By implementing a control plane — an infrastructure layer that sits outside agents and provides centralized identity, scoped credentials, cost attribution, and audit logging. The architectural pattern mirrors what Kubernetes did for containers: not limiting creation, but making creation safe to scale. Companies like DaVita and Lyft are building internal versions of this layer; purpose-built control planes provide it as shared infrastructure.
Agent Sprawl Isn't the Problem. Your Governance Strategy Is.

The Wall Street Journal recently published a piece that I think every CIO should read: Companies Have a New AI Problem: Too Many Agents.
In the article, the author highlights some of the challenges enterprise teams are facing as a result of rapid agent expansion.
Siloes. Security risks. Runaway token costs. The headline frames this as a proliferation problem. And that’s definitely part of the problem! But it’s not the whole story.
The real issue isn’t the number of agents these teams are deploying—it’s their inability to control them effectively at scale.
And here’s the really interesting part: every company mentioned, from Lyft to FICO, is building the same expensive and unscalable internal solution to try to solve it. Sound familiar? It should. We did the same thing with containers ten years ago. But the answer wasn’t a home-built solution for orchestration and scheduling.
It wasn’t until Kubernetes came along and established the architectural layer that containerized applications finally became manageable at scale. Now agents are having their Kubernetes moment.
The problem isn't that companies have too many agents; it’s that they don’t have a centralized control plane to manage and govern them.
So, what does that mean exactly? Let’s talk about it.
What’s getting lost in the agent sprawl shuffle?
DaVita has 10,000 agents currently in production. FICO has 3,500 employees creating dozens of new agents each day. There’s no question that agent creation is expanding—and quickly. And in the deluge of agents, every company in the article is discovering the same four gaps:
No managed registry. You can't govern what you can't see. Agents run on everything from laptops to cloud environments, and the IT departments responsible for controlling them have no idea how many there are, who created them, or what they're doing in their environments.
No cost attribution. Magnum Ice Cream's CIO addresses the question directly: tokens cost money, but nobody knows which agent is spending what. DaVita built an internal platform specifically to manage token costs. That's an enterprise creating custom infrastructure (and tech debt) where its team lacks expertise, to solve a universal problem that’s clearly better served with a targeted and vendor-managed solution.
No governance. FICO's chief customer officer says they're "instituting governance practices" to improve reliability and trust. But that gap isn’t specific to FICO by a long shot. According to Gartner, only 13% of organizations think they have adequate AI agent governance in place. That means the other 87% are flying blind.
No centralized control. Lyft is building a centralized platform with IT controls. DaVita built an internal platform for cost management. These are two enterprises, independently, building the same missing layer. That's not a coincidence. That's a category.
Agent sprawl by the numbers
According to Gartner, the average Fortune 500 company will manage over 150,000 AI agents within the next two years. Most are struggling with fewer than 15 today.
If you believe those numbers, that’s a 10,000x increase in scale in the next 24 months with only 13% governance readiness today. I’m no mathematician, but those numbers are more than a little concerning.
But again, we’ve been here before. The companies that figured this out for containers didn't solve it with better containers. They solved it with Kubernetes — an infrastructure layer that sits outside the containers and manages identity, scheduling, networking, and lifecycle from a single control surface.
If we run this scenario across any infrastructure category — servers, containers, microservices, APIs — the answer is always the same: you need a control plane.
The same pattern applies to agents.
A control plane for AI agents doesn't slow down agent creation. It makes agent creation safe to scale. Every agent gets an identity. Every action gets logged. Every credential gets scoped. Every dollar gets attributed.
Why building it yourself doesn't work
DaVita built an internal token-cost platform. Lyft is building a centralized agent management platform. These are serious engineering organizations making rational decisions. But there are three reasons why the build-it-yourself approach breaks down:
It only solves your problem. DaVita's internal platform manages DaVita's agents. It doesn't benefit from every other enterprise learning the same lessons. Kubernetes won because it was a shared infrastructure layer that improved for everyone, not because Google kept its container orchestration internal.
It lags behind the agents. When FICO's 3,500 employees are creating dozens of agents daily, a governance system built by a small internal team will always be behind. The agents move faster than the controls.
It doesn't cross boundaries. The moment you need to share agents across teams, with partners, or with customers, an internal-only platform hits a wall. You need an infrastructure layer designed for multi-tenant, cross-organizational agent management from the start.
This is the same realization the industry had with API gateways, service meshes, and container orchestration. The governance layer needs to be external, shared, and purpose-built — not a side project inside every IT department.
What 150,000 agents really need in production
If Gartner is right — and the DaVita and FICO numbers suggest they're on track — every Fortune 500 enterprise needs four things in place before the scale hits:
1. Per-agent identity. Every agent needs a unique, verifiable identity tied to a human owner. Not a shared API key. Not the developer's credentials. The agent itself. When agent #47,000 does something unexpected at 3 am, the first question is "which agent, who owns it, and what was it authorized to do?" Without per-agent identity, that question has no answer.
2. Scoped credentials. An agent that summarizes emails should not have access to production databases. Permissions need to be scoped to specific tools, specific environments, and specific actions — enforced at the moment the agent acts, not at deploy time.
3. Cost attribution. Magnum Ice Cream's CIO is right to worry about cost. The solution is knowing exactly which agent, on which task, for which team, consumed which tokens. Per-agent cost attribution turns "our AI bill is too high" into "agent X on team Y is spending 40% of our Anthropic budget on low-value summarization tasks." That's actionable.
4. Complete audit trails. Every input, every tool call, every LLM interaction, every decision, every output — logged with the agent's identity attached. Not sampled. Not summarized. Complete. Because agents are non-deterministic, you can't rerun them and expect the same result. The audit log is the only ground truth.
These four primitives — identity, scope, cost, audit — are what companies are independently discovering they need. The question is whether each enterprise builds them from scratch or adopts the infrastructure layer purpose-built to provide them.
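The four primitives above, shown together as an added example (not code from the article or from any product it mentions): a hypothetical in-process `ControlPlane` gate. The class, its credential format and the sample owner, team and scopes are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time
from collections import defaultdict

class ControlPlane:
    """Hypothetical gate that sits between agents and the tools they call."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # signing key held only by the control plane
        self.registry = {}                   # agent_id -> owner, team, scopes
        self.spend = defaultdict(int)        # (team, agent_id) -> tokens consumed
        self.audit = []                      # in-memory log, one entry per decision

    def _tag(self, agent_id):
        return hmac.new(self._key, agent_id.encode(), hashlib.sha256).hexdigest()

    def register(self, owner, team, scopes):
        """Issue a per-agent identity bound to a human owner (no shared keys)."""
        agent_id = "agent-" + secrets.token_hex(4)
        self.registry[agent_id] = {"owner": owner, "team": team, "scopes": set(scopes)}
        return agent_id + "." + self._tag(agent_id)

    def _identify(self, credential):
        agent_id, _, tag = credential.partition(".")
        ok = hmac.compare_digest(tag.encode(), self._tag(agent_id).encode())
        return agent_id if ok and agent_id in self.registry else None

    def call(self, credential, tool, env, action, tokens=0):
        """Check scope at the moment the agent acts; log allow and deny alike."""
        agent_id = self._identify(credential)
        entry = self.registry.get(agent_id, {})
        allowed = (tool, env, action) in entry.get("scopes", ())
        if allowed:
            self.spend[(entry["team"], agent_id)] += tokens  # cost attribution
        self.audit.append({"ts": time.time(), "agent": agent_id,
                           "owner": entry.get("owner"), "tool": tool, "env": env,
                           "action": action, "allowed": allowed,
                           "tokens": tokens if allowed else 0})
        return allowed

def demo():
    cp = ControlPlane()
    # Constructed sample: an email-summarizing agent scoped to reading mail only.
    cred = cp.register("alice@example.com", "support", [("mail", "prod", "read")])
    results = [cp.call(cred, "mail", "prod", "read", tokens=1200),
               cp.call(cred, "postgres", "prod", "query", tokens=300),     # out of scope
               cp.call("agent-deadbeef.forged", "mail", "prod", "read")]   # unknown identity
    return cp, results
```
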
The specter of "Shadow AI"
The WSJ article mentions that DaVita doesn't allow "consumer-grade" AI tools into its corporate environment. That's a governance decision — and a good one. But it only addresses the agents you can see.
The deeper risk is shadow AI: agents created by employees using personal accounts, running on laptops, accessing company data through APIs that IT never approved. When an employee can spin up a Claude agent in two minutes and connect it to Salesforce, the agent exists whether IT knows about it or not.
The 10,000 agents DaVita knows about are the agents DaVita can govern. The dangerous ones are the agents nobody counted.
A control plane solves shadow AI by making the governed path easier than the ungoverned path. When creating an agent through the control plane takes the same two minutes — but comes with identity, credentials, logging, and cost tracking built in — the incentive to go around IT disappears entirely.
So, what happens now...
The WSJ article captures a moment. Gartner projects the scale. The gap between the two is the next 18 months of enterprise AI infrastructure.
Three things will determine which companies navigate this well:
- Speed of governance adoption. The 13% with adequate governance today will compound their advantage. The 87% without it will hit the same wall DaVita and FICO already hit — just with 10x more agents.
- Build vs. buy. Every enterprise currently building internal agent governance platforms will face the Kubernetes decision: keep building internally, or adopt the purpose-built infrastructure layer. The longer you build internally, the more expensive the migration.
- Agent-native vs. bolted-on. Governance bolted onto agents after deployment is monitoring — it tells you what happened. Governance built into the infrastructure layer is enforcement — it controls what can happen. The distinction matters when you have 150,000 agents.
The companies in this article are the canaries in the coal mine. They're causing a governance cave-in with hundreds or thousands of agents. The problem is the same at 150,000.
It's just more expensive to fix.
Need to get your agent governance under control? Learn more at guild.ai.
FAQ
Four operational primitives: per-agent identity tied to a human owner, credentials scoped to specific tools and environments, per-agent cost attribution with budget enforcement, and complete audit trails of every action. Governance must be enforced at runtime — at the moment the agent acts — not bolted on after deployment. Gartner reports that only 13% of organizations currently have adequate AI agent governance.
AI agent sprawl is the uncontrolled proliferation of AI agents across an organization, often created by employees without IT oversight. Prevention doesn't mean limiting agent creation — it means providing infrastructure that makes governed agent creation as easy as ungoverned creation. A control plane gives every agent an identity, scoped access, and an audit trail automatically, removing the incentive for shadow AI.
The primary challenges are: lack of visibility into how many agents exist and what they're doing, inability to attribute costs to specific agents or teams, no centralized governance or policy enforcement, and no audit trail for incident reconstruction. Gartner projects Fortune 500 enterprises will run 150,000+ agents within two years — a 10,000x increase from today — making these challenges existential rather than operational.
A control plane provides the infrastructure layer that sits between agents and the systems they access. It enforces identity (every agent is registered and owned), scope (every credential is limited to specific tools and environments), cost (every token is attributed to a specific agent and team), and audit (every action is logged). This makes agent creation scalable without creating governance gaps — the same pattern that made container orchestration scalable through Kubernetes.