Shadow Agents Are Spreading Through Your Org Faster Than IT Can Inventory Them, Three Layers the Discovery Audit Has to Cover

Open-source agent platforms are spreading through mid-market orgs faster than the inventory artifact catches them. The Securem read on the three-layer discovery audit, data layer, process layer, org structure layer, that surfaces the spread before the workflow becomes load-bearing on an unaudited middleware surface.

Why the network inventory misses the actual exposure The shadow AI briefing covered the network-exposure inventory artifact, the Censys-style count of agent instances reachable from the open internet, the Snyk credential-leakage rate in the skill marketplace, the four-column inventory the audit will ask for. The network-side discovery is necessary; it is not, by itself, what produces the operational exposure the buyer has to manage. The network inventory captures the agents IT can find. It does not capture what the agent has built up inside the buyer's org. An open-source agent platform installed by a user in a department, used daily for two weeks, will by the end of those two weeks have accumulated three layers of operational artifacts that the network inventory is structurally blind to. The first layer is data: the agent has assembled a working context of the user's documents, calendar, email threads, customer records, and clinical notes, frequently de-identified imperfectly or not at all, in the agent's persistent memory. The second layer is process: the agent has encoded, in its context and its skill chain, the decision sequence the user follows to do the work, which records to pull, in what order, with what filters, against what reference data, with what escalation pathway. The third layer is organizational structure: the user's daily work has restructured around what the agent does. The handoffs the user used to make to colleagues are now agent calls; the documentation the user used to produce for downstream functions is now in the agent's output format; the implicit knowledge the user used to apply is now in the agent's prompt context. Each of the three layers is exposure the network inventory does not capture. Each becomes load-bearing on the agent's continued operation. And when IT discovers the shadow agent and removes it, without an explicit migration plan that captures what the agent had become, the buyer's exposure is not just the data the agent had access to. It is the process knowledge the agent encoded and the org structure the workflow had restructured around. The remediation is harder than the discovery would suggest because the agent had become more than a tool; it had become a piece of the operating model. The twelve-day pattern We have walked through the pattern enough times across Q1 and Q2 2026 engagements to recognize it as a sequence. The sequence is consistent across engagement types, clinical, billing, customer operations, finance, and the timing is consistent enough to be a useful diagnostic. Day zero through three: an individual user in a department installs an open-source agent platform on their workstation. The install is frequently driven by a personal experiment with a public skill or template the user saw on social media or in a community forum. The install is not malicious; the user is trying to make their work faster. The agent has access to the user's email, calendar, file storage, and any messaging platforms the user authorized. Day four through seven: the user begins to encode their daily routine into the agent. They build a small set of skills, frequently from the platform's community marketplace, frequently with one or two custom modifications, that automate the parts of their workflow they handle most frequently. The agent's context window now includes records the user pulls regularly; the agent's persistent memory now includes the user's preferences, the format of the user's outputs, and references to the systems and people the user collaborates with. Day eight through twelve: the user shares the workflow with one or two colleagues in the same function. The colleagues install the platform on their own workstations. The skill set proliferates; the colleagues build their own variants. The departmental-team workflow now has a shared dependency on the agent platform that none of them have raised with IT, security, or compliance, because nothing has gone wrong, and the workflow improvement is real. Day thirteen onward: the workflow has a structural dependency on the agent platform. Removing it now would break the team's output cadence, would cost the team several days of process recovery, and would generate a difficult conversation with the team's manager about why the productivity improvement is being reversed. The longer the dependency holds, the harder the removal becomes; the team's process knowledge has been captured in the agent's prompts and skill definitions rather than in the team's documentation. By the time the security or IT function notices the platform, frequently from a network-scan finding, a credential-rotation event, or a vendor-renewal conversation that surfaces an unfamiliar tool, the team has built three weeks of operational memory inside it. The network inventory found the exposure surface. The discovery audit has to find what the team built on top of it. The three-layer discovery audit The three-layer audit is the artifact the Adopt-AI-Safely Diagnostic produces when an engagement surfaces a shadow agent platform with departmental adoption. The audit is not the removal plan; it is the diagnostic that determines whether the remediation is a cleanup or a controlled migration. Layer one, the data layer The audit's data layer establishes what the agent has had access to and what it has retained. The questions are concrete and the answers come from the agent's own logs (where they exist), the systems it called (where they have audit-log surfaces), and the operator interview. What records did the agent retrieve, and from which systems? What persistent memory does the agent maintain, and what records or summaries does it contain? Has the persistent memory been backed up, exported, or shared with any third party (for example, the agent platform's community marketplace, or a synced cloud service)? Has any record retrieved by the agent been transmitted off the buyer's trust boundary, to a hosted-API model under an inadequate BAA, to a third-party tool the agent integrated with, to a community service the operator did not flag as in-scope? The data-layer audit's output is a written content map: what data the agent saw, what it retained, where it went, and the BAA-chain status of every downstream surface. The map is the artifact the §164.408 breach assessment will use; it is also the input to the §164.404 breach notification timeline if the assessment determines a breach occurred. Layer two, the process layer The process layer establishes what the agent has encoded and what process knowledge has migrated from the team's documentation into the agent's prompts and skills. The questions are about the work itself. What workflows is the agent performing, and how are they decomposed into the agent's prompts, skills, or chain definitions? What decision logic exists in the agent's prompt context that does not exist in the team's documented procedures? What escalation logic does the agent encode? What reference data does it use, and where does that reference data come from? What outputs does it produce, and how do downstream consumers, other team members, downstream systems, customer-facing functions, depend on the format and frequency of those outputs? The process-layer audit's output is a process inventory: the workflows the team has captured in the agent that have to be re-captured somewhere defensible, in documented procedures, in a sanctioned tool, in a formally trained replacement workflow, before the agent's removal does not also remove the operational knowledge. Layer three, the org structure layer The org-structure layer establishes how the team's operating model has restructured around the agent's presence. The questions are about handoffs, dependencies, and roles. Which interactions between the team and other functions in the org now route through the agent? Which roles in the team have the agent absorbed responsibilities for? Which roles in adjacent teams have implicitly come to rely on the agent's outputs? Has the team's hiring or training plan changed in expectation of the agent's continued presence? Have any roles been eliminated or restructured because the agent's productivity improvement was projected forward? The org-structure layer's output is an organizational impact assessment: what the team's operating model assumes about the agent's continued operation, and what the assumption costs to reverse. The assessment is frequently the most consequential of the three audits because it captures the human-resources and capacity implications of the remediation that the data and process audits do not surface. What the discovery audit produces The three-layer audit's combined output is a remediation classification with three possible verdicts. Verdict one, clean removal. The data layer audit shows no exposure outside the buyer's trust boundary, the process layer audit shows the workflows are well-documented and re-captureable in sanctioned tooling, the org structure layer shows the team's operating model has not yet structurally restructured. The remediation is a clean removal with operator notification, sanctioned-tool migration, and a procedural-documentation refresh. Verdict two, controlled migration. The data layer audit shows manageable exposure (BAA-correctable downstream surfaces, no breach trigger) but the process and org structure layers show the team's operating model has captured non-trivial knowledge in the agent. The remediation is a controlled migration: a sanctioned replacement is identified, the agent's process knowledge is documented and ported, the team is trained on the replacement, and the agent is removed only after the replacement is operational. Verdict three, incident response. The data layer audit identifies a breach trigger, PHI transmitted outside the BAA chain, fiduciary records shared with a third-party surface, attorney-client material exposed to a service the privilege did not extend to. The remediation is the buyer's existing incident response posture extended to capture the agent identity and the operator identity; the §164.404 breach notification timeline runs on the standard clock; the post-incident review feeds into the buyer's broader trust-architecture posture. The verdict is the procurement-grade artifact. The same artifact also feeds the buyer's risk-register update, the next OCR or FFIEC investigation's first-question response, and the input to the buyer's policy on shadow-agent governance, which, for most regulated mid-market buyers, has not yet been written. What we recommend A regulated mid-market buyer with any indication that an open-source agent platform has been adopted in any department should run the three-layer discovery audit before the removal conversation begins. First: identify the surface. The network inventory artifact described in the shadow AI briefing is the entry point. The audit extends it to the data, process, and organizational layers. Second: run the three-layer audit. The data layer establishes exposure; the process layer establishes captured knowledge; the org structure layer establishes structural dependency. The audit is scopeable to a one-to-two-week engagement per affected department. Third: issue the remediation classification. Clean removal, controlled migration, or incident response. The classification determines the timeline and the artifacts. Fourth: update the buyer's shadow-agent governance policy. The policy names the categories of agent platforms that are sanctioned, the discovery and audit cadence, the operator-side disclosure requirements, and the remediation pathway. Most mid-market buyers do not yet have this policy as a written artifact; the discovery audit is the natural prompt to produce it. The discovery audit is the artifact that turns a shadow-agent finding from a network event into an operational one. The buyers who run it before the removal conversation are the buyers whose remediation does not also remove the operational memory the team had captured. The buyers who skip it are the buyers who learn, three weeks after the agent is gone, that the team's productivity has not recovered and the manager's question has reached the IT director's desk.