AI governance and shadow AI: what IAM teams need to see

(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7335
Topic starter  

TL;DR: AI governance is already colliding with shadow AI, missing API specs, and unpredictable token costs as enterprises deploy agents faster than controls can centralise, according to Kong. The real issue is not AI enthusiasm but the fact that governance, security, and cost control are still being treated as add-ons instead of foundation design.

NHIMG editorial — based on content published by Kong: The AI Governance Wake-Up Call

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents that can call APIs and models directly?

A: Security teams should govern AI agents through central policy enforcement, scoped access, and complete logging at the gateway or control plane.

Q: Why do AI agents create new identity and access management risks?

A: AI agents create new identity and access management risks because they can initiate actions, select tools, and consume data at runtime across multiple systems.

Q: What breaks when AI governance is left to individual teams?

A: What breaks is accountability.

Practitioner guidance

  • Map every AI entry point to an owner: inventory direct model calls, MCP servers, agent runtimes, and gateway paths, then assign a single accountable owner for each path.
  • Bind AI access to policy at the gateway: enforce allowlists, scopes, request validation, and logging at the point where agents reach models or downstream APIs.
  • Classify AI traffic by identity, not just application: track which service accounts, API clients, or agent identities are invoking workloads, and tie each one to a lifecycle record for review, offboarding, and audit.
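The three guidance points above (owner per entry point, policy at the gateway, traffic classified by identity) and the earlier Q&A on governing agents that call APIs and models directly can be shown together as one gateway-side check. The following is an added example written for this post; it is not Kong's code, not NHIMG's, and not any product's API. The identity registry, path-to-scope mapping, request shapes and size cap are all constructed for illustration; the lifecycle states and scope names are hypothetical.

```python
"""Added example (not from Kong or NHIMG): a minimal gateway policy check for AI
agent calls. Each agent identity carries an owner, a lifecycle state, scopes, and
an allowlist of upstream model/API paths. The gateway enforces these in order and
writes one audit line per decision, allowed or denied. All data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import json


@dataclass(frozen=True)
class AgentIdentity:
    """Lifecycle record for one AI entry point (hypothetical schema)."""
    name: str
    owner: str                 # single accountable owner for this path
    status: str                # "active" or "offboarded" (constructed states)
    scopes: frozenset          # permissions granted to this identity
    allowed_paths: frozenset   # upstream paths this identity may reach


@dataclass
class Decision:
    allowed: bool
    reason: str


# Constructed inventory of agent identities known to the gateway.
REGISTRY = {
    "support-agent": AgentIdentity(
        name="support-agent", owner="cx-platform-team", status="active",
        scopes=frozenset({"model:invoke", "api:read"}),
        allowed_paths=frozenset({"/models/chat", "/api/customers"}),
    ),
    "reporting-agent": AgentIdentity(   # allowlisted for a path but never granted the scope
        name="reporting-agent", owner="finance-ops", status="active",
        scopes=frozenset({"model:invoke"}),
        allowed_paths=frozenset({"/api/customers"}),
    ),
    "legacy-bot": AgentIdentity(        # offboarded: owner unknown, must be refused
        name="legacy-bot", owner="unknown", status="offboarded",
        scopes=frozenset({"model:invoke"}),
        allowed_paths=frozenset({"/models/chat"}),
    ),
}

# Scope each upstream path requires (constructed mapping).
PATH_SCOPES = {
    "/models/chat": "model:invoke",
    "/api/customers": "api:read",
    "/api/payments": "api:write",
}

MAX_PROMPT_CHARS = 8000  # crude size cap; a real gateway would count tokens


def validate_request(path: str, req: dict, identity: AgentIdentity) -> Optional[str]:
    """Return an error string if the request body fails validation, else None."""
    if path.startswith("/models/"):
        if not isinstance(req.get("model"), str) or not req["model"]:
            return "missing model name"
        prompt = req.get("prompt")
        if not isinstance(prompt, str):
            return "prompt must be a string"
        if len(prompt) > MAX_PROMPT_CHARS:
            return "prompt exceeds size limit"
    else:
        # Read scope only covers GET; anything that mutates needs api:write.
        method = req.get("method", "GET")
        if method != "GET" and "api:write" not in identity.scopes:
            return "write method requires api:write scope"
    return None


def authorize(agent_name: str, path: str, req: dict, audit: list) -> Decision:
    """Policy order: known identity -> lifecycle state -> allowlist -> scope -> request validation.
    Every decision is appended to `audit` as a JSON line tied to the identity and its owner."""
    identity = REGISTRY.get(agent_name)
    if identity is None:
        decision = Decision(False, "unknown agent identity")
    elif identity.status != "active":
        decision = Decision(False, f"identity is {identity.status}")
    elif path not in identity.allowed_paths:
        decision = Decision(False, "path not on identity allowlist")
    elif PATH_SCOPES.get(path) not in identity.scopes:
        decision = Decision(False, "missing required scope")
    else:
        err = validate_request(path, req, identity)
        decision = Decision(err is None, err or "ok")

    audit.append(json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "agent": agent_name,
        "owner": identity.owner if identity is not None else None,
        "path": path,
        "allowed": decision.allowed,
        "reason": decision.reason,
    }))
    return decision


if __name__ == "__main__":
    log: list = []
    print(authorize("support-agent", "/models/chat", {"model": "chat-small", "prompt": "hello"}, log))
    print(authorize("legacy-bot", "/models/chat", {"model": "chat-small", "prompt": "hi"}, log))
    print("\n".join(log))
```

The check order matters for the accountability point in the Q&A: an identity with no owner or an offboarded state is refused before any allowlist or scope lookup, and the audit line always records which owner the decision belongs to, so review and offboarding have a single record to work from.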

What's in the full article

Kong's full blog covers the operational detail this post intentionally leaves for the source:

  • Specific examples of how teams are centralising AI traffic through gateways and control points.
  • Implementation details on LLM request validation, routing, and rate limiting for enterprise AI traffic.
  • Customer examples showing how governance, observability, and cost controls were applied in practice.
  • The article's full discussion of organisational ownership, including where AI governance should sit.

👉 Read Kong's analysis of AI governance, shadow AI, and token cost control →
