TL;DR: Knowledge workers are already using AI tools at scale, but only 18% know their company’s AI policy and 78% are bringing their own tools, according to ConductorOne. The real failure is not model access but the lack of identity, policy, and lifecycle controls that make governed AI easier than shadow AI.
NHIMG editorial — based on content published by ConductorOne: Your AI Strategy Has a Blind Spot
By the numbers:
- 75% of knowledge workers are already using AI tools.
- 78% are bringing their own.
- Only 18% know their company's AI policy.
Questions worth separating out
Q: How should security teams stop employees from bypassing governed AI access?
A: Make the approved path faster than the bypass path.
Q: Why do AI tools create identity governance problems for IAM teams?
A: Because AI tools introduce new identities, delegated permissions, and tool-call decisions that must be governed like other access objects.
Q: What breaks when organisations treat AI governance as a separate security program?
A: They usually create a second control plane that cannot keep pace with real usage.
Practitioner guidance
- Measure time-to-governed-access for AI tools: track how long it takes a non-technical employee to request, approve, and first use an AI tool through the sanctioned path. If that is slower than a self-service sign-up, expect bypass.
- Define tool-level entitlements for AI identities: list the exact tools, data sources, and parameters an AI identity may use, then evaluate that list at each tool call rather than once at onboarding.
- Split personal assistants from enterprise agents: assign different ownership, approval, and lifecycle rules to user-scoped assistants and organisation-scoped automation, since the two have different blast radii when their credentials leak or their owners leave.
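The second and third items above describe a per-call entitlement check and a lifecycle split between assistants and agents. The following is an added example written for this editorial, not ConductorOne's code and not the policy-aware proxy the source article describes. The identity names, tool names, and parameter keys (`source`, `limit`, `mode`) are constructed for illustration; what it demonstrates is that every call is matched against an explicit entitlement list and that every decision, allow or deny, lands in an audit record bound to the calling identity and its owner.

```python
"""Per-call entitlement check for AI identities (hypothetical example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any


@dataclass(frozen=True)
class ToolEntitlement:
    """What one AI identity may do with one tool (constructed schema)."""
    tool: str
    data_sources: frozenset[str]   # sources this tool may be pointed at
    max_rows: int | None = None    # example parameter ceiling; None = no limit
    read_only: bool = True         # writes need an explicit grant


@dataclass
class AIIdentity:
    identity_id: str
    kind: str                      # "assistant" (user-scoped) or "agent" (org-scoped)
    owner: str                     # accountable human or team
    entitlements: dict[str, ToolEntitlement]
    expires_at: datetime | None    # agents get a hard expiry; assistants follow the user


@dataclass
class AuditEvent:
    at: str
    identity_id: str
    owner: str
    tool: str
    params: dict[str, Any]
    decision: str                  # "allow" or "deny"
    reason: str


AUDIT_LOG: list[AuditEvent] = []   # stand-in for a real audit sink


def authorize_tool_call(identity: AIIdentity, tool: str, params: dict[str, Any],
                        now: datetime | None = None) -> AuditEvent:
    """Evaluate one tool call against the identity's entitlement list.

    Every outcome is appended to AUDIT_LOG together with the identity and its
    owner, so a later reviewer can trace who (or what) made each call.
    """
    now = now or datetime.now(timezone.utc)

    def record(decision: str, reason: str) -> AuditEvent:
        event = AuditEvent(now.isoformat(), identity.identity_id, identity.owner,
                           tool, dict(params), decision, reason)
        AUDIT_LOG.append(event)
        return event

    # Lifecycle first: an expired agent identity is denied before any entitlement is read.
    if identity.expires_at is not None and now >= identity.expires_at:
        return record("deny", "identity past its expiry")
    entitlement = identity.entitlements.get(tool)
    if entitlement is None:
        return record("deny", f"tool {tool!r} not in entitlement list")
    source = params.get("source")
    if source not in entitlement.data_sources:
        return record("deny", f"data source {source!r} not allowed for {tool!r}")
    if entitlement.max_rows is not None and params.get("limit", 0) > entitlement.max_rows:
        return record("deny", f"limit {params['limit']} exceeds {entitlement.max_rows}")
    if entitlement.read_only and params.get("mode", "read") != "read":
        return record("deny", "write access not granted")
    return record("allow", "entitlement matched")


def demo() -> list[str]:
    """Run constructed sample calls and return the decision sequence."""
    AUDIT_LOG.clear()
    t = datetime(2025, 6, 1, tzinfo=timezone.utc)
    # User-scoped assistant: read-only access to one documentation source.
    assistant = AIIdentity(
        "asst:alice", "assistant", "alice",
        {"search_docs": ToolEntitlement("search_docs", frozenset({"wiki"}))},
        expires_at=None)
    # Organisation-scoped agent: one tool, one data source, a row ceiling, a hard expiry.
    agent = AIIdentity(
        "agent:ticket-triage", "agent", "platform-team",
        {"query_tickets": ToolEntitlement("query_tickets", frozenset({"jira"}), max_rows=100)},
        expires_at=datetime(2026, 1, 1, tzinfo=timezone.utc))
    calls = [
        (assistant, "search_docs", {"source": "wiki", "q": "vpn setup"}, t),      # allow
        (assistant, "search_docs", {"source": "hr-db", "q": "salaries"}, t),      # deny: source
        (assistant, "query_tickets", {"source": "jira"}, t),                       # deny: tool
        (agent, "query_tickets", {"source": "jira", "limit": 50}, t),              # allow
        (agent, "query_tickets", {"source": "jira", "limit": 500}, t),             # deny: limit
        (agent, "query_tickets", {"source": "jira", "mode": "write"}, t),          # deny: write
        (agent, "query_tickets", {"source": "jira", "limit": 10},
         datetime(2026, 2, 1, tzinfo=timezone.utc)),                               # deny: expired
    ]
    return [authorize_tool_call(i, tool, p, now).decision for i, tool, p, now in calls]


if __name__ == "__main__":
    for decision, event in zip(demo(), AUDIT_LOG):
        print(decision, event.identity_id, event.tool, event.reason)
```

The design point is that the deny path produces the same audit record as the allow path; a governance model that only logs successful calls cannot show you the bypass attempts, which are exactly the signal that the approved path is too slow or too narrow.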
What's in the full article
ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:
- The end-to-end self-service workflow for AI tool provisioning, including where approval automation sits.
- The policy-aware proxy model for authenticating agent calls and logging audit events.
- The distinction between personal assistants and enterprise agents in the vendor's governance model.
- The detailed credential-vaulting and revocation flow used to eliminate local secret exposure.
👉 Read ConductorOne's analysis of the AI governance gap and shadow AI →
AI governance and shadow AI: what IAM teams are missing
Explore further
Shadow AI is a control-plane failure, not an adoption side effect. The article shows that employees bypass governed access when the approved path is slower than self-service sign-up. That is a governance breakdown, because policy without usable enforcement simply creates parallel, unmanaged identities and tool connections. The implication is that identity teams must treat AI access speed as part of the control design, not as a separate UX problem.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers, in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how quickly unmanaged identity exposure becomes systemic. AI identities that are provisioned outside the sanctioned path land in the same blind spot.
A question worth separating out:
Q: How do you know if AI access governance is actually working?
A: Look for three signals: users request access through the sanctioned path, approvals complete quickly enough to prevent bypass, and every tool call is tied to a specific identity and audit event. If employees still prefer external tools, governance is too slow or too hard to use.
👉 Read our full editorial: AI governance’s blind spot is identity, not model quality