TL;DR: Unapproved AI tools are already widespread: according to JumpCloud research, 61% of organisations have encountered unsanctioned or unmonitored use. Breaches involving unmanaged applications add an average of $670,000, and 97% lack basic access controls. The real gap is governance, not experimentation, and it spans IT, security, and legal ownership.
NHIMG editorial — based on content published by JumpCloud: The AI Mandate, securing autonomous agents before they secure you
By the numbers:
- 61% of organizations report encountering unsanctioned or unmonitored use of AI tools by employees.
- 97% of these breaches involve a complete lack of basic access controls.
Questions worth separating out
Q: How should security teams govern AI agents that can access company tools and data?
A: Security teams should treat AI agents as governed identities, not as informal automation.
Q: Why do unsanctioned AI tools create so much identity risk?
A: Unsanctioned AI tools bypass the directory, policy, and audit paths that make identity governance work.
Q: What do teams get wrong about least privilege in AI workflows?
A: Teams often apply least privilege only at account creation, then forget that AI workflows can call multiple tools and inherit broader access through tokens or delegated permissions.
Practitioner guidance
- Define a sanctioned AI access path: Require employees to use approved AI tools that inherit directory-backed identity, logging, and policy enforcement before they can touch company data.
- Assign every AI agent a named owner: Register each automated agent with a business owner, technical custodian, and review cadence so accountability survives turnover and reuse.
- Restrict token scope and lifetime: Limit app tokens and delegated credentials to the narrowest task scope possible, and remove standing access wherever sessions can be made shorter.
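The three controls above can be checked mechanically against an agent inventory. The audit below is an added example, not code from JumpCloud or NHIMG; the inventory fields, the agent names, the directory name, and the 1-hour and 90-day thresholds are all assumptions chosen for illustration.

```python
from datetime import date, timedelta

# Assumed policy thresholds and directory name (not from the source article).
MAX_TOKEN_TTL = timedelta(hours=1)
MAX_REVIEW_AGE = timedelta(days=90)
APPROVED_IDPS = {"corp-directory"}

# Constructed sample inventory; every name and value is hypothetical.
AGENTS = [
    {"name": "ticket-triage-bot", "idp": "corp-directory", "audit_log": True,
     "business_owner": "support-lead", "custodian": "platform-team",
     "last_review": date(2025, 5, 1), "scopes": ["tickets:read"],
     "token_ttl": timedelta(minutes=30)},
    {"name": "sales-notes-summarizer", "idp": None, "audit_log": False,
     "business_owner": None, "custodian": "j.doe",
     "last_review": None, "scopes": ["crm:*", "mail:read"],
     "token_ttl": None},  # None means the token never expires
    {"name": "report-export-agent", "idp": "corp-directory", "audit_log": True,
     "business_owner": "finance-ops", "custodian": "data-eng",
     "last_review": date(2025, 1, 10), "scopes": ["reports:read", "storage:write"],
     "token_ttl": timedelta(hours=24)},
]

def audit_agent(agent, today):
    findings = []
    # Control 1: sanctioned path (directory-backed identity plus logging).
    if agent["idp"] not in APPROVED_IDPS:
        findings.append("identity not issued by approved directory")
    if not agent["audit_log"]:
        findings.append("no audit logging")
    # Control 2: named owner, custodian, and a review that is not overdue.
    for role in ("business_owner", "custodian"):
        if not agent[role]:
            findings.append(f"missing {role}")
    last = agent["last_review"]
    if last is None or today - last > MAX_REVIEW_AGE:
        findings.append("access review overdue")
    # Control 3: narrow scopes and short-lived tokens.
    wild = [s for s in agent["scopes"] if s.endswith("*")]
    if wild:
        findings.append("wildcard scope: " + ", ".join(wild))
    ttl = agent["token_ttl"]
    if ttl is None or ttl > MAX_TOKEN_TTL:
        findings.append("standing or long-lived token")
    return findings

def audit_inventory(agents, today):
    results = {a["name"]: audit_agent(a, today) for a in agents}
    return {name: f for name, f in results.items() if f}
```

Running `audit_inventory(AGENTS, date(2025, 6, 1))` leaves the compliant agent out of the result and shows the third agent failing only on review age and token lifetime, the kind of drift that appears after an agent was provisioned correctly.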
What's in the full article
JumpCloud's full blog post covers the operational detail this post intentionally leaves for the source:
- Role-specific guidance for IT, security, and legal teams that explains who owns each part of the AI governance process
- Operational examples of how approved sandboxes and dynamic identity controls are meant to contain AI tool risk
- The full incident discussion behind the Replit and Drift examples, including the governance lessons drawn from each case
- Practical policy language for acceptable use, data handling, and accountability expectations across AI workflows
👉 Read JumpCloud's analysis of AI governance roles, risk, and shadow AI →
AI agent governance: what IAM teams are missing?
Explore further
Shadow AI is not a usage problem; it is an identity problem. When employees adopt unmonitored tools, the organisation loses the ability to tie access, ownership, and auditability to a governed identity path. That is why the issue sits across IAM, security, and legal at the same time. Practitioners should treat unsanctioned AI use as a control-plane failure, not a training gap.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
A question worth separating out:
Q: Who is accountable when an AI agent or unapproved tool causes a breach?
A: Accountability should sit with the business owner of the workflow, the technical custodian of the identity path, and the legal or compliance function that approved usage boundaries. If those roles are not defined up front, incident response becomes a debate about ownership instead of a containment exercise.
👉 Read our full editorial: AI agent governance is failing where teams lack ownership