Your AI Agent Is Building Shadow IT and Nobody Noticed
Every enterprise has a version of the same problem: the tools people are given don’t quite match the work they actually do. For decades, the gap between “what I need” and “what IT approved” has been bridged by workarounds: a spreadsheet here, an unauthorized SaaS signup there. We call this shadow IT, and most organizations have learned to manage it reasonably well.
But something structurally different is emerging. AI coding agents (Claude, Gemini, Copilot, and what’s coming next) are beginning to collapse the cost of building custom software toward zero. Today, this is mostly visible at the edges: technical power users generating scripts and prototypes, early adopters building personal dashboards. It’s easy to look at the current state and see it as niche.
It’s worth remembering that the AI tools we have right now are as bad as they’ll ever be. The interfaces are converging on a model where the user doesn’t need to think of themselves as building software at all. They just describe what they need, and the agent builds what it needs to get the job done. When that becomes seamless, people will stop adapting to their tools and start generating new ones.
The result won’t look like shadow IT. It will look like shadow development: thousands of bespoke applications and workflows emerging organically, created by people who never intended to write software and may not even realize they have. The organizations that see it coming will build for it. The rest will spend years cleaning up.
The invisible builder
Previous waves of “democratized development” (no-code platforms, end-user programming, even VBA macros) consistently landed narrower than predicted. The reason was always the same: building tools requires you to think of yourself as a builder, and most people don’t want that identity. They want to do their actual job.
The reason this wave will land differently is that it removes the identity barrier entirely. A sales rep isn’t going to open a development environment and build a client intelligence tool. But they will tell their AI assistant, “Pull together a briefing for my call with Acme tomorrow: recent interactions, open issues, and anything relevant from the news.” The agent queries the CRM, scans email threads, checks support tickets, pulls recent press coverage, and assembles a clean summary. In practice it’ll do this however it can: APIs where they exist, scraped UIs where they don’t, and copies of data wherever the agent can work with it. The rep experiences this as a smart, helpful assistant. Under the hood, the agent built a bespoke data pipeline: queries across multiple systems, custom aggregation logic, and architectural choices that nobody consciously made.
With traditional shadow IT, someone made a deliberate decision to adopt an unauthorized tool. They knew they were going off-script. With agent-built software, the user may have no idea that software was created at all. The agent decided where to store data, which systems to query, and how to transform the results. The user just asked a question. You can’t govern what people don’t know they’re creating.
AI won’t kill SaaS. But it will change its shape.
When people argue about whether AI will disrupt enterprise SaaS, they tend to focus on economics: if agents can build custom tools for free, why pay for Salesforce? That’s a real question, but it understates what’s actually changing. Building custom software is expensive, so buying one tool for everyone has always been cheaper than building ten for ten teams, even if each team only gets 70% of what they need. Agents don’t just make the initial build cheap. They make iteration ambient and continuous: the tool keeps adapting without the user thinking of it as software at all. That changes the calculus entirely.
But the economic argument misses the harder problem. Shared enterprise tools don’t just save money; they give leadership visibility into what the organization is actually doing. Salesforce doesn’t just sell workflow. It sells the reporting layer that lets a VP of Sales understand pipeline health across fifty reps. Shared tools are observation tools. They’re how organizations maintain coherence at scale.
This doesn’t mean Salesforce or Workday or ServiceNow disappear. But their role shifts. The value migrates from “the tool everyone uses” toward “the system of record and coordination layer that every tool, including agent-built ones, must respect.” The SaaS product that tries to own the entire workflow is vulnerable. The one that positions itself as the authoritative data layer and governance API has a future.
The deeper risk is to visibility. When thirty teams are getting work done through tools that nobody in IT has ever seen, leadership stops being able to see what’s actually happening. The weekly pipeline report has gaps because half the team’s actual workflow lives in bespoke tools that don’t feed back to the shared system. The instinct will be to compensate with more sync meetings, manual reporting, and aggregated decks, all of which are expensive, slow, and defeat the purpose of the productivity gains the agents provided.
What’s at stake
Having spent the past few years building internal tools at Google, I’ve seen how quickly coordination breaks down when teams optimize locally without shared constraints. AI agents accelerate this dramatically.
Consider a company like Google, where dozens of product teams share the same pool of customers. A researcher asks their agent to find recently upgraded customers for a usability study. The agent does exactly what it’s told: pulls account data, filters for upgrades, produces a clean list. What it doesn’t know is that three of those customers have already opted out of research contact. That preference lives in a shared database the agent never consulted, because it built its own list from purchase data. Now you’ve contacted people who explicitly told you not to. That’s not a data hygiene issue. It’s a trust violation with potential regulatory consequences, and neither the researcher nor the agent knew it happened.
To be clear, this mess already exists. People already copy customer data into personal spreadsheets, build one-off trackers, and maintain side channels that don’t feed back to the system of record. Agents don’t create the problem. They accelerate it and make it invisible, because the person never had to make a conscious decision to go off-script.
The same dynamic plays out in sales. When a solutions specialist’s agent builds a custom pipeline tracker, it might be optimizing outreach to the same accounts the field rep is working, without either of them knowing. The overlay team runs a targeted campaign that blindsides the account owner. Multiply that across a large sales org and you have reps walking into calls surprised by what their own company has been saying to their customer.
And the security dimension makes all of this worse: agent-built tools working with customer data mean sensitive information flowing through unreviewed code, running in environments with no audit trail, built by people who don’t even know they’ve built something. Every one of those tools is a potential data leak.
The instinct will be to lock it down: ban agent development, restrict access, route everything through IT. Some constraints are necessary. But trying to ban this outright usually just pushes it underground. The productivity gains are too large, and the people creating these tools aren’t trying to circumvent policy — they’re trying to do their jobs. When the ban fails, and it will, you’ll have the same ungoverned tools without any organizational awareness that they exist. And over a year or two, the gap between companies that learned to channel this safely and companies that tried to prevent it will compound. Thousands of small efficiencies embedded in how every team works, not a single system you can swap out.
Core and edge
This is where I keep coming back to a simple framing: distinguish core from edge, and invest accordingly.
Today, “core platform” usually refers to the shared tools everyone uses. In a world of agent-built tooling, core isn’t about the tools. It’s about the shared state and the rules around it: the handful of APIs, data boundaries, security policies, and resource limits that every tool, centrally built or agent-generated, has to respect.
This shared state isn’t one uniform layer. There’s the organizational core that nobody disputes: authentication, security, compliance, audit logging. Then there are domain-level cores (a shared customer database that tracks contact history and consent across product teams, for instance) that are invisible to most of the company but absolutely critical within their scope. The customer’s experience demands that every tool, including agent-built ones, respects these constraints.
The job of the core shifts from “provide the tool everyone uses” to “protect the shared state and expose the contracts every tool has to honor.” Build whatever interface and workflow you want. But you query customers through the API that enforces contact frequency limits, consent status, and cross-team deduplication.
The edge, meanwhile, should be liberated rather than controlled. Provide sandboxed environments, approved agent access, starter templates. The productivity gains are real, and suppressing them creates exactly the adversarial dynamic that made shadow IT so hard to manage in the first place.
This reframes the job of internal tooling teams. The goal is no longer to build the one perfect workflow that everyone adopts. It’s to protect the handful of shared truths the company depends on, and make it easy for everyone’s bespoke tools to plug back into them. The good news is that the same AI capabilities creating this challenge can help manage it: agents can be taught to discover and respect data contracts, register what they create, and flag conflicts before they cause damage.
The pattern is familiar
If you’ve worked through previous technology transitions, this dynamic is recognizable. Every time the cost of creation drops sharply, the same sequence plays out: rapid proliferation, a coordination crisis, and the eventual emergence of new standards and shared infrastructure.
Cheap websites gave us web standards. SaaS sprawl gave us SSO mandates and procurement automation. Microservice proliferation gave us platform engineering and service meshes. Each time, the winning response wasn’t to restrict creation; it was to invest in the governance and coordination layers that make unrestricted creation sustainable.
AI agents making internal tool-building effectively free is the next turn of this cycle. The mistake would be to treat it as unprecedented. The opportunity is to build the core layer before the mess arrives.
