At RSAC 2026, a security vendor mentioned that a Fortune 500 client had discovered more than 600 AI agents running inside its environment that nobody in the organization knew existed. The audience didn't gasp. Nobody asked follow-up questions. The non-reaction is the story.

The agents drawing attention right now are the visible ones: chat interfaces, coding copilots, things with names and product pages and demo videos. The actual deployment trajectory, though, points somewhere much quieter. Stellantis uses AI to schedule and load 85% of its European vehicle logistics. When the system detected a 25% spike in battery costs, it autonomously recommended alternate suppliers, preventing significant budget impact. No human prompted the recommendation. The system detected the cost spike, evaluated alternatives, and surfaced a supplier switch on its own, a procurement recommendation with real budget consequences, generated entirely without human involvement. AstraZeneca runs lab agents that monitor equipment and place supply orders without researcher involvement. Lloyd's Bank deflects up to 90% of HR cases through agents that handle routine inquiries while humans take the complex ones. None of these wait for prompts. They're background processes running on event triggers, operating continuously across supply chains, compliance pipelines, financial monitoring.

One major enterprise platform has formalized this as a product category it calls the Autonomous Workforce, beginning with fully autonomous IT service desk agents. The framing from its product leadership is blunt: move from task-level AI to autonomous, end-to-end work.

Now look at the governance data. Fewer than a quarter of organizations have visibility into what their agents communicate to each other. Fewer than 15% send agents to production with full security approval. Deployment intent, meanwhile, is near-universal. The distance between those numbers is where things get uncomfortable.

The vendor response has been predictable: centralized monitoring dashboards, control towers, agent registries. These are reasonable product answers to an unreasonable structural problem. Governance, as we've practiced it for decades, assumes a human somewhere in the loop whose actions can be audited and whose decisions leave a trail. Background agents remove the human from the loop, and often the loop itself. A compliance monitoring agent scanning transaction patterns for regulatory deviations doesn't wait for someone to ask it a question. It runs. Continuously. The value is precisely that nobody has to think about it.

Oversight for a system whose entire purpose is to not require attention remains, at this point, genuinely undefined. The control tower products are placeholders. They make invisible agents legible to a dashboard. But a dashboard is still a thing someone has to look at, and the organizational habit of looking at dashboards degrades in direct proportion to how well the underlying systems work. The better the agents perform, the less reason anyone has to check. Governance for visible software could rely on friction, on the natural interruptions that forced human review. Invisible software has to generate its own friction, its own reasons to look, inside an environment optimized to eliminate reasons to look.

Those 600 undiscovered agents were a deployment success. Someone built them, they worked, and they kept working so well that nobody had reason to notice. The governance gap widens because the value of background agents and the difficulty of overseeing them grow from the same root. And right now, value is growing faster.