Procurement teams are deploying AI agents faster than they can track them. A category manager connects ChatGPT to a spend cube. A buyer runs supplier research through Claude. An accounts payable analyst builds a Zapier workflow that auto-approves invoices below a threshold based on GPT-generated confidence scores. Each of these decisions makes sense in isolation. Together they form a shadow agent estate — ungoverned, unauditable, and exactly the kind of liability conventional procurement controls were never designed to catch.

84%
Procurement leaders cite adoption and trust risk with AI agents
74%
Worry about incorrect or inappropriate autonomous decisions
72%
Identify data quality risk as a critical concern

The Hackett Group's 2026 research, reported via Zycus, surfaced these numbers from procurement leaders who have already begun deploying agentic AI. Amy Hillcox, Senior Research Director at Hackett, named the specific risks keeping procurement leaders awake: internal adoption and trust risk at 84%, incorrect autonomous decisions at 74%, and data quality risk at 72%. The research captures procurement at a pivot point: AI deployment has nearly doubled year-over-year, and for the first time AI-enabled technology ranks as a top-three procurement priority, according to the Hackett Group's 2026 Procurement Key Issues Study.


What a shadow agent estate looks like in practice

Shadow agents do not announce themselves. They arrive through individual productivity decisions that bypass IT governance, procurement policy, and audit controls entirely. The problem compounds because isolation is the default output of every path to agent creation unless someone explicitly fights against it, as Hackett's research notes.

Zycus documented this from inside its own organization: by early 2024, the marketing team could not produce an accurate list of every AI agent running in their name. The same dynamic is hitting procurement teams. A category manager connects an LLM to a supplier database and starts auto-generating RFPs. Nobody in IT knows the connection exists. Nobody in risk management has reviewed the prompts. Nobody in legal has seen the output. The agent is running procurement decisions with zero governance.

Shadow agent: no governance
Individual connects an LLM to spend data, writes a prompt, and starts auto-generating supplier evaluations. No audit trail. No human review. No policy guardrail.
Outcome: Incorrect supplier commitments with zero accountability
Governed agent: policy-bound
Agent is registered, scoped to a specific task, maintains an audit log, and requires human sign-off above threshold. Every decision is traceable to a named owner.
Outcome: AI accelerates work without creating audit exposure

The regulatory clock is ticking: EU AI Act classifies autonomous procurement as high-risk

Under the EU AI Act's procurement and employment classification, autonomous sourcing decisions fall into the high-risk category. This is not theoretical. The act requires human oversight, transparency, and accountability for high-risk AI systems. A shadow agent making supplier selections without documented human review creates two simultaneous liabilities: regulatory non-compliance if audited, and contractual disputes when a supplier challenges a decision made by ungoverned AI.

The Hackett 2026 study confirms that 80% of procurement executives identify AI as the most transformational trend affecting the function over the next five years. The same executives are deploying agents faster than their governance frameworks can keep up. The gap between deployment velocity and governance maturity is where shadow estates grow.


Shadow estates do not shrink as adoption expands — they compound

Over the next 12 to 18 months, Hackett predicts agentic AI in procurement will expand into sourcing, contracts, supplier onboarding, and accounts payable. Each new domain multiplies the governance surface area. Shadow estates grow not because organizations are careless but because every path to agent creation defaults to isolation. A sourcing team deploys Keelvar bots for tactical events. A contracts team connects an LLM to draft terms. An AP team builds invoice validation agents. None of these agents know the others exist.

"Shadow estates don't form because organizations are careless. They form because isolation is the default output of every path to agent creation unless someone explicitly fights against it."
— Amy Hillcox, Hackett Group

The operational risk is asymmetric. A shadow agent that incorrectly approves supplier terms is not caught by conventional procurement controls — three-way matching, budget checks, and approval workflows all assume a human made the decision. An agent's output looks identical to a human's output in the system. The difference is that when something goes wrong, there is no human to hold accountable.


What a governance framework for procurement AI agents looks like

Procurement organizations that are ahead of this problem have started building agent registries — not technology projects, but governance frameworks. The components are straightforward but must be implemented before, not after, agents are deployed.

First, agent identity precedes agent capability. Every AI agent operating in procurement must be registered with a unique identifier, a named human owner, and a defined scope of authority. Read-only agents that surface insights are lower-risk. Agents that recommend decisions require documented human review. Agents that execute decisions — approving suppliers, placing orders, committing funds — require pre-approved guardrails and a human-in-the-loop checkpoint above a defined threshold.

Second, every agent decision must leave an audit trail. This means logging the input prompt, the model response, the data sources accessed, the timestamp, and the human reviewer (if applicable). Without this, a supplier dispute or a regulatory audit has no fact base to work from.

Third, centralized orchestration eliminates shadow estates structurally. The Hackett Digital World Class research shows that organizations adopting governed agentic flows — where agents operate within a procurement orchestration layer rather than as isolated point solutions — achieve 2.6x higher ROI than peers. The governance value is even larger: governed flows are auditable. Isolated agents are not.


What this means in practice

  1. Inventory every AI agent in procurement today. Survey category managers, buyers, AP teams, and contract specialists. Ask: what tools are you using that generate, summarize, or decide? Most procurement leaders will find agents they did not know existed. Complete this within 30 days.
  2. Define three authority tiers for every agent. Read-only agents surface data (low risk). Recommend agents propose actions (medium risk — requires documented human review). Execute agents commit resources (high risk — requires pre-approved guardrails and human-in-the-loop above threshold).
  3. Build an agent registry before adding more agents. A simple table: agent ID, owner, scope, authority tier, data sources accessed, last audit date. If an agent is not in the registry, it does not operate. This is not a technology project — it is a policy project that takes two weeks to establish and pays back every quarter when audits and supplier disputes arise.
  4. Require audit logging for every agent decision above read-only. Input prompt, model output, data sources, timestamp, human reviewer. If the agent cannot produce this, it cannot operate in a procurement context.
  5. Adopt an orchestration layer that governs agent identity. Gartner's 2025 Hype Cycle positions procurement orchestration as the structural solution to agent sprawl: a single layer where every agent is registered, scoped, and audited. Start the vendor evaluation now — the governance gap widens every quarter.

What are shadow agents in procurement?

Shadow agents are AI bots that procurement teams deploy without central IT governance — individual buyers using ChatGPT for supplier research, category managers running autonomous sourcing scripts, or finance teams connecting LLMs to spend data without procurement oversight. They operate outside approved tooling and produce decisions that cannot be traced back to a human accountable owner.

What are the biggest risks of ungoverned AI agents?

Internal adoption and trust risk is the top concern, cited by 84% of procurement leaders. Incorrect or inappropriate autonomous decisions worry 74%, and data quality risk concerns 72%. The operational risk is that shadow agents make supplier commitments, pricing decisions, or compliance representations without audit trails.

How do governance frameworks address shadow agents?

A governance framework registers every AI agent, defines its scope of authority (read-only, recommend, or execute), maintains an audit log of every decision, and requires a named human owner. Agent identity precedes agent capability — you cannot govern what you cannot see.

What regulatory exposure do shadow agents create?

Under the EU AI Act's procurement classification, autonomous sourcing decisions are high-risk. Shadow agents that make supplier selections without human review create two liabilities: regulatory non-compliance if audited, and contractual disputes when suppliers challenge decisions made by ungoverned AI.

📊
Infographic Available
A visual summary of this article — key data, models, and frameworks in one view.
View Infographic →