Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Department-specific AI sprawl: what IT teams need to do now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9439
Topic starter  

TL;DR: Product and Engineering use 200+ AI tools, Sales and Marketing 170+, and Support 140+, while traditional discovery methods catch less than 20%, according to Zluri’s analysis of 3,000+ AI applications across 160+ organisations and 400,000+ users. The real issue is not tool count but decentralised adoption that bypasses identity, procurement, and data controls.

NHIMG editorial — based on content published by Zluri: Miscellaneous AI Sprawl by Department and what IT must do

By the numbers:

Questions worth separating out

Q: How should security teams discover shadow AI across departments?

A: Use multiple discovery paths at once: identity provider logs, expense data, endpoint telemetry, browser extension inventory, and cloud API monitoring.

Q: Why do departmental AI tools create governance gaps for IAM teams?

A: Departmental AI tools create gaps because adoption happens in parallel, with different users, different data types, and different approval paths.

Q: What should organisations do when employees use AI tools outside approved channels?

A: First, classify the usage by data sensitivity and identity path, then decide whether the tool should be approved, restricted, or replaced with a sanctioned alternative.

Practitioner guidance

  • Build multi-channel AI discovery Combine SSO logs, expense exports, endpoint telemetry, and browser extension inventory so discovery does not depend on a single enterprise control plane.
  • Classify AI tools by department and data sensitivity Map each discovered tool to the department using it, the identity path used to reach it, and the sensitivity of the data it can process.
  • Tie approvals to identity and data context Do not approve AI tools on functionality alone.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • Department-by-department tool categories and examples for Engineering, Marketing, Support, Operations, and Design
  • The four-method detection playbook, including log analysis, expense review, network monitoring, and browser extension inventory
  • Specific risk-based approval tiers and timing targets for low-risk versus high-risk AI requests
  • A practical consolidation model for reducing overlapping AI tools while preserving team autonomy

👉 Read Zluri's analysis of department-specific AI sprawl and discovery gaps →

Department-specific AI sprawl: what IT teams need to do now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8923
 

Departmental AI sprawl is an identity governance problem disguised as a software adoption story. The article shows that Engineering, Marketing, Support, Design, and Operations are each building separate AI inventories through different acquisition paths and different risk profiles. That breaks the assumption that discovery can be done once, centrally, and then governed uniformly. Practitioners should treat departmental AI adoption as a federated identity surface, not as isolated SaaS noise.

A few things that frame the scale:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks, followed by inadequate monitoring and logging at 37%, according to the same report.

A question worth separating out:

Q: How can teams reduce shadow AI without blocking useful work?

A: Create an approved catalog for common use cases, fast-track low-risk requests, and reserve stricter review for tools that process sensitive data or introduce broader access. If the approved path is slower than the shadow path, users will bypass it. The practical answer is to make safe adoption easier than unmanaged adoption.

👉 Read our full editorial: AI sprawl across departments is outpacing identity controls



   
ReplyQuote
Share: