AI security maturity: what breaks when policy outpaces visibility?


(@nhi-mgmt-group)
Member Moderator
TL;DR: The 2026 Verizon DBIR and Push data show AI adoption is already broad, with 45% of employees using AI on corporate devices, 67% using personal accounts, and 38% of file uploads coming from shadow accounts. SANS’ maturity model argues the real barrier is not awareness but the lack of inventory, telemetry, and controls needed to move from policy to operational governance.

NHIMG editorial — based on content published by Push Security: Most organizations know they have an AI security problem. A new SANS framework shows why so few are making progress

By the numbers:

Questions worth separating out

Q: How should security teams implement AI governance without pushing usage underground?

A: Start with automated discovery, not a blanket ban.

Q: Why do AI tools create problems for IAM and identity governance programmes?

A: AI tools expand the identity surface into browser sessions, personal accounts, and consented integrations that are often outside normal review cycles.

Q: What breaks when organisations block AI use without visibility?

A: A block-only strategy usually relocates usage into shadow accounts and unmanaged tools instead of eliminating it.

Practitioner guidance

  • Build automated AI inventory: Discover AI apps, browser extensions, and OAuth integrations continuously, including usage through personal accounts and unmanaged sessions.
  • Classify AI activity by data sensitivity: Differentiate benign usage from high-risk behaviour by looking at source code, structured data, and document movement into AI tools.
  • Instrument browser-layer controls: Collect telemetry from the browser where AI prompts, file uploads, phishing lures, OAuth consent, and extension activity all converge.
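The three guidance points above, worked through as an added example (not code from Push Security, SANS, or NHIMG): it takes constructed browser-layer events, flags sign-ins from accounts outside the assumed corporate domain as shadow accounts, classifies uploads by the kind of data moved into the AI tool, builds an app inventory, and picks a graduated allow/warn/block response instead of a blanket block. The event fields, the corporate domain, and the file-extension mapping are assumptions.

```python
from dataclasses import dataclass

CORPORATE_DOMAINS = {"example.com"}  # assumption: the org's identity domains
SENSITIVE_EXTENSIONS = {
    "source_code": {".py", ".go", ".java", ".js", ".c", ".rs"},
    "structured_data": {".csv", ".xlsx", ".json", ".sql"},
    "document": {".docx", ".pdf", ".pptx"},
}

@dataclass
class AIEvent:
    app: str       # AI app or extension seen by browser telemetry
    account: str   # identity signed in to the app
    action: str    # prompt | upload | oauth_consent | extension_install
    filename: str = ""

def is_shadow_account(ev):
    """Personal or unknown accounts sit outside normal IAM review cycles."""
    domain = ev.account.rsplit("@", 1)[-1].lower() if "@" in ev.account else ""
    return domain not in CORPORATE_DOMAINS

def data_class(ev):
    """Classify an upload by the kind of data moved into the AI tool."""
    if ev.action != "upload" or "." not in ev.filename:
        return "none"
    ext = "." + ev.filename.rsplit(".", 1)[-1].lower()
    return next((k for k, v in SENSITIVE_EXTENSIONS.items() if ext in v), "other")

def response_mode(ev):
    """Graduated response instead of block-only: allow, warn or block."""
    cls = data_class(ev)
    if cls in ("source_code", "structured_data"):
        return "block" if is_shadow_account(ev) else "warn"
    if cls == "document" or ev.action in ("oauth_consent", "extension_install"):
        return "warn"  # surfaces for review rather than hard-stopping the user
    return "allow"

def inventory(events):
    """AI inventory: app -> {(account, is_shadow)} built from observed events."""
    inv = {}
    for ev in events:
        inv.setdefault(ev.app, set()).add((ev.account, is_shadow_account(ev)))
    return inv

# Constructed sample telemetry (not real data)
SAMPLE_EVENTS = [
    AIEvent("chat-assistant", "alice@example.com", "prompt"),
    AIEvent("chat-assistant", "alice@personal.example", "upload", "billing.csv"),
    AIEvent("code-helper-ext", "bob@example.com", "extension_install"),
]
```

Feeding the same events through `inventory` shows the same app reached through both a corporate and a shadow account, which is the visibility gap the post describes.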

What's in the full article

Push Security's full article covers the operational detail this post intentionally leaves for the source:

  • The full stage-by-stage SANS maturity model with the specific expectations for Stage 1 through Stage 5.
  • The browser-layer control approach for discovering AI apps, extensions, OAuth integrations, and shadow account usage.
  • The practical distinction between governance controls and protective controls across AI risk scenarios.
  • The article’s implementation-oriented examples for moving from blocking to graduated response modes.

👉 Read Push Security's analysis of the SANS AI security maturity model →
