry points for adversarial manipulation, data leakage, or unintended actions.

Compliance complexity. Regulated industries — finance, healthcare, legal — face particular pressure here. If an agent makes a decision that triggers a compliance issue, who is accountable? Gartner’s framework puts the answer squarely on the organization, not the vendor.

Operational waste. Without centralized inventory, you end up with dozens of agents doing overlapping work. Teams rebuild solutions that already exist because they don’t know those solutions are running elsewhere. That’s a direct cost to the business.

For small and mid-sized businesses, the picture looks different but the principle holds. You may not be running 150,000 agents, but even five or ten agents with unclear ownership and no review process can cause headaches at the scale of your operations.

The Governance Window Is Now

There’s a window right now where setting up proper agent governance is still manageable. The companies that establish clear policies, build inventory systems, and train their teams before the agent count explodes will be in a fundamentally stronger position than those who try to retrofit governance onto an already chaotic estate.

The 150,000-agent prediction is not a distant future problem. The trajectory is already underway. Gartner published this in April 2026 because most organizations are actively adding agents now — and building governance as an afterthought.

If you’re currently deploying AI agents and have not established a centralized inventory or formal governance policy, that is the starting point. The six steps in Gartner’s framework aren’t complex — but they require someone to own them.

That’s the missing piece in most organizations today.

---

Enterprise DNA helps organizations build, deploy, and govern AI agent workforces through Omni Ops. If you’re scaling AI agents and need a strategic partner, book a discovery call with the team.