Saved To My Saved Content

With enterprises racing to adopt generative AI capabilities, mostly through deployment of agentic solutions, CIOs must anticipate and manage the inevitable explosion of complexity. Two developments are already accelerating complexity risk as companies scale agentic: business-led agent sprawl, where value proofs and experimentation multiply into thousands of ungoverned agents; and the engineering productivity paradox, where AI-enabled software development boosts output and improves many aspects of software development and maintenance but risks piling on technical debt.

Adding to the CIO’s challenge is that agentic tools and frameworks can become outdated in less than a year. Long-term, stable platform partnerships must now sit alongside a fast-moving agentic layer where tooling, models, and frameworks evolve in months. This requires that CIOs retrofit their existing architecture and governance to create a scalable AI backbone operating on four pillars: GenAI platform services, AI graduation pathways, continuous refactoring, and IT service management (ITSM) adapted for an Agent Development Life Cycle (ADLC).

It’s urgent that CIOs tackle this project within the next six to twelve months or risk having agentic adoption outpace their company’s ability to retrofit governance and architecture. Every organization running services from companies such as AWS, Google, Microsoft, Salesforce, or ServiceNow has agent-building capabilities. The question is not whether agents will scale, but how well organizations govern those agents as they proliferate across the enterprise.

The Acceleration of Complexity

Scaling agentic adoption differs from prior technology waves in two critical ways. One is that anyone—not just software engineers—can use agentic. This is driving adoption at unprecedented speed. The other is a fundamental shift in the services created, from deterministic with clear human-machine boundaries to a more probabilistic pattern that defies traditional technology management. Combined with the ongoing convergence of digital transformation and cloud-native architectures, agentic AI complexity will soon explode at enterprise scale.

Further amplifying complexity is the emerging wave of broad-spectrum autonomous agents and orchestration platforms, from open-source frameworks like OpenClaw to enterprise offerings like Microsoft’s Copilot Cowork and Nvidia’s NemoClaw, and orchestration wrappers like Paperclip. These new agents are characterized by persistent, multilayered memory, a recursive agentic loop; broad-spectrum access to tools, systems, and skills; and behavioral drift over time—all driven by accumulated memory, evolving context, and occasional fine-tuning. This is often described as “self-improvement,” but the governance problem is more accurately framed as drift management: Agents’ behavior changes because context changes, and that drift is what must be detected and controlled.

This complexity will overwhelm the traditional Software Development Life Cycle (SDLC), which is akin to an industrial process: built once, then maintained. It cannot cope with thousands of agents emerging across the enterprise; constantly shifting codes, underlying models and capabilities; and, management of live-generated code and solutions, including self-learning systems. These factors point to a revolution, not an evolution, in software management.

Consider a 2028 scenario (see Exhibit 1). A typical enterprise has 300 to 400 core processes, resulting in up to 1,300 subprocesses. In an agentic model, each subprocess could be underpinned by five to seven agents with authority to transact into the technology estate, each consuming a wide array of technical components, including APIs, context stores, tools, and telemetry. The result: over 100,000 new technology assets. Even if only a third of processes are covered by agents—a typical midterm goal—the enterprise still faces thousands of agents spread across in-house, vendor, SaaS, and low-code platforms, with logic that shifts as models and dependencies evolve.

Agentic AI Complexity Explodes at Enterprise Scale

And the enterprise technology estate is only one frontier in this scenario. Platform ecosystems like Anthropic, OpenAI, and Google Vertex already host agents in the hundreds of thousands, alongside a fast-growing tail of personal-use agents that employees adopt outside any IT remit. These remain self-contained as long as they do not transact with the enterprise technology estate; the moment they do, every governance question above applies. This means that enterprise guardrails, including responsible AI guidelines, must be embedded at the platform layer rather than imposed after the fact.

The operational, compliance, and technical implications of this scenario are significant. Agentic workflows tie business SLAs directly to technology SLAs, surfacing every underlying tech risk of an agent autonomously executing the activity, into the business. Operationally, probabilistic workflows complicate efforts to optimize processes to certain levels of resilience and consistency (imagine pursuing Six Sigma SLAs when outputs vary on each run). Compliance and control frameworks will require far deeper observability than today. And technically, thousands of agents will drive pressure on networks, back ends, and data platforms, demanding a fundamentally different approach to capacity management, monitoring, and incident response.

But tackling these operational, compliance, and technical issues is not possible without clean, accessible, well-governed data—a precondition most enterprises have not met. Data platform maturity is the foundation the four pillars sit on. Agents reason over whatever data they can reach, and they produce confident outputs regardless of input quality. An enterprise with poor data architecture cannot succeed at agentic adoption no matter how mature its platform services or IT service management.

In other words, the challenges agentic solutions pose and the vulnerabilities they create are not just a CIO’s problem, they are C-suite-level concern. These include:

Monthly Newsletter Subscription
Tech + Us: Harness the power of technology and AI

Managing Complexity

Traditional ITSM and governance was designed for slower, more predictable environments with an emphasis on managing the estate for stability. ITSM platforms have evolved significantly over the past decade to cope with the shift from fixed, on-site physical assets to software-defined, dynamic environments in the cloud, but agent-built solutions represent another shift entirely.

With agentic deployment poised to increase at an exponential rate, net-new IT assets could quickly outnumber traditional enterprise applications (see Exhibit 2). CIOs must react quickly to manage this complexity explosion with a new IT backbone adapted for ADLC.

Traditional ITSM Will Be Overwhelmed by Agentic AI in 6-12 Months

ADLC treats the whole technology estate, not just agents, as a living product, tracked through lineage, evaluation, and cost, with guardrails-as-code enforced at machine speed. It requires a new scalable AI backbone operating on four pillars: GenAI platform services, AI graduation pathways, continuous refactoring, and ITSM adapted for ADLC (see Exhibit 3). Together, these transform the CIO’s remit from technology delivery to enterprise resilience engineering. Without this shift, organizations risk agentic deployments that result in unmaintainable systems.

A New IT Backbone to Support Agentic AI Is Built on Four Pillars

To secure funding for this transition, CIOs must bring enterprise risk management and CFOs into the journey. Instead of warning about what “might happen” (which senior leaders often find unpersuasive), CIOs should focus on business risk mitigation and value delivery. This will help reframe the discussion around shared investment in enterprise resilience, not a technology request. Today, only around 15% of companies have this enterprise backbone in place—and the gap closes more slowly than agentic adoption grows. For their part, the C-suite must empower CIOs with the resources to build the right technical foundations now or watch today’s investments harden into tomorrow’s brittle legacy.

GenAI Platform Services: Building a Federated Control Fabric. In the agentic era, enterprises no longer operate within a single controlled environment. Business users and developers deploy solutions across multiple ecosystems—internal AI backbones, vendor marketplaces, and low-/no-code orchestration tools. Each ecosystem is a walled garden with its own telemetry, data policies, and identity standards.

The GenAI platform team builds a federated control fabric across all these walled gardens over time (see Exhibit 4). Its mandate is twofold: Ensure all agentic solutions operate within the same policy guardrails regardless of origin; and develop reusable agent scaffolds and context frameworks that accelerate self-service adoption. Success is measured by the proportion of agentic solutions consuming platform services and adhering to governance.

Graduation Pathways for AI and Agentic Deployments. Users should be free to experiment and deploy agents in contained contexts. But any agentic solution that touches enterprise systems must be graduated into managed technology with a machine-readable agent identity, explicit ownership, telemetry, and linked runbooks. To this end, operational teams can use several graduation pathways to provide a continuous mechanism to enable rapid, scalable experimentation while enforcing rigorous service acceptance and ongoing technology management (see Exhibit 5).

Graduation Pathways Harden Agentic Solutions from Value Proof to Enterprise-Grade

Agentic solutions behave as service-like actors; that is, logical artefacts with short-lived running instances. They should not be treated exactly like technology assets nor like human users—they are a bit of both. A key graduation artefact is therefore a compact, machine-readable agent ID that links ownership, component inventories, data and model references, telemetry rollups, and a verified record of where each agent is running. With this, operational teams can reliably trace and manage behavior while technology teams have the traceability needed for incident response and continuous assurance.

Agentic solutions should not be treated exactly like technology assets nor like human users—they are a bit of both.

The agent ID enables the GenAI/AI services platform team to operate as an “immune system” without becoming a bottleneck to adoption. It holds funded authority to sweep the technology estate; onboard off-platform assets; detect shadow IT, cost drift, and policy breaches; and hand the relevant teams a ranked list of issues with predefined fix steps for each.

Graduation outcomes vary. Value proofs are refined into enterprise-grade solutions, agents are kept and tightened within stronger guardrails, or, most importantly, agentic logic is converted to deterministic code. Success is measured by the completeness and validation of these artefacts, and by how quickly an incident can be traced back to the specific live agent instance that caused it, not by how many agent IDs have been registered.

A federated, business-unit-led operating model scales adoption faster than a central team can. Whoever owns GenAI services centrally is already stretched across building the platform, delivering priority solutions, and enabling business teams. Making the enterprise depend on a central team turns self-service into a shared-service bottleneck—the exact pattern that breeds shadow IT and slow adoption.

Continuous Refactoring: The Enterprise’s Complexity Insurance. To scale safely, the enterprise must treat its technology, data, and agentic solutions as a living, continuously evolving product.

On the agentic side, disciplined oversight across multiple steps and interactions prevents data chaos, ensuring that agents reason over current state and transact only when conditions are met. Without this, agents acting on stale or inconsistent data will produce confident but wrong outputs at enterprise scale.

Without disciplined oversight, agents acting on stale or inconsistent data will produce confident but wrong outputs at enterprise scale.

On the data platform side, liberating data from silos and providing clean, accessible services is mandatory. Much of the complexity in agentic adoption stems not from the solutions but from poor data quality and access. This will become increasingly either a bottleneck or an enabler, as companies move from managing data flows for agent consumption to governing and securing the memory and enterprise intelligence that agents accumulate and act on (instruct transactions rather than consuming data) directly inside the technology estate.

On the technology side, the enterprise must continuously refactor the underlying app and technology infrastructure estate. Disciplined architecture, coding standards, and DevSecOps practices should be part of the ongoing assessment and verification of code, not reserved for one-off projects. Without this, and without automated assessment and verification of code quality, security, and compliance embedded into continuous integration and continuous deployment pipelines, human-based code review and testing alone will be overwhelmed.

ITSM Supports ADLC, Redefining Service Management for “Living Systems.” As agentic solutions become a larger proportion of the technology estate (and will soon outnumber traditional applications), companies must shift from SDLC, which governs discrete, deterministic releases, to ADLC, which governs living, adaptive systems that learn and change post-deployment (see Exhibit 6).

Transition of ITSM to Support Agent Delivery Life Cycle

ADLC turns ITSM from a periodic control tower into a real-time safety system. Governance must be guardrails-as-code with runtime enforcement, and agent registries must feed ITSM so assets are enrolled into continuous service acceptance. By embedding the agentic capability to monitor other agents and auto-triage, organizations can compress years of manual improvement into months (see “ITSM Priorities to Support ADLC”).

ITSM Priorities to Support an Agent Development Life Cycle
To support ADLC, IT operations must shift from a sample- and ticket-based model to one built on continuous observability. Telemetry should be streaming across the technology estate in real time, with mature AIOps handling first-line triage, correlation, and containment. Telemetry itself must move beyond logs to behavioral signals—including prompts, model signatures, embeddings, action traces, cost tags, and drift indicators—so detection, correlation, and remediation can keep pace with how agents actually fail. Probabilistic systems behave differently on every run; waiting for a ticket to fire is too late to catch drift, errors, or policy breaches. The shift is less like checking the speedometer of a passenger car and more like the live telemetry cockpit running a Formula 1 race, where every signal is streamed, every anomaly visible the moment it appears.

The work is not a broad rewrite of every IT service, but organizations do need to prioritize ITSM improvements and carefully manage where agentic behavior and business impact collide. Monitoring and event management (to ensure traceability for incident response) should get initial priority, along with asset inventory and access management, which is critical for near-real-time controlled access to tools, skills, and enterprise services. After that companies should progressively improve observability and standardized service composition as platform services such as agent registry, policy-as-code, and AIOps mature.

Moreover, ITSM should classify incidents by their source in agentic systems—including failures of the model, the data, the underlying infrastructure, or the agent’s own behavior—and have predefined response steps for each. It also needs to contain incidents automatically through mechanisms such as targeted kill switches, fallback routing to a safe-mode version, and circuit breakers that cut off failing components.

The Window to Act Is Closing

For CIOs and senior technology leaders, the challenge is not just about adopting agentic capabilities, it’s about ensuring the enterprise can scale them responsibly, efficiently, and sustainably. We believe CIOs have a six- to twelve-month window before agentic complexity outpaces their ability to manage it.

CIOs need the support of the C-suite and the resources to invest in platform-native controls and radically improved service management. Done right, agentic AI backbones unlock new business models, faster innovation, and operational resilience. Done wrong, they create a new legacy architecture that drags the entire enterprise into fragility, cost, and reputational risk. Managing agentic complexity is not a technical hygiene task; it is a core leadership responsibility shared across the C-suite.

Acknowledgements
Special thanks to BCG alumnus Sesh Iyer for his contributions to the development of this article. 

The authors would like to thank Julien Marx, David Heurtaux, Daniel Martines, Nicholas Debellofonds, Dan Sack, Djon Kleine, and Michael Grebe for their contribution.