TL;DR: Eight in 10 employees are using unapproved AI tools, while 44% of U.S. workers use AI without authorization and 45% do so without telling their manager, according to JumpCloud. The governance gap is now about visibility, policy clarity, and data-flow control, not whether employees will experiment with AI.
At a glance
What this is: A shadow AI governance analysis showing that employee AI use is spreading faster than organisational oversight and policy enforcement.
Why it matters: IAM, data security, and compliance teams now have to govern unmanaged AI use alongside NHI, autonomous, and human identity controls.
By the numbers:
- 8 out of 10 employees are using unapproved AI tools.
- 44% of U.S. workers use AI tools without authorization.
- 45% of employees have used AI on the job without informing their manager.
👉 Read JumpCloud's analysis of shadow AI governance and employee tool use
Context
Shadow AI is the use of AI tools and GenAI services without formal approval, visibility, or governance. The primary issue is not the presence of AI itself, but the fact that usage is entering the business through personal accounts, browser extensions, and informal experimentation faster than controls can keep up.
For identity and access teams, shadow AI creates a governance problem that looks familiar but behaves differently from classic shadow IT. The tool may be personal, team-level, or browser-mediated, but the real risk sits in data exposure, unmanaged access paths, and the lack of lifecycle control over who can use what, when, and for what purpose.
Key questions
Q: How should security teams govern shadow AI in the enterprise?
A: Start by discovering where AI is already being used, including personal accounts, browser extensions, and informal team adoption. Then define which data classes are prohibited, which tools are approved, and who owns exceptions. Governance only works when policy, access, and employee workflow are aligned, otherwise users route around the control and the shadow surface expands.
Q: Why does shadow AI create more risk than ordinary shadow IT?
A: Shadow AI does more than introduce an unapproved application. It can ingest prompts, reshape content, and expose confidential information in ways that traditional software does not. The governance issue is therefore data flow, output review, and identity visibility, not only application inventory or procurement control.
Q: What do organisations get wrong about AI governance?
A: Many teams assume that a policy document or approved-tool list is enough. In practice, employees adopt the quickest tool available, so governance fails when it adds friction without offering a workable alternative. The common mistake is separating policy from the actual workflow where AI use happens.
Q: Who is accountable when employees use unapproved AI tools?
A: Accountability usually sits with the organisation that owns data handling, access policy, and employee education, but operational ownership should be assigned across IAM, security, and data governance. If no team owns discovery, approval, and exception handling together, shadow AI becomes a gap with no clear control point.
Technical breakdown
How shadow AI enters the enterprise through identity gaps
Shadow AI often begins outside approved procurement and access processes. Employees can sign up with personal accounts, install browser extensions, or use lightweight AI services that never pass through security review. That means the enterprise may not own the identity, the tenancy, or the data path. Unlike traditional software, GenAI tools can ingest prompts, retain context, and generate outputs that may contain confidential material. Identity governance becomes harder because the control point is not just the application, but the account, the browser session, the data being shared, and the downstream retention model.
Practical implication: teams need visibility into where AI use starts, not just which sanctioned apps exist.
Why AI governance needs to cover data flow and not just app approval
Approving an AI application does not by itself solve governance. The key question is how sensitive data moves into the tool, how outputs are reviewed, and whether the tool is allowed to retain or learn from enterprise content. This is where policy language often fails operationally. If users do not know which data classes are prohibited, or if the approved workflow is slower than informal use, shadow adoption continues. Effective governance therefore sits at the intersection of access policy, data handling, and user behaviour.
Practical implication: define data-handling rules for AI use before you expand approvals.
What shadow AI changes in identity governance
Shadow AI expands identity governance beyond human login and basic SaaS control. It creates unmanaged instances of tool use that may never appear in the normal application inventory, which means recertification, policy enforcement, and compliance reporting can miss the actual risk surface. The problem is not just unauthorised software. It is unauthorised use of identity, data, and decision support at the point where work is happening. That makes AI governance a control-plane issue as much as an application issue.
Practical implication: inventory AI usage as an identity and data-governance problem, not just an IT discovery task.
Breaches seen in the wild
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
- DeepSeek breach — an exposed database leaked 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Shadow AI is an identity governance problem before it is a tooling problem. The article shows that employees are not waiting for formal approval to use AI, which means the enterprise is losing visibility at the point of account creation and first use. That makes the control gap operational, not theoretical. Practitioners should treat unmanaged AI use as a governance layer that sits between human identity, SaaS access, and data security.
AI use without approved identity paths creates a governance blind spot that traditional SaaS inventory will miss. Personal accounts, browser extensions, and informal experimentation do not always show up in the systems IAM teams rely on for access reviews. The result is a fractured control surface where the user, the tool, and the data path are no longer aligned. Practitioners need to assume the real footprint of AI use is larger than the sanctioned app list.
Shadow AI widens the gap between policy and behaviour because speed is now part of the access decision. Employees choose AI tools that are easiest to reach and fastest to use, which means governance that adds friction will be bypassed. This is not just user non-compliance. It is a programme design problem that must account for workflow convenience, approval latency, and the practical route by which work gets done.
AI governance must be integrated with lifecycle and data governance, not bolted onto app approval. The article’s core lesson is that a policy document is not a control. If access, data handling, exception approval, and monitoring are split across different teams, shadow AI becomes a structural condition rather than an edge case. Practitioners should align identity, data, and compliance ownership around the same AI usage surface.
Shadow AI is now a cross-domain issue that connects human behaviour, NHI-style access paths, and emerging autonomous workflows. Even when the user is human, the access pattern may resemble unmanaged machine identity because the tool acts as an opaque intermediary for sensitive data. That is why AI governance cannot stay confined to user training or app whitelisting. Practitioners should build a control model that spans discovery, data policy, and accountable ownership.
From our research:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
- For a broader control lens, NIST Cybersecurity Framework 2.0 remains the best fit for mapping governance, protection, and detection responsibilities around shadow AI.
What this signals
Shadow AI is likely to become a standing governance category, not a temporary adoption spike. With 70% of organisations granting AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey, the control problem is already wider than most approval programmes assume.
Shadow AI discovery should be treated as a normal identity programme input. Once AI use starts appearing through personal accounts and browser extensions, access reviews and policy enforcement need a discovery layer that can feed recertification, exception management, and reporting.
The named concept here is AI visibility debt: the period in which AI use grows faster than the organisation can discover, classify, and govern it. That debt widens when sanctioned tools are slower than informal ones, and it closes only when identity, data, and governance teams work from the same usage inventory.
For practitioners
- Discover unsanctioned AI usage across the estate. Inventory personal accounts, browser extensions, and department-level experimentation so AI use is visible before it becomes embedded in daily work.
- Define data classes that cannot enter AI tools. Publish explicit rules for confidential, regulated, and customer data, and make those rules readable at the point of use rather than buried in policy documents.
- Align approval workflows with how employees actually work. Reduce the gap between sanctioned and unsanctioned tools by making approved options faster to access, easier to find, and simpler to use in real workflows.
- Tie AI governance to recertification and exception review. Bring AI tool access, data handling exceptions, and departmental adoption patterns into the same review cycle so unmanaged use cannot persist outside governance.
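The discovery step above, and the "discovery layer that can feed recertification" described under What this signals, can be prototyped from logs most estates already have. The script below is an added example written for this post, not code from JumpCloud or from the article it summarises. It assumes an identity-aware proxy or CASB log in the form `timestamp user device method url`, where `user` is the account the employee authenticated to the AI service with, and `device` carries an MDM enrolment prefix; the company domain, the AI-service hostnames (reserved `.example` names, not real services), the approved-tool list, and the log lines themselves are all constructed for illustration.

```python
"""Turn constructed proxy/CASB log lines into a shadow-AI usage inventory.

Each hit against a known AI service is classified as sanctioned use or shadow
use, with reason codes that can feed an access review or exception queue.
All hostnames, domains and log lines below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumptions (not from the original article): corporate identity domain,
# the AI services we track, which of them are approved, and the device
# naming convention used for MDM-enrolled endpoints.
CORP_EMAIL_DOMAIN = "corp.example"
AI_SERVICES = {
    "chat.approved-ai.example": "ApprovedAssistant",
    "api.approved-ai.example": "ApprovedAssistant",
    "app.personal-ai.example": "PersonalAssistant",
    "ext.summarizer-ai.example": "SummarizerExtension",
}
APPROVED_TOOLS = {"ApprovedAssistant"}
MANAGED_DEVICE_PREFIX = "MDM-"

# Constructed sample log: one sanctioned session, one non-AI request,
# one personal-account login, and one browser extension on a BYOD device.
SAMPLE_LOG = """\
2025-12-01T09:00:01Z alice@corp.example MDM-LAPTOP-01 POST https://chat.approved-ai.example/v1/chat
2025-12-01T09:05:12Z alice@corp.example MDM-LAPTOP-01 GET https://intranet.corp.example/wiki
2025-12-01T09:07:40Z bob.personal@mail.example MDM-LAPTOP-07 POST https://app.personal-ai.example/chat
2025-12-01T09:09:03Z carol@corp.example BYOD-PHONE GET https://ext.summarizer-ai.example/manifest.json
2025-12-01T09:12:55Z carol@corp.example BYOD-PHONE POST https://ext.summarizer-ai.example/summarize
"""


@dataclass(frozen=True)
class Finding:
    user: str
    tool: str
    host: str
    reasons: tuple  # empty tuple means the use is sanctioned


def classify(line):
    """Return a Finding for an AI-service hit, or None for unrelated traffic."""
    _ts, user, device, method, url = line.split()
    host = urlparse(url).hostname
    tool = AI_SERVICES.get(host)
    if tool is None:
        return None  # not one of the AI services we track
    reasons = []
    if tool not in APPROVED_TOOLS:
        reasons.append("unapproved_tool")
    if not user.lower().endswith("@" + CORP_EMAIL_DOMAIN):
        reasons.append("personal_account")  # identity the enterprise does not own
    if not device.startswith(MANAGED_DEVICE_PREFIX):
        reasons.append("unmanaged_device")
    # A write to a tool over an unsanctioned path means content left the estate.
    if method.upper() in {"POST", "PUT"} and reasons:
        reasons.append("data_egress")
    return Finding(user, tool, host, tuple(reasons))


def build_inventory(lines):
    """Aggregate per (user, tool); the reason set is the union over all hits."""
    inventory = defaultdict(set)
    for line in lines:
        finding = classify(line)
        if finding is not None:
            inventory[(finding.user, finding.tool)].update(finding.reasons)
    return {key: sorted(reasons) for key, reasons in inventory.items()}


def shadow_entries(inventory):
    """Entries with at least one reason code: candidates for review or exception."""
    return {key: reasons for key, reasons in inventory.items() if reasons}


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LOG.splitlines())
    for (user, tool), reasons in inv.items():
        status = "SHADOW " + ",".join(reasons) if reasons else "sanctioned"
        print(f"{user:28} {tool:20} {status}")
```

The reason codes, not the hostname match, are what make the output usable downstream: `personal_account` and `unmanaged_device` go to IAM for identity and device enrolment, `unapproved_tool` goes to the exception owner, and `data_egress` tells data governance that confidential content may already have left. In a real deployment the service list would come from the CASB's application catalogue and the approved set from the sanctioned-tool register, so the same classifier can feed the recertification cycle every review period.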
Key takeaways
- Shadow AI is primarily a governance and visibility failure, not just an employee-behaviour issue.
- The scale is already material, with unapproved AI use showing up across employee populations and daily workflows.
- Teams need discovery, data rules, and workflow-aligned approvals if they want policy to influence actual behaviour.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) provide the governance and control references practitioners can map shadow AI onto.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (CSF 1.1: PR.AC-4), access permissions and authorizations managed and reviewed | Shadow AI use expands access beyond approved identity paths and escapes the review cycle. |
| NIST SP 800-63 | Digital identity guidelines (identity and authenticator assurance levels) | Personal accounts and unmanaged access paths weaken identity assurance for AI tool use. |
| NIST Zero Trust (SP 800-207) | Tenets of zero trust (Section 2.1): per-session access, continuous verification | AI tool use needs continuous verification rather than implicit trust. |
Apply zero-trust access checks to AI services and require explicit authorization for sensitive workflows.
Key terms
- Shadow AI: Shadow AI is the use of AI tools in an organisation without formal approval, visibility, or governance. It often starts with personal accounts, browser extensions, or team experimentation. The security issue is not only the software itself, but the unseen data flow, access path, and accountability gap it creates.
- AI Visibility Debt: AI visibility debt is the growing gap between how quickly employees adopt AI and how slowly the organisation discovers and governs that use. It builds when sanctioned tools lag behind user demand, leaving security teams with incomplete inventories, weak policy enforcement, and limited evidence for access reviews.
- Approved AI Path: An approved AI path is a sanctioned route for using AI that includes known identity, defined data handling, and accountable ownership. It gives security teams a control point for discovery, policy enforcement, and exception management instead of leaving usage to ad hoc experimentation.
- Unmanaged AI Access: Unmanaged AI access is AI use that sits outside normal approval, monitoring, or lifecycle control. It may involve a personal account, an extension, or a team-shared tool. The problem is that access exists without a reliable owner, making revocation, review, and compliance difficult.
Deepen your knowledge
Shadow AI governance and AI tool discovery are covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for unmanaged AI use, it is a practical place to start.
This post draws on content published by JumpCloud: shadow AI governance and the gap between employee adoption and organisational oversight. Read the original.
Published by the NHIMG editorial team on 2025-12-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org