AI agent deployment at enterprise scale is not an engineering problem — it’s a governance problem. Lowe’s learned this firsthand as it scaled two AI tools across 250,000 employees and millions of weekly customer interactions, and the lessons from their “AI Foundry” model are directly applicable to any organization trying to deploy agents without losing control. This guide breaks down exactly how Lowe’s structured its AI program, the four-parameter governance framework they use to vet every new agent, and the step-by-step process you can follow to build a disciplined agentic AI operation inside your own organization.
What This Is
Digiday’s March 2026 report documented Lowe’s active fight against what their SVP of Data, AI and Innovation — Chandhu Nair — calls “AI sprawl”: the uncontrolled proliferation of siloed AI agents built independently across business units, each with narrow scope, inconsistent performance, and no shared governance.
Lowe’s has deployed two production AI tools at significant scale:
-
Mylow (launched March 2025): A customer-facing virtual assistant embedded in Lowe’s shopping experience. It answers homeownership questions, guides customers through product selections, and assists with project planning. The system is designed around Lowe’s “Total Home” business strategy — connecting home improvement advice to actual product inventory and availability.
-
Mylow Companion (launched May 2025): An associate-facing tool deployed to all 250,000 Lowe’s store employees. When a customer asks a flooring associate a question about HVAC installation, that associate shouldn’t have to track down a specialist. Mylow Companion surfaces trade expertise — think plumbing diagnostics, electrical wiring guidance, HVAC troubleshooting — alongside real-time inventory data, regardless of which department the associate works in.
Together, these tools handle approximately one million questions per week, making them production-grade systems at genuine enterprise scale — not pilots or proofs of concept.
The architecture behind these tools relies on what Lowe’s internally calls an “AI Foundry”: a centralized platform that abstracts protocol complexity from individual engineering teams, enforces consistent governance across all agents, and provides observability and explainability for every interaction. Alongside the AI Foundry, Lowe’s established an “AI Transformation Office” — an organizational body responsible for maintaining a central taxonomy of approved agent applications and evaluating new AI use cases against consistent criteria.
This is not a story about a single chatbot deployment. It’s a blueprint for how to organize an enterprise AI program at the point where it becomes genuinely complex — when you have multiple agents, multiple teams building them, and the organizational pressure to ship more of them constantly.
The core challenge Nair articulates: individual engineers can spin up functional AI agents in days. The problem is doing it consistently. As he put it in the Digiday interview: “The sprawl is because it’s so easy to do… You could have multiple engineers build out agents, and suddenly you would have a list of agents without a purpose and not working consistently every time.” The operational requirement isn’t an agent that works 80% of the time — it’s an agent that works 100% of the time, every time, for every associate in every store.
Why It Matters
The Lowe’s case study matters because it’s one of the first public, data-backed accounts of a Fortune 500 company moving from AI experimentation into genuine AI operations — and discovering that the hard part isn’t building agents, it’s governing them.
Most organizations currently in AI deployment are sitting at an inflection point that Lowe’s has already passed. The build-vs-buy debate has largely resolved: organizations are building on top of LLM APIs and managed infrastructure, not training models from scratch. The next inflection point is governance: once you have more than two or three agents running in production, you need a coordination layer or you will end up with exactly the sprawl Nair describes.
For enterprise IT and platform teams, this matters because agent sprawl creates real operational risk. An agent that returns inconsistent answers damages customer trust. An agent that isn’t scoped correctly can expose inventory data, pricing logic, or internal systems to prompt injection attacks — a risk Lowe’s specifically guards against with multi-layered application security. The research report on enterprise AI strategy notes that the standard for enterprise systems isn’t 80% reliability — it’s 100%.
For marketing and CX teams, the Mylow deployment demonstrates that AI can now function as a meaningful touchpoint in the customer journey. Google Cloud VP Carrie Tharp noted that consumers delay purchasing decisions when they face information overload — and that AI agents can now serve as navigational guides across a journey that involves up to 10 distinct touchpoints. Lowe’s 300-basis-point improvement in Net Promoter Score since deploying Mylow Companion — a metric that correlates directly to sales outcomes — is the kind of business result that justifies continued investment.
For technology leadership and CTOs, the architectural lesson is the importance of the AI Foundry model. Rather than letting every team build their own infrastructure, Lowe’s centralized the orchestration layer. This is consistent with the broader industry trend toward what analysts call an “AI Operating System” approach — a tool-agnostic foundation that orchestrates multiple models and frameworks, allowing the organization to swap components without re-architecting the entire stack. As documented in the enterprise AI strategy research, platforms built on this model run within an enterprise’s own Virtual Private Cloud, providing isolation while remaining model-agnostic.
The organizations that will have functional, governed multi-agent systems in 12 months are the ones that start building the governance framework now — before agent count scales past the point where retrofitting governance becomes painfully expensive.
The Data
Lowe’s AI Program: Key Metrics and Architecture
| Dimension | Detail | Source |
|---|---|---|
| Mylow launch date | March 2025 | Digiday, Mar 2026 |
| Mylow Companion launch | May 2025 | Digiday, Mar 2026 |
| Employee reach | 250,000 store associates | Digiday, Mar 2026 |
| Weekly query volume | ~1 million questions/week | Digiday, Mar 2026 |
| NPS improvement | +300 basis points | Digiday, Mar 2026 |
| Governance body | AI Transformation Office | Digiday, Mar 2026 |
| Core infrastructure | AI Foundry (internal platform) | Digiday, Mar 2026 |
| Safety controls | Human-in-the-loop + model guardrails + anti-injection | Digiday, Mar 2026 |
Enterprise AI Approach Comparison
| Approach | Control | Flexibility | Cost (Year 1) | AI Sprawl Risk | Best For |
|---|---|---|---|---|---|
| Build from scratch (DIY) | Full | Full | $1M–$2M | High (no central layer) | Orgs with deep ML talent |
| Walled garden vendor (Palantir, C3.ai) | Low | Low | Variable | Medium (centralized but rigid) | Orgs needing fast deployment |
| AI OS / Foundry model | High | High | Medium | Low (central governance layer) | Enterprise with multiple teams |
| Uncoordinated agent deployment | None | High | Low upfront | Very High | Not recommended at scale |
Build vs. Buy cost estimates and sprawl risk analysis from enterprise AI strategy research.
Step-by-Step Tutorial: Building an AI Agent Governance Framework
This tutorial walks through the process of establishing an AI agent governance program at your organization, using Lowe’s model as the reference implementation. Whether you’re managing five agents or fifty, this framework prevents sprawl before it starts.
Prerequisites
Before beginning, you need:
– At least one AI agent already in production or active development
– Executive or senior leadership sponsorship (the AI Transformation Office model requires organizational authority)
– Access to your current agent inventory (even if it’s just a spreadsheet of what’s been built)
– A designated platform or infrastructure lead who will own the AI Foundry component
Phase 1: Audit Your Current Agent Landscape
Step 1: Create a complete agent inventory.
Before you can govern agents, you need to know what exists. Survey all engineering teams, data science teams, and any business units with technical capability. For each agent, document:
- Name and description
- Business unit that owns it
- Data sources it accesses
- External APIs or models it calls
- Current uptime/reliability metrics (if tracked)
- Whether it has any security review on record
In organizations that have been building freely, this audit is often sobering. You’ll find agents that duplicate functionality, agents that access the same data through different abstractions, and agents with no documentation at all.
Step 2: Classify agents by risk tier.
Not all agents carry the same risk. An internal agent summarizing meeting notes is categorically different from an agent with write access to inventory systems or one that handles customer-facing financial queries.
Define three tiers:
– Tier 1 (Low risk): Internal, read-only, no customer data exposure
– Tier 2 (Medium risk): Customer-facing or read/write access to business systems
– Tier 3 (High risk): Financial transactions, PII handling, or brand-sensitive customer interactions
Lowe’s human-in-the-loop framework applies primarily to Tier 3 scenarios — where the research identifies tasks like invoice reconciliation or purchase orders as requiring human observation and intervention capability.
Phase 2: Establish the Four-Parameter Vetting Framework
This is the core of Lowe’s governance model, as described by Chandhu Nair in the Digiday report. Every proposed new agent must pass evaluation against four parameters before receiving development resources.
Step 3: Define your ROI threshold.
Parameter one is meaningful ROI. This doesn’t mean every agent needs a 90-day payback period, but it does mean the business case must be explicit and measurable before a single line of code is written. Document:
– What metric does this agent improve?
– How will you measure it? (Lowe’s tracks NPS, which correlates to sales)
– What’s the baseline before deployment?
– What’s the target improvement threshold?
Vague ROI (“this will help associates be more productive”) is not a passing answer. Specific ROI (“this will reduce the time an associate spends locating product inventory from 4 minutes to under 30 seconds, across 40,000 associates per day”) is a passing answer.
Step 4: Assess capital investment requirements.
Parameter two is capital planning. This includes:
– Model API costs at projected query volume
– Engineering hours to build and maintain
– Infrastructure costs (compute, storage, monitoring)
– Ongoing evaluation and fine-tuning budget
The enterprise AI research notes that DIY AI platforms can cost $1M–$2M in year one alone when infrastructure is built from scratch. The AI Foundry model reduces this by centralizing infrastructure so individual agent teams don’t each rebuild common services.
Step 5: Complete a four-part risk assessment.
Parameter three is risk — and Lowe’s breaks this into four categories:
– Brand risk: Could this agent say something that damages Lowe’s reputation?
– Privacy risk: Does it handle customer PII? If so, what are the data retention and access controls?
– Security risk: Is it exposed to prompt injection? Does it have appropriate input sanitization and output filtering?
– Sprawl risk: Does this agent duplicate an existing agent? Does it address a use case already covered in the taxonomy?
For customer-facing agents, Lowe’s implements model-level guardrails that limit responses to Lowe’s-relevant contexts. This is the technical implementation of the brand and privacy risk mitigation — the model literally cannot respond to questions outside its defined domain.
Step 6: Identify the change management leader.
Parameter four is the change leader. An AI agent without a human champion who owns driving adoption, measuring outcomes, and iterating on the system will atrophy or become unused even if it works perfectly. This person isn’t the engineer who built it — it’s the business-side leader who is accountable for the agent delivering its stated ROI.
Phase 3: Build the AI Foundry Infrastructure
Step 7: Centralize your agent orchestration layer.
The AI Foundry is the technical backbone of Lowe’s governance model. At its core, it provides:
- Observability: Every agent interaction is logged, traceable, and reviewable. You can see what prompt went in, what context was retrieved, what the model returned, and how the output was used.
- Explainability: For regulated or high-stakes decisions, the system can surface why the agent produced a given output.
- Protocol abstraction: Engineers building individual agents don’t need to implement security controls, authentication, or logging themselves — the Foundry handles it centrally.
If you’re starting from scratch, evaluate whether a managed platform or your own infrastructure makes sense. The research report describes the “AI OS” model — platforms that run within your own VPC and orchestrate over 200 best-of-breed tools — as a viable middle path between pure DIY and locked-in vendor solutions.
Step 8: Implement the coordination patterns for multi-agent environments.
When multiple agents run in parallel — especially in development environments — coordination failures cause real problems. The enterprise AI research documents six patterns that prevent these failures:
1. Spec-Driven Decomposition → Define agent scope before building
2. Git Worktree Isolation → Each agent gets its own directory
3. Role Splits → Coordinator / Specialist / Verifier architecture
4. Model Routing (BYOA) → Match model capability to task risk level
5. Quality Gates → Automated tests, not "looks right" reviews
6. Sequential Merges → One branch integrated at a time
For Tier 3 agents, human-in-the-loop controls should be implemented at the workflow level — not as an afterthought. Identify the specific decision points where human intervention can occur and build the UI and alerting to make that intervention fast and clear.
Step 9: Establish the agent taxonomy and central registry.
The AI Transformation Office maintains a living document: the taxonomy of approved agent applications. This serves two purposes: it prevents duplication (if Customer Service already has an agent for returns processing, Operations doesn’t need to build another one), and it provides a map of the agent ecosystem that leadership can use to understand the organization’s actual AI surface area.
Your central registry should include, for each approved agent:
– Canonical name and description
– Owning team and change leader
– Tier classification
– Data sources and API connections
– Approved use cases (explicit list — anything not on the list is out of scope)
– Current performance metrics vs. target
Phase 4: Monitor, Iterate, and Expand
Step 10: Track leading and lagging indicators.
Lowe’s 300-basis-point NPS improvement is a lagging indicator — it tells you the system is working but it arrives weeks or months after the interactions that drove it. Leading indicators tell you whether your agents are on track before you see the lagging results.
Leading indicators for AI agents:
– Query volume (are employees actually using it?)
– Containment rate (what percentage of queries get resolved without escalation?)
– Response latency (are users waiting too long?)
– Guardrail trigger rate (how often is the model refusing to respond?)
Lagging indicators:
– NPS or CSAT scores
– Task completion rates
– Revenue or conversion impact
– Associate productivity metrics
The research report specifically recommends tracking leading indicators to drive productivity ROI and customer loyalty as lagging outcomes.
Expected Outcomes:
After completing this framework implementation, you should have: a complete inventory of existing agents with risk classifications, a vetting process that prevents ungoverned agent proliferation, a centralized infrastructure layer providing observability and security, and a measurement system that connects agent performance to business outcomes.
Real-World Use Cases
Use Case 1: Retail Chain Associate Enablement
Scenario: A 500-location home improvement or specialty retail chain with associates who have varying expertise across product categories.
Implementation: Deploy an associate-facing agent similar to Mylow Companion, scoped to product knowledge, inventory lookup, and project guidance. Anchor the agent to a centralized AI Foundry so every location gets identical performance. Apply model-level guardrails limiting responses to in-scope product categories. Route Tier 3 queries (e.g., special orders, financing questions) to human specialists.
Expected Outcome: Associates in any department can answer customer questions outside their primary expertise. Reduced specialist escalations, higher customer satisfaction scores. The Lowe’s deployment achieved 300 basis points of NPS improvement at this scale, per the Digiday report.
Use Case 2: Enterprise IT — Multi-Team Agent Governance
Scenario: A technology organization with 15+ engineering teams each spinning up AI agents for internal tooling, customer support automation, and data analysis.
Implementation: Establish an AI Transformation Office with authority to maintain the central agent taxonomy. Require all new agent proposals to pass the four-parameter vetting framework. Implement a shared AI Foundry with centralized logging, security controls, and model routing. Use git worktree isolation and sequential merge strategies for agent development to prevent code breakage, as documented in the enterprise AI research.
Expected Outcome: Reduction in duplicated agent functionality, improved security posture (no ungoverned agents with access to production data), and a clear map of the organization’s AI surface area for leadership review.
Use Case 3: E-Commerce Customer Experience
Scenario: An online retailer experiencing high cart abandonment and customer service escalation rates due to decision fatigue during product discovery.
Implementation: Deploy a customer-facing agent similar to Mylow focused on product recommendation and purchase guidance. As Google Cloud’s Carrie Tharp noted, consumers delay decisions when they face information overload across up to 10 touchpoints — an agent that contextualizes the decision can reduce abandonment. Scope the agent strictly to product-relevant responses using model-level guardrails. Monitor containment rate and conversion rate as leading and lagging indicators respectively.
Expected Outcome: Reduced decision fatigue, higher purchase completion rate, and lower volume of human-handled customer service contacts for pre-purchase questions.
Use Case 4: Healthcare or Financial Services — High-Compliance Agent Deployment
Scenario: An organization in a regulated industry deploying AI agents where responses can have legal or financial consequences.
Implementation: Apply the full Tier 3 framework: mandatory human-in-the-loop controls at decision points, complete interaction logging with explainability, and strict model guardrails. Use the four-parameter vetting framework with heightened emphasis on privacy risk (HIPAA/FINRA compliance assessment) and brand risk. Follow the research report’s recommendation to maintain human observation capability for high-risk tasks like invoice reconciliation or case evaluation.
Expected Outcome: Compliant AI deployment with full audit trail, manageable regulatory risk, and the ability to demonstrate to regulators exactly what the agent did and why for any given interaction.
Use Case 5: Agency or Consulting Firm — Client AI Program Buildout
Scenario: A digital agency tasked with standing up an AI agent program for a mid-market client who has started building agents ad hoc.
Implementation: Lead with the audit (Phase 1) to surface the existing agent landscape before recommending new investments. Use the four-parameter framework as a client-facing tool to facilitate stakeholder alignment on ROI and risk before scoping any development work. Propose an AI Foundry architecture that fits the client’s existing cloud infrastructure. Deliver the central agent registry as a governance artifact the client owns and maintains.
Expected Outcome: A defensible AI program with clear ROI accountability, reduced technical debt, and a governance structure the client can maintain and expand without the agency’s ongoing involvement.
Common Pitfalls
1. Building Governance After the Sprawl Has Already Happened
The most expensive mistake is treating governance as something you retrofit after deployment. Once agents are running in production across multiple teams, the political cost of centralizing them under new oversight is significant. As Chandhu Nair’s quote makes clear — the sprawl happens because it’s easy to build, not because teams are reckless. Avoid this by establishing the AI Transformation Office and four-parameter framework before your third agent goes live, not after your fifteenth.
2. Treating “Works in Testing” as “Ready for Production”
Enterprise systems require 100% reliability, not 80%. An agent that performs well in controlled testing can fail at scale in ways that don’t appear until production load — especially when users probe the edges of the guardrails with unexpected query types. Implement quality gates (automated tests, not manual review) as documented in the enterprise AI research, and stage rollouts carefully with clear rollback procedures.
3. Skipping the Change Management Leader Assignment
The fourth parameter in Lowe’s vetting framework is often the one organizations skip. An agent without a business-side owner who is accountable for driving adoption and measuring ROI will atrophy. Engineers move on to the next project; without a designated change leader, no one is watching whether the agent is actually delivering its stated value or whether users have found workarounds because the agent doesn’t quite meet their needs.
4. Underestimating Prompt Injection Risk
Model-level guardrails are not the only security layer needed. Lowe’s deploys multi-layered application security specifically to prevent prompt injection attacks — where a malicious user attempts to override the agent’s instructions through crafted input. Consumer-facing agents are particularly exposed. Treat security as a mandatory layer, not an optional enhancement.
5. Using a Single Metric as the Only Success Measure
NPS is a strong lagging indicator, but it arrives too slowly to catch problems in real time. Organizations that deploy agents and only monitor customer satisfaction scores can miss systemic failures (high guardrail trigger rates, rising latency, declining containment rates) for weeks before the downstream impact shows up in satisfaction data. Build a monitoring stack that includes both leading and lagging indicators from day one.
Expert Tips
1. Anchor every agent to an existing business strategy, not to an AI initiative. Lowe’s doesn’t run an “AI strategy” — it runs a “Total Home” strategy that AI executes. When agents are positioned as technology experiments, they’re vulnerable to budget cuts. When they’re positioned as execution infrastructure for a named business strategy, they’re protected.
2. Use model routing to match compute cost to task risk. Not every query requires the highest-capability (and most expensive) model. The enterprise AI research recommends BYOA (Bring Your Own Agent) model routing: direct high-complexity, high-risk queries to reasoning-optimized models and route simple lookups to faster, cheaper models. This can reduce inference costs by 40-60% at scale without degrading user experience.
3. Build your observability stack before your first agent goes live. Retrofitting logging and traceability into a production agent is significantly harder than building it in from the start. Define your logging schema, your alert thresholds, and your review process before deployment — not after the first incident.
4. Standardize on open interoperability protocols. The research report recommends supporting Agent2Agent (A2A) and Model Context Protocol (MCP) — open standards that allow agents from different providers to communicate securely. Building on open protocols gives you the flexibility to swap underlying models or vendors without rebuilding integration layers.
5. Treat your agent taxonomy as a living document, not a one-time exercise. The taxonomy needs a quarterly review cycle. New business priorities create new use cases; old agents may become redundant as capabilities expand. The AI Transformation Office at Lowe’s maintains this as an ongoing function, not a one-time governance exercise.
FAQ
Q: How do you prevent individual engineering teams from building unauthorized agents?
The Lowe’s model addresses this through the AI Transformation Office, which maintains the canonical taxonomy of approved agent applications. Governance only works if it has organizational authority — the Transformation Office needs executive sponsorship and the ability to say no to ungoverned deployments. In practice, most teams will comply when they understand the framework exists to protect them (from sprawl, security incidents, and wasted investment) rather than to slow them down.
Q: What’s the minimum team size to justify building an AI Foundry?
If you have more than three agents in production or active development across more than one team, the coordination overhead of ungoverned deployment already justifies a Foundry. The infrastructure doesn’t need to be complex — a shared logging layer, a central secrets manager for API keys, and a common authentication pattern can serve as the foundation of a basic Foundry. Scale the infrastructure as the agent count grows.
Q: How do you handle agents from different vendors that need to communicate with each other?
This is precisely what the Agent2Agent (A2A) protocol is designed for. As documented in the enterprise AI research, Google’s A2A protocol is an open standard for communication between heterogeneous agents — agents built on different underlying models or frameworks. Complementing MCP (Model Context Protocol), A2A ensures that agents can collaborate across vendor boundaries without requiring custom integration code for every combination.
Q: When should human-in-the-loop controls be mandatory vs. optional?
Mandatory for any Tier 3 use case: financial transactions, PII handling, healthcare decisions, legal determinations, or any output that triggers a business action with material cost or regulatory exposure. Optional but recommended for Tier 2 use cases during the first 90 days of production deployment, until you have enough data to calibrate the agent’s reliability envelope. The Lowe’s implementation applies human-in-the-loop as a safety layer regardless of how well the agent performs in testing.
Q: What’s the biggest difference between a well-governed AI program and an ungoverned one, 18 months after deployment?
The research report captures this precisely: governed programs have agents that work 100% of the time, consistently, with measurable ROI and clear ownership. Ungoverned programs have a proliferation of agents that work 20–80% of the time, with overlapping scopes, no clear owner when something breaks, and no mechanism to measure whether they’re delivering business value. The 18-month gap between these outcomes is typically not visible at month three — it becomes visible when a critical agent fails in a way no one is equipped to diagnose or fix.
Bottom Line
Lowe’s AI program demonstrates that the central challenge of enterprise AI is no longer building agents — it’s governing them. The four-parameter vetting framework (ROI, capital investment, risk, and change leadership), the AI Foundry infrastructure, and the AI Transformation Office together constitute a replicable model for any organization managing more than a handful of AI agents across multiple teams. The 300-basis-point NPS improvement and one million weekly queries handled are the business results that validate the investment, but they’re only achievable because the governance structure was built to support consistent, reliable performance at scale. Organizations that treat AI governance as a late-stage concern are building toward exactly the sprawl Lowe’s has spent significant engineering and organizational capital to prevent. Start with the audit, establish the vetting framework, and build the Foundry before you need it — not after you’ve already lost control.
0 Comments