By NHI Mgmt Group Editorial Team
Published 2025-07-24
Domain: Agentic AI & NHIs
Source: Pomerium

TL;DR: Shadow AI is already widespread, with 55% of employees using GenAI without approval, 67 apps per enterprise on average, and 11% of pasted content containing confidential data, creating exposure across code, customer information, and road-map material, according to Pomerium. Identity-aware, zero-trust enforcement is now the baseline for governable AI usage, not an optional control layer.


At a glance

What this is: Pomerium argues that shadow AI is already embedded in enterprise workflows and that visibility plus identity-aware policy enforcement are required to control data leakage risk.

Why it matters: IAM, PAM, and NHI teams need to treat AI usage as an access problem because unmanaged prompts, plug-ins, and internal agents can move sensitive data outside policy without any reliable review trail.

By the numbers:

👉 Read Pomerium's analysis of shadow AI governance and zero-trust controls


Context

Shadow AI is any generative AI tool, plug-in, or internal agent that employees use outside formal approval and visibility. The governance problem is not just that these tools exist, but that they can receive sensitive data without the identity, device, policy, and request-path context security teams need to evaluate access in real time.

For IAM and NHI programmes, that makes shadow AI an access governance issue rather than only a data loss issue. Once prompts, API calls, or browser interactions happen outside sanctioned control points, the organisation loses the ability to distinguish approved use from policy violation, and audit evidence becomes fragmented.


Key questions

Q: How should security teams govern shadow AI without blocking productive use?

A: They should govern shadow AI with identity-aware policy, not blanket bans. The practical goal is to distinguish approved from unapproved use by user, device, data class, and destination, then enforce decisions at the request layer. That approach preserves legitimate productivity while reducing the chance that sensitive material reaches uncontrolled models or plug-ins.

Q: Why do unsanctioned GenAI tools create an IAM problem?

A: Because access is happening outside the normal control loop. If prompts, plug-ins, and internal agents can move sensitive data without identity context, security teams lose the ability to apply least privilege, prove authorization, or review who did what. The problem is not only exfiltration, but the collapse of governable access evidence.

Q: What breaks when security teams rely on prompt filtering alone?

A: Prompt filtering breaks when the user can paste data through another route before inspection happens. Browser copy-paste, IDE extensions, API calls, and phone-tethered sessions often bypass content-only controls. That leaves organisations with partial enforcement and weak auditability, especially when the tool path is invisible to the security stack.

Q: How can organisations prove shadow AI controls are working?

A: They need evidence that every AI request is logged with identity, policy, and destination context. If you can only count blocked prompts, you do not have proof of governance. A working control plane should show approved use, denied use, and the reasons for both across users, devices, and tools.


Technical breakdown

Why prompt filters miss shadow AI activity

Prompt filtering only sees text after a user has already decided to send it. That means the control sits too late in the workflow to answer the real question: who is sending what, from which device, through which tool, and under what policy. In practice, shadow AI often appears in browser sessions, IDE plug-ins, API calls, and internal agents, each of which can bypass simple URL or regex-based monitoring. Identity-aware enforcement binds the request to the user and the context before the data leaves the environment.

Practical implication: security teams need request-level policy enforcement, not just content inspection.

Short-lived credentials reduce one exposure path but do not solve governance

Long-lived API keys embedded in scripts, agents, or plug-ins are a persistent risk because they can be reused well after the original user action. Short-lived credentials help, but they do not by themselves tell you whether the tool is sanctioned, whether the data classification is allowed, or whether the request path is trusted. The control problem is broader than token lifetime: it is about linking identity, policy, and destination so the organisation can govern AI use as an access decision, not a network event.

Practical implication: pair ephemeral credentials with policy tied to identity and data class.

Zero trust for AI workflows needs decision logs, not raw traffic logs

Zero trust in AI workflows means every outbound request is evaluated against identity, device posture, destination, and policy before it is allowed to proceed. Raw traffic logs are not enough because they record movement but not the decision rationale, which is what auditors and incident responders need. The architecture should preserve proof of who queried which tool, when, and why. Without that context, security teams can neither enforce least privilege nor show whether controls are actually working across sanctioned and unsanctioned AI usage.

Practical implication: retain enriched logs that capture user, policy decision, and request context.
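The three points above describe one control: a request-level policy decision point that binds user, device posture, destination and data class into a single allow/deny/transform decision and records why it decided that way. The Python below is an added illustration written for this post; it is not Pomerium's or NHIMG's code. The sanctioned destination, the role list, the data-class regexes and the sample request are all constructed assumptions, and the detectors are deliberately minimal stand-ins for a real classifier.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed inputs for this example (assumptions, not Pomerium's or NHIMG's configuration).
# Destinations the organisation has approved for AI requests; anything else is unsanctioned.
SANCTIONED_DESTINATIONS = {"ai-gateway.internal.example"}
# Roles permitted to send customer PII to a sanctioned destination without redaction.
PII_CLEARED_ROLES = {"support", "analyst"}

# Deliberately simple data-class detectors; a production classifier would be far broader.
DATA_CLASS_PATTERNS = {
    "secret": re.compile(r"AKIA[0-9A-Z]{16}|-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "customer_pii": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "source_code": re.compile(r"^\s*(?:def |class |import |#include )", re.MULTILINE),
}


def classify(prompt):
    """Return the set of data classes detected in the prompt text."""
    return {name for name, pattern in DATA_CLASS_PATTERNS.items() if pattern.search(prompt)}


def redact_pii(prompt):
    """Replace e-mail addresses so the request can proceed without the raw identifier."""
    return DATA_CLASS_PATTERNS["customer_pii"].sub("[REDACTED-EMAIL]", prompt)


def decide(request, now=None):
    """Evaluate one outbound AI request against identity, device posture, destination and
    data class. Returns (decision_record, prompt_to_forward); the prompt is None on deny."""
    now = now or datetime.now(timezone.utc)
    classes = classify(request["prompt"])
    destination = request["destination"]
    device = request["device"]
    device_ok = bool(device.get("managed")) and bool(device.get("compliant"))
    forward = request["prompt"]

    # Ordered checks: the first failing condition decides the outcome and names the reason.
    if not device_ok:
        outcome, reason, forward = "deny", "unmanaged_or_noncompliant_device", None
    elif destination not in SANCTIONED_DESTINATIONS:
        outcome, reason, forward = "deny", "unsanctioned_destination", None
    elif "secret" in classes:
        outcome, reason, forward = "deny", "secret_material_in_prompt", None
    elif "customer_pii" in classes and request["user"]["role"] not in PII_CLEARED_ROLES:
        outcome, reason, forward = "transform", "pii_redacted_for_role", redact_pii(forward)
    else:
        outcome, reason = "allow", "policy_match"

    # Enriched decision record: who, from what device, to where, carrying which data
    # classes, and the policy reason. This is what auditors and responders need.
    record = {
        "ts": now.isoformat(),
        "request_id": str(uuid.uuid4()),
        "user": request["user"]["id"],
        "role": request["user"]["role"],
        "device_id": device.get("id"),
        "device_managed": bool(device.get("managed")),
        "device_compliant": bool(device.get("compliant")),
        "tool": request.get("tool"),
        "destination": destination,
        "sanctioned_destination": destination in SANCTIONED_DESTINATIONS,
        "data_classes": sorted(classes),
        "outcome": outcome,
        "reason": reason,
    }
    return record, forward


def log_decision(record, sink):
    """Append the record as one JSON line; sink is any object with a write() method."""
    sink.write(json.dumps(record, sort_keys=True) + "\n")


if __name__ == "__main__":
    import sys
    sample = {  # constructed request for the demo run
        "user": {"id": "alice", "role": "engineer"},
        "device": {"id": "lap-042", "managed": True, "compliant": True},
        "tool": "browser",
        "destination": "ai-gateway.internal.example",
        "prompt": "Draft a reply to jane.doe@example.com about the outage",
    }
    rec, fwd = decide(sample)
    log_decision(rec, sys.stdout)
    print("forwarded prompt:", fwd)
```

The ordering of the checks is the design choice worth noting: device posture and destination are evaluated before content, so an unmanaged laptop or an unapproved endpoint is refused regardless of what the prompt contains, and the "transform" outcome lets a sanctioned workflow continue with the sensitive value removed rather than forcing a blunt block that pushes users to another route.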


Threat narrative

Attacker objective: The objective is to extract sensitive enterprise data into uncontrolled AI systems where it can be retained, reused, or exposed outside policy boundaries.

  1. Entry occurs when employees paste sensitive material into unsanctioned GenAI tools, IDE plug-ins, or internal agents outside approved control points.
  2. Escalation follows when the same tools retain or transmit that data, allowing proprietary code, customer data, or road-map information to leave the organisation's governance boundary.
  3. Impact is data leakage, audit findings, and loss of intellectual property, with the added risk that staff will move to personal devices or alternate tools when blocks are too blunt.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Shadow AI is an identity governance problem before it is a data governance problem. The core failure is that the organisation cannot reliably answer who used which AI service, under what policy, and with what data. That means discovery, approval, and enforcement sit outside the normal IAM control loop. Practitioners should treat unsanctioned AI use as a governance gap in access control, not as a separate IT side issue.

Identity-aware enforcement is the missing control plane for AI usage. Endpoint blocks and text filters cannot govern browser paste events, plug-ins, phone-tethered sessions, or API-driven workflows because they lack request context. The practical gap is not visibility alone but the ability to bind user, device, destination, and data class into a single decision point. Security teams need to assume that AI access will evade simple perimeter controls unless identity is part of enforcement.

Ephemeral credentials do not eliminate trust debt in shadow AI. Short-lived access helps reduce exposure duration, but it does not solve the underlying question of whether the AI workflow was ever authorised to see the data in the first place. The named concept here is prompt-path trust debt: the cumulative risk created when data is repeatedly sent through AI interactions that have no durable governance trail. Practitioners should treat that debt as a programme-level exposure.

Zero trust for AI workflows must include human, NHI, and agent activity in one policy model. The article shows that shadow AI spans employees, service-like integrations, and internal agents, which means governance cannot stay limited to human login controls. The strongest posture is one policy layer that evaluates identity, request path, and destination across all three actor types. Practitioners should collapse separate review processes into a single access decision framework.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
  • For a broader lifecycle view, Ultimate Guide to NHIs shows why visibility, rotation, and offboarding need to be governed together.

What this signals

Prompt-path trust debt: shadow AI creates a cumulative governance burden when sensitive data is repeatedly sent through unmanaged tools with no durable decision trail. That burden grows faster than traditional approval workflows can absorb, which is why IAM teams need to shift from post hoc review to request-time enforcement.

The practical signal for security leaders is that AI use will keep leaking around single-control defenses unless policy is tied to identity, data classification, and destination. In environments where unmanaged access is already widespread, the question is not whether a user will find another route, but whether the programme can prove every request was either authorised or stopped.

With 90% of organisations lacking approval for their GenAI apps and plug-ins, according to Pomerium, the operational signal is clear: discovery and enforcement must be treated as a unified identity control problem rather than separate monitoring tasks.


For practitioners

  • Inventory all AI access paths: Map browser use, IDE plug-ins, API calls, and internal agents so you can see where sensitive data may leave sanctioned controls. Include shadow entry points that bypass proxy-only inspection, such as personal laptops and mobile-tethered sessions.
  • Bind AI policy to identity and data class: Write policies that decide based on user role, device context, destination, and the sensitivity of the content being sent. Allow approved internal services while blocking or transforming requests that carry confidential code, customer data, or regulated records.
  • Issue short-lived credentials for every AI request path: Replace standing keys in scripts and agents with ephemeral credentials that expire with the session or task. This reduces the lifespan of leaked secrets and makes misuse easier to detect in logs and access reviews.
  • Retain enriched decision logs for audit and response: Log the user, policy outcome, destination, and request context for every AI interaction so audits can distinguish approved use from policy violation. Feed those logs into SIEM and identity analytics to identify outliers and repeated bypass attempts.
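The last two practitioner steps, and the earlier question of how to prove the controls are working, are easier to reason about with concrete code. The Python below is an added example written for this post, not Pomerium's or NHIMG's code. It mints an HMAC-signed credential bound to one subject and one destination that expires after a short TTL, verifies it the way a gateway would, and then runs two SIEM-style queries over constructed JSON-lines decision logs: a summary of outcomes by reason (the approved/denied evidence a governance review needs) and a sliding-window check for users with repeated denied attempts against unsanctioned destinations. The signing key, TTL, log records and thresholds are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from collections import Counter, defaultdict

# Constructed demo key; a real deployment would source this from a secrets manager.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
DEFAULT_TTL_SECONDS = 300  # assumption: a credential lives for one short task


def mint_credential(subject, destination, now=None, ttl=DEFAULT_TTL_SECONDS, key=SIGNING_KEY):
    """Mint a short-lived credential bound to a subject and a single destination."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "dst": destination, "iat": int(now), "exp": int(now) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode().rstrip("=")
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_credential(token, destination, now=None, key=SIGNING_KEY):
    """Return the claims if the token is intact, unexpired and bound to this destination, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or signed with another key
    padded = body + "=" * (-len(body) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if claims["exp"] <= now or claims["dst"] != destination:
        return None  # expired, or presented to a destination it was never issued for
    return claims


# Constructed decision-log lines in the shape a request-level policy point would emit.
# "ts" is seconds since the epoch so the window arithmetic below stays simple.
SAMPLE_DECISION_LOG = """
{"ts": 1000, "user": "alice", "destination": "chat.example.org", "outcome": "deny", "reason": "unsanctioned_destination"}
{"ts": 1100, "user": "bob", "destination": "ai-gateway.internal.example", "outcome": "allow", "reason": "policy_match"}
{"ts": 1200, "user": "bob", "destination": "chat.example.org", "outcome": "deny", "reason": "unsanctioned_destination"}
{"ts": 1300, "user": "carol", "destination": "ai-gateway.internal.example", "outcome": "transform", "reason": "pii_redacted_for_role"}
{"ts": 1500, "user": "alice", "destination": "llm.example.net", "outcome": "deny", "reason": "unsanctioned_destination"}
{"ts": 2000, "user": "alice", "destination": "chat.example.org", "outcome": "deny", "reason": "unsanctioned_destination"}
{"ts": 2500, "user": "alice", "destination": "ai-gateway.internal.example", "outcome": "allow", "reason": "policy_match"}
"""


def iter_records(log_text):
    """Yield one dict per non-empty JSON line."""
    for line in log_text.splitlines():
        if line.strip():
            yield json.loads(line)


def governance_summary(log_text):
    """Count (outcome, reason) pairs: the evidence of approved, denied and transformed use."""
    return Counter((rec["outcome"], rec["reason"]) for rec in iter_records(log_text))


def repeated_bypass_attempts(log_text, threshold=3, window_seconds=3600):
    """Flag users with at least `threshold` denies for unsanctioned destinations inside any
    window of `window_seconds`. Returns {user: max_denies_in_one_window}."""
    denies = defaultdict(list)
    for rec in iter_records(log_text):
        if rec["outcome"] == "deny" and rec["reason"] == "unsanctioned_destination":
            denies[rec["user"]].append(rec["ts"])
    flagged = {}
    for user, stamps in denies.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    tok = mint_credential("alice", "ai-gateway.internal.example")
    print("valid:", verify_credential(tok, "ai-gateway.internal.example") is not None)
    print("summary:", dict(governance_summary(SAMPLE_DECISION_LOG)))
    print("repeated bypass attempts:", repeated_bypass_attempts(SAMPLE_DECISION_LOG))
```

Binding the credential to a destination is the part that ties the "short-lived credentials" step back to governance: a token leaked from one agent cannot be replayed against another service even before it expires. The two log queries are intentionally simple, but they show the difference between counting blocked prompts and holding evidence of who was allowed, who was denied, and why.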

Key takeaways

  • Shadow AI is governed access risk, not just unsafe prompting, because unsanctioned tools can move sensitive data outside the IAM control plane.
  • Visibility gaps are already large enough that endpoint filters and raw traffic logs cannot provide reliable assurance across users, plug-ins, and internal agents.
  • Identity-aware policy, short-lived credentials, and enriched decision logs are the minimum controls for making AI usage auditable and enforceable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) sets the governance and control requirements practitioners need to meet.

Framework                         | Control / Reference | Relevance
----------------------------------|---------------------|----------------------------------------------------------------------------------------
OWASP Agentic AI Top 10           |                     | Shadow AI and internal agents need request-time governance across tool use and data access.
OWASP Non-Human Identity Top 10   | NHI-01              | Unmanaged AI tools behave like non-human identities with uncontrolled access paths.
NIST Zero Trust (SP 800-207)      | PR.AC-4             | Zero trust requires continuous verification for AI requests and outbound data flows.

Apply agentic access controls to bind AI actions to identity, policy, and destination before execution.


Key terms

  • Shadow AI: Shadow AI is any generative AI application, plug-in, or internal agent used without formal approval or visibility. In practice, it creates governance blind spots because security teams cannot reliably see who used it, what data was sent, or whether the workflow was ever authorised.
  • Identity-aware enforcement: Identity-aware enforcement is the practice of making access decisions using user identity, device context, destination, and policy together. For AI workflows, it ensures the organisation can allow, block, or transform requests before sensitive data leaves controlled environments.
  • Prompt-path trust debt: Prompt-path trust debt is the accumulated risk created when sensitive data is repeatedly sent through AI interactions that lack durable governance and audit context. The more often those pathways are used outside formal controls, the harder it becomes to prove authorization or limit downstream exposure.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Pomerium: Shadow AI Is Already in Your Org. Here’s the 5-Minute Playbook to Secure It. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-07-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org