Fighting Tool Sprawl: The Case for AI Tool Registries

by ai-intensify
0 comments
The case of AI tool registries - O'Reilly

As enterprise adoption of AI agents scales, the absence of centralised, organisation-level tool infrastructure is creating compounding costs. When teams optimise purely for deployment speed, organisations expose themselves to a familiar combination of risks: duplicated engineering effort, security gaps and operational opacity. A growing argument holds that the answer is a shared internal AI tool registry — a single, organisation-wide record of the tools that agents are allowed to use.

The case is specific. Each enterprise needs its own registry, reflecting its particular regulatory environment, security posture and operational conventions. This is not an argument for a public package manager such as npm, PyPI or Maven. The infrastructure in question is internal, scoped to one organisation’s teams, data, policies and domain. Extending the scope beyond a single organisation would amount to premature standardisation in a fast-moving, still-emerging field.

Why AI tool registries matter

A shared registry is framed here not as an optimisation but as basic infrastructure, in the same way identity providers became standard for managing access. As agent deployment spreads beyond isolated pilots, the lack of a registry produces fragmented Model Context Protocol configuration, hard-coded and siloed tools across teams, fragmented integration and limited organisation-wide visibility.

This fragmentation is not a sign of poor engineering. It is the predictable result of asking individual teams to solve an infrastructure problem at the application level. Tools get built ad hoc, undocumented and ungoverned, invisible to the rest of the organisation, so teams rebuild what already exists, security reviews miss tools that were never registered, and when something breaks no one has a complete picture of what is running.

The visibility problem

Independent survey data underlines the stakes. Gravitee’s State of AI Agent Security 2026 report, based on responses from more than 900 executives and technical practitioners, found that 88% of organisations reported confirmed or suspected AI-agent security incidents in the past year, while only 14.4% said all of their agents went live with full security and IT approval. The same report found that just 21.9% of organisations treat agents as independent, identity-bearing entities, and that 45.6% still rely on shared API keys for agent-to-agent authentication. With more than 80% of teams already past the planning stage, that governance gap can turn agents from productivity boosters into high-velocity liabilities capable of taking unauthorised actions or leaking sensitive data before a human can intervene.

How a registry enables governance

Permission-by-default, replicated across dozens of independent agent deployments, creates an attack surface that grows with adoption. Reversing that requires a coordination point — a shared, organisation-wide reference. The registry is not itself a governance layer, but it makes governance possible: when every tool an agent can use is registered with its owner, version and review status, the governance layer finally has something concrete to enforce. Without that shared context, every consumer team has to re-implement policy, and consistency becomes impossible.

Frameworks for AI-agent governance, such as the one published by Frontegg, describe what the policy layer looks like operationally: agent actions mapped to clear, granular guardrails that define operational boundaries for any attempted execution. Those guardrails sit outside the registry but depend on it — a guardrail that references a tool the security team has never heard of cannot be enforced.

Review and access control work the same way. Security review still happens through an organisation’s existing tooling; the registry’s contribution is making the results of that review visible at the moment a team decides whether to adopt a tool. Likewise, an access-control policy can read from the registry to determine which tools exist and who owns them, letting authorisation be applied consistently across agent identity, team, environment and action type rather than reinvented by each team.

The compounding cost of inaction

None of this is achievable when every team maintains its own separate tooling stack. Platform teams already understand why identity providers exist; the underlying logic is no different in the agent context. Left unaddressed, the costs accumulate quietly — redundant work, widening security exposure and a steadily shrinking ability to see what agents are actually doing.

Limitations and what to watch

The argument is a vendor-and-practitioner perspective rather than an independent standard, and the registry concept is still emerging; there is no settled, widely adopted specification for what an enterprise AI tool registry must contain. The survey figures come from a single 2026 study and, like any vendor-published research, reflect its sample and framing, so they are best read as directional indicators of a real governance gap rather than precise universal rates.

A registry is also necessary but not sufficient. It records what tools exist and who owns them, but it does not by itself review code, enforce policy or detect misuse — those depend on the surrounding security tooling actually being wired to it and kept current. A registry that is incomplete or stale can create false confidence. Organisations considering this approach should treat the registry as one component of a broader agent-governance programme, and weigh the maintenance burden of keeping it accurate against the coordination costs it is meant to remove.

The original analysis is published on O’Reilly Radar, and the survey data is detailed in Gravitee’s State of AI Agent Security 2026 report. The same governance-first theme runs through the related discussion in Data quality is AI strategy.

Related Articles