Agregátor RSS

The trend shows no sign of slowing. McKinsey’s latest The State of AI report suggests that 88% of organizations now use AI in at least one business function. As adoption expands, so too will experimentation and tool creation — much of it occurring outside traditional IT processes and often beyond formal oversight.

For IT leaders, the implications are significant. They are no longer managing a closed, centrally controlled environment, but one where technology can emerge anywhere, spread rapidly, and influence core business processes in ways that are difficult to predict or contain.

“Shadow usage is dramatically outpacing production,” said Chris Drumgoole, president of global infrastructure services at IT service provider DXC Technology. In many organizations, unofficial AI usage already exceeds sanctioned deployments by several multiples. Worse, he said, IT teams often have very little visibility into where and how these tools are being used.

From rollout to invisible adoption

What’s happening inside enterprises doesn’t resemble a coordinated rollout. It looks more like a distributed shift in how work gets done.

Employees are experimenting with AI assistants and no-code tools, building apps and automating workflows — often independently and without IT’s knowledge. In many cases, these efforts start as small productivity experiments but quickly evolve into shared tools that influence team-level or even business-critical processes.

In earlier waves of technology adoption, that activity was constrained by budget and formal approval processes. Those constraints have largely disappeared, replaced by tools that are easy to access, inexpensive, and often already familiar from personal use.

“The world used to have a finite number of software products you could buy,” said Jonathan Tushman, CTO and chief AI officer at Hi Marley, an AI platform for the insurance sector. “Now we have access to an infinite amount of software.”

Instead of selecting tools from a catalog, employees can now create what they need on demand. Andrea Malagodi, CTO at Sonar, which makes software to boost developers’ code quality and security, sees this across business functions. A finance employee experimenting with generative AI can assemble a working internal application in days — something that once required a development team, formal requirements, and months of work.

“The challenge isn’t that this is entirely new,” he said. “It’s that it’s happening much, much faster.”

Why AI sprawl is harder to contain

Speed alone does not explain the scale of the problem. What makes AI sprawl different is how it manifests — and how it enters the organization.

In the SaaS era, applications were still tied to vendors, contracts, and systems of record. AI, by contrast, appears in fragments: scripts, agents, workflows, and embedded features that may not be visible as standalone systems.

Alla Valente, principal analyst at Forrester Research, sees AI sprawl emerging from multiple directions. Some of it is driven by formal initiatives, but a growing share comes from unsanctioned employee usage or as new features added to existing software and services.

Many vendors are adding AI capabilities to products companies already use, often without those features being fully tracked or categorized. In some cases, these capabilities are enabled by default or introduced through routine updates, making them easy to miss.

“AI is entering organizations as embedded features of existing software as much as through structured procurement of AI tools,” Valente said.

That creates a fundamental inventory problem. Even when applications are known, the AI functionality within them may not be vetted, documented, or understood. And beyond enterprise systems, employees are also using free or low-cost tools that never go through procurement processes. As a result, organizations may be using AI in far more places than they realize.

Organizations are trying to regain visibility using indirect signals such as expense reports, network traffic, and employee surveys, but those methods only capture part of the picture.

“I’ve yet to see any organization take a serious look at how AI is being used internally and not be surprised,” DXC’s Drumgoole said.

Employees are not necessarily trying to bypass IT, but they are often reluctant to disclose their use of AI tools if they believe access might be restricted or taken away.

“They’re afraid they’re going to get shut down,” he said.

Risk is scaling faster than governance

As Valente notes, the pace of AI innovation is outstripping governance. Risks are evolving faster than policies and controls, leaving organizations to manage them in real time rather than through established frameworks.

One of the most immediate concerns is data exposure. Employees experimenting with AI tools may upload sensitive information including financial data, engineering designs, or customer records without fully understanding how that data is handled or where it might end up.

“A financial analyst trying to do the right thing might upload non-public information into a model,” Drumgoole said. “Now it’s out there.”

There is also growing concern about AI-generated outputs. These systems often produce responses that sound authoritative but are incorrect (colloquially known as “hallucinations”), increasing the risk that flawed information enters business decisions or operational workflows.

Cost is another factor. As AI usage spreads organically across teams, expenses can escalate quickly, often in ways that are difficult to track or attribute to specific business value.

Malagodi from Sonar points to a different issue that often surfaces later: ownership. When employees create tools independently, it is not always clear who is responsible for maintaining them, validating outputs, or answering for failures. Over time, these tools can become embedded in workflows, even as their creators move on.

“If an auditor asks why a number is what it is, and the answer is ‘because someone built a tool,’ that’s a problem,” he said.

The IT balancing act

The challenge is not just managing risk, but balancing it against the need for innovation.

Traditional governance models rely on review and approval before deployment. That approach breaks down when tools are created and adopted faster than those processes can operate.

By the time IT becomes aware of a tool, it may already be in use — and shutting it down can have unintended consequences, including disrupting productivity or pushing usage further underground.

“The organizations that are managing risk really well, from a traditional standpoint, may actually be the ones losing,” Drumgoole said. “That’s because they’re not getting the innovation.”

Rather than trying to prevent AI usage, many organizations are shifting toward defining how it can occur safely, accepting that some level of experimentation is both inevitable and necessary.

“Instead of saying no, you have to show up as the Department of Yes,” Drumgoole said.

As organizations begin to understand the scope of the problem, attention is shifting from diagnosis to action.

5 ways to bring AI sprawl under control

While no organization has fully solved AI sprawl, patterns are emerging in how forward-thinking companies are responding. Those responses point to five practical steps CIOs can take now.

1. Build real visibility, not just inventories.

Traditional inventories are no longer enough. AI is being used through personal accounts, embedded in third-party tools, and created internally in ways that rarely appear in standard systems.

As Valente notes, much of the challenge stems from not knowing where AI is operating — particularly when it enters through third-party applications or is used outside formal procurement processes.

Leading organizations are starting to combine telemetry, identity systems, and usage data to build a more dynamic view of AI activity. Some are introducing internal registries to track applications, agents, and workflows as they emerge.

2. Replace control with enforceable guardrails.

Blocking AI usage outright is impractical. Instead, organizations are defining clear rules around data use, model access, and acceptable use cases, and enforcing those rules through technical controls.

“It’s a lot of rudimentary stuff,” Drumgoole said, pointing to basic but critical measures such as restricting access to sensitive data and setting clear usage boundaries.

The shift, he added, is toward enabling safe use rather than trying to prevent it altogether.

3. Formalize what works.

Employees can now build useful tools in days. Turning those into enterprise assets requires structured intake processes that evaluate what has been created and determine what should be scaled.

As Malagodi emphasized, organizations need a way to take employee-built tools and bring them into a managed environment, with defined ownership, auditability, and governance. Without that step, useful innovations risk becoming unmanaged liabilities.

4. Build infrastructure for continuous creation.

AI sprawl reflects a deeper shift: software is no longer built only by IT.

Organizations need to provide internal platforms, hosting environments, and standardized patterns that allow employees to build safely within the enterprise. Tushman at Hi Marley points to the need for new infrastructure layers — including internal registries, hosting environments, and AI operations capabilities — to support this model.

5. Extend governance to vendors and third parties.

A growing share of AI is not built internally at all; it is introduced through vendors, partners, and existing software providers.

Valente warns that many organizations are already using AI through third parties without realizing it, because those capabilities are embedded in tools they already trust. “You are likely not classifying them as AI vendors,” she said, even as those tools process enterprise data.

Leading organizations are responding by tightening vendor oversight: adding AI-specific questions to RFPs, updating contracts to address data use and model behavior, and aligning third-party expectations with internal AI policies.

AI sprawl is no longer a future risk. It is already part of the enterprise — and increasingly, part of how work gets done. The challenge for CIOs is not to stop it, but to shape it, building enough structure to manage risk without slowing the innovation that makes it valuable in the first place.

Related reading:

• Gartner sees untamed growth in agentic AI
• New agentic AI tools bring new threat: agent sprawl
• Taming agent sprawl: 3 pillars of AI orchestration

Supply chain attackers are not only trying to slip malicious code into trusted software. They are trying to steal the access that makes trusted software possible. Recently, three separate campaigns hit npm, PyPI, and Docker Hub in a 48-hour window, and all three targeted secrets from developer environments and CI/CD pipelines, including API keys, cloud credentials, SSH keys, and tokens. This is

Supply chain attackers are not only trying to slip malicious code into trusted software. They are trying to steal the access that makes trusted software possible. Recently, three separate campaigns hit npm, PyPI, and Docker Hub in a 48-hour window, and all three targeted secrets from developer environments and CI/CD pipelines, including API keys, cloud credentials, SSH keys, and tokens. This is [email protected]

Microsoft has finally brought back the resizable taskbar and Start menu to Windows 11 in the latest preview version rolling out to Insiders in the Experimental channel. [...]

Na GitHubu byl publikován reprodukovatelný návod, jak rozchodit Adobe Lightroom CC na Linuxu a Wine. Návod byl vytvořený pomocí AI Claude Code.

Ivanti, Fortinet, n8n, SAP, and VMware have released security fixes for various vulnerabilities that could be exploited by bad actors to bypass authentication and execute arbitrary code. Topping the list is a critical flaw impacting Ivanti Xtraction (CVE-2026-8043, CVSS score: 9.6) that could be exploited to achieve information disclosure or client-side attacks. "External control of a file name

Ivanti, Fortinet, n8n, SAP, and VMware have released security fixes for various vulnerabilities that could be exploited by bad actors to bypass authentication and execute arbitrary code. Topping the list is a critical flaw impacting Ivanti Xtraction (CVE-2026-8043, CVSS score: 9.6) that could be exploited to achieve information disclosure or client-side attacks. "External control of a file name Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

Britain's F-35 fighter fleet is set to carry US-made glide bombs as an interim measure until delayed F-35 software updates from Lockheed Martin add support for the SPEAR 3 mini-cruise missile intended for the aircraft. The news comes in an official response from the Ministry of Defence (MoD) to Parliament's Public Accounts Committee (PAC), which published a scathing report last year on the MoD's management of the F-35 program. That report noted that the stealth fighter force lacks essential capabilities, one of which is a stand-off weapon to attack ground targets from a safe distance. The SPEAR missile is intended to fulfil this requirement, but although it is ready and passed test firings in 2024, the F-35 is not currently able to operate it. This capability should have been delivered by now through the Block 4 software update from F-35 prime contractor Lockheed Martin, but this has met with a series of delays. It is now expected in 2031, five years behind schedule. One of the PAC's recommendations was that the MoD should set out in the Defence Investment Plan (DIP) how it will ensure a stand-off capability until SPEAR 3 is fully integrated onto the aircraft. Permanent Secretary at the MoD Jeremy Pocklington wrote back in a letter that approval has been given to proceed with a Foreign Military Sales (FMS) procurement of the precision-guided munition, Small Diameter Bomb (SDB II). "This acquisition will provide the F-35 with an interim stand-off capability until the introduction of SPEAR 3 into service," he stated. SDB II, designated GBU-53/B StormBreaker in US service, is a roughly 200-pound (93 kg) bomb with fold-out wings to allow it to glide to a target up to 69 miles (111 km) away. It has a tri-mode seeker in the nose that lets it use radar, infrared, or laser tracking to home in. Other criticisms leveled at the MoD were that it lacked suitably qualified engineers, and the department's pattern of delaying purchases to meet annual budget targets, which the PAC claimed has the effect of inflating total program costs while reducing operational capacity. Pocklington conceded that not enough spares were available to support the F-35 squadrons aboard aircraft carrier HMS Prince of Wales during the eight-month Operation Highmast deployment last year. "The surge to 24 F-35B aircraft during Operation HIGHMAST exceeded the Afloat Spares Pack capacity of 12. This was mitigated by supplementing with the Deployable Spares Pack [designed for land-based deployments] and taking additional spares from the RAF Marham Base Spares Pack," he wrote. "The Lightning Force is collaborating closely with the Royal Navy to optimise joint scheduling between home and embarked operations, given the current limitation of two front-line squadrons. The Department also plans to double the capacity of the Afloat Spares Pack and procure an additional Deployable Spares Pack for land operations, subject to the DIP." In response, PAC chair Sir Geoffrey Clifton-Brown MP commented on the "entirely unacceptable incompetence that flies in the face of any kind of sensible planning from the Ministry of Defence." "At the heart of any military planning is sound logistics. The UK sent an aircraft carrier with 24 F-35 fighter jets on it to the Middle East – with not enough spare parts to support them." "In an increasingly dangerous world, our military and the country need more than this half-baked approach from the MoD. Our brave fighting men and women, before being sent into potential harm's way, must have absolute certainty that they are well-supported in their equipment, with clear and reliable supply lines," he added. Pocklington's letter also said a short-term reduction in the availability of F-35 aircraft was likely due to the MoD stepping up corrosion awareness and prevention practices. While corrosion can be an issue for all aircraft, this is especially true for those operated from carriers, and it can also impact the F-35's radar-defeating stealth capabilities. The PAC report had noted that the MoD is behind in delivering a UK Aircraft Signature Assessment Facility, needed to check that the F-35's stealth technology is still doing its job and has not been compromised. On the lack of qualified engineers, Pocklington claimed that steps were being taken to address this by increasing available posts to 168. "The RAF has plans in place to fill its remaining engineering posts by 2032. This date is driven by the amount of time (up to three years) it takes to make engineers fully competent on an aircraft type," he said, adding that "the number of personnel recruited into the Engineering Profession, who are now in the training system, has already increased." However, the government's Defence Investment Plan (DIP) was due in autumn 2025, but there is currently no official publication date for it, despite the fact that many key projects are in limbo until it is delivered. ®

Už jste určitě viděli webový emulátor Windows XP, ale co takhle zcela jiný software, který se pouze jako tento operační systém tváří? Vývojářka Sami Smith navrhla zvláštní čtečku Wikipedie, která se ovládá jako tento 25 let starý systém. Na úvod vidíte plochu, nabídku Start, několik složek a ...

Pokud by někdo potřeboval Wayland kompozitor uvnitř počítačové hry Minecraft, aby mohl zobrazovat okna desktopových aplikací přímo v herním prostředí, může sáhnout po Waylandcraftu. Ukázka na YouTube.

Mozilla has warned Britain not to turn VPNs into collateral damage in the government's increasingly desperate hunt for ways to stop kids dodging Online Safety Act age checks. In a submission to the Department for Science, Innovation and Technology's "Growing up in the online world" consultation, Mozilla argued that VPNs are "essential privacy and security tools" used by millions of ordinary people, from those securing public Wi-Fi and remote work traffic to journalists, activists, and other vulnerable users. "VPNs serve as critical privacy and security tools for users across all ages," said Svea Windwehr, policy manager at Mozilla. "By hiding users' IP addresses, VPNs help protect users' location, reduce tracking and avoid IP-based profiling." Windwehr added that people rely on VPNs for everything from connecting remotely to school or work networks to avoiding censorship and "simply protecting their privacy and security online." The filing lands in the middle of an increasingly strange UK debate where privacy tools are being recast as a threat to online safety enforcement. VPN usage in the UK surged almost immediately after Online Safety Act age checks started rolling out last year, as users scrambled to avoid handing sensitive identity data to adult websites and platforms demanding facial scans or ID verification. Child safety advocates and officials then turned their attention to VPNs themselves, with the Children's Commissioner for England even suggesting the government should explore ways to stop children from using them altogether. Mozilla's response argues the government is chasing the wrong target. The company pointed to research from Internet Matters suggesting that relatively few children use VPNs in the first place, and that only a small minority use them specifically to bypass age restrictions. Mozilla instead argued that most successful workarounds involve fake birth dates, borrowed accounts, weak age assurance systems, or laughably fragile facial estimation tools that children have reportedly fooled with drawn-on facial hair. Mozilla also pointed out a central problem with age-gating VPNs: users would first need to hand over personal information before accessing software intended to reduce tracking and data collection. Britain is not the only country suddenly developing strong opinions about VPNs. Denmark recently floated anti-piracy legislation broad enough to trigger fears that VPN usage itself could become legally risky, before ministers hurriedly insisted nobody was trying to ban VPNs. Across Europe, VPNs are being treated less like routine security software and more like an obstacle to enforcement as users turn to them to bypass restrictions. Unfortunately for regulators, the technology industry appears to be moving in the opposite direction. Mozilla has already been testing built-in VPN functionality directly inside Firefox, joining a wider browser trend toward integrating privacy features that previously required separate software. Blocking standalone VPN apps is one thing, but trying to untangle VPN functionality from modern browsers is a much bigger problem. Mozilla's submission repeatedly argues Britain is drifting toward "safety through surveillance" instead of addressing the recommendation systems, engagement algorithms, and platform incentives that actually drive online harms. ®

Chytré kamery nepřetržitě sledují okolí kolejí a detekují divokou zvěř • Při rozpoznání zvířete umělá inteligence aktivuje speciální odstrašující zvuky • Toto řešení aktivně snižuje riziko srážek a zlepšuje plynulost dopravy

Chaotic Eclipse, the security researcher behind the recently disclosed Windows flaws, YellowKey and GreenPlasma, has released a proof-of-concept (PoC) for a Windows privilege escalation zero-day flaw that grants attackers SYSTEM privileges on fully patched Windows systems. Codenamed MiniPlasma, the vulnerability impacts "cldflt.sys," which refers to the Windows Cloud Files Mini Filter Driver,

Chaotic Eclipse, the security researcher behind the recently disclosed Windows flaws, YellowKey and GreenPlasma, has released a proof-of-concept (PoC) for a Windows privilege escalation zero-day flaw that grants attackers SYSTEM privileges on fully patched Windows systems. Codenamed MiniPlasma, the vulnerability impacts "cldflt.sys," which refers to the Windows Cloud Files Mini Filter Driver, Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

Cybersecurity researchers have discovered four new npm packages containing information-stealing malware, one of which is a clone of the Shai-Hulud worm open-sourced by TeamPCP. The list of identified packages is below - chalk-tempalte (825 Downloads) @deadcode09284814/axios-util (284 Downloads) axois-utils (963 Downloads) color-style-utils (934 Downloads) "One of the packages (chalk-tempalte)

Cybersecurity researchers have discovered four new npm packages containing information-stealing malware, one of which is a clone of the Shai-Hulud worm open-sourced by TeamPCP. The list of identified packages is below - chalk-tempalte (825 Downloads) @deadcode09284814/axios-util (284 Downloads) axois-utils (963 Downloads) color-style-utils (934 Downloads) "One of the packages (chalk-tempalte) Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

Skotský Fyne Audio dosud stavěl hlavně na klasických pasivních reprosoustavách pro tradiční Hi-Fi. Teď ale firma poprvé výrazněji vstupuje do stále populárnější kategorie aktivních „all-in-one“ reproduktorů. Novinka Cubitt 5 kombinuje zesilovač, DAC, Bluetooth i HDMI ARC v kompaktních regálových ...

Microsoft has confirmed that the May 2026 Windows 11 security update (KB5089549) fails to install on some systems and triggers 0x800f0922 errors. [...]

Ač se může zdát, že osobní počítače se sotva dopatlaly k rozumnému rozšíření PCIe 5.0, na papíře již existuje PCIe 6.0, PCIe 7.0 a připravuje se i PCIe 8.0. To má být hotové již za dva roky…

Alzácká klávesnice Rapture Kilo V2 HE zlevnila na 800 Kč, loni stála třikrát tolik. • Ani v Číně nekoupíte levněji model s magnetickými spínači. • Rapture láká na tichý chod, rychlé reakce a české/slovenské popisky.