
“It’s a lot of rudimentary stuff,” Drumgoole said, pointing to basic but critical measures such as restricting access to sensitive data and setting clear usage boundaries.
The shift, he added, is toward enabling safe use rather than trying to prevent it altogether.
3. Formalize what works.
Employees can now build useful tools in days. Turning those into enterprise assets requires structured intake processes that evaluate what has been created and determine what should be scaled.
As Malagodi emphasized, organizations need a way to take employee-built tools and bring them into a managed environment, with defined ownership, auditability, and governance. Without that step, useful innovations risk becoming unmanaged liabilities.
4. Build infrastructure for continuous creation.
AI sprawl reflects a deeper shift: software is no longer built only by IT.
Organizations need to provide internal platforms, hosting environments, and standardized patterns that allow employees to build safely within the enterprise. Tushman at Hi Marley points to the need for new infrastructure layers — including internal registries, hosting environments, and AI operations capabilities — to support this model.
5. Extend governance to vendors and third parties.
A growing share of AI is not built internally at all; it is introduced through vendors, partners, and existing software providers.
Valente warns that many organizations are already using AI through third parties without realizing it, because those capabilities are embedded in tools they already trust. “You are likely not classifying them as AI vendors,” she said, even as those tools process enterprise data.
Leading organizations are responding by tightening vendor oversight: adding AI-specific questions to RFPs, updating contracts to address data use and model behavior, and aligning third-party expectations with internal AI policies.
AI sprawl is no longer a future risk. It is already part of the enterprise — and increasingly, part of how work gets done. The challenge for CIOs is not to stop it, but to shape it, building enough structure to manage risk without slowing the innovation that makes it valuable in the first place.
