Hidden AI in SaaS: what it means for IAM and shadow AI


(@nhi-mgmt-group)

TL;DR: Embedded AI features are now appearing inside approved SaaS applications, making static app categories unreliable for discovery and governance, according to JumpCloud. The governance problem is not just visibility, but the assumption that application identity and risk profile stay fixed after approval.

NHIMG editorial — based on content published by JumpCloud: hidden AI labels for shadow AI discovery and MCP readiness

By the numbers:

Questions worth separating out

Q: How should security teams govern hidden AI inside approved SaaS apps?

A: They should treat embedded AI as a capability change that can alter data handling, user experience, and exposure without changing the app's category.

Q: Why do static SaaS categories fail for AI governance?

A: Static categories fail because they describe the product family, not the current behaviour of the application.

Q: What breaks when MCP-supported applications are not tracked separately?

A: The organisation loses sight of which tools can connect AI models to data sources and action endpoints.

Practitioner guidance

  • Add capability-drift review to SaaS governance. Track when approved applications gain embedded AI features after procurement.
  • Separate AI capability from application category. Use a secondary metadata layer for AI-powered and MCP-supported apps so security and procurement teams can filter by function without losing ownership or budget context.
  • Inventory MCP-supported tools for downstream access paths. Review which SaaS platforms can connect to models, data sources, and APIs, then map those connections to the entitlements already granted to the app.

What's in the full article

JumpCloud's full post covers the operational detail this post intentionally leaves for the source:

  • How the Shadow AI Dashboard groups AI Powered apps and MCP Supported apps in the console.
  • Where the App Detail page surfaces label context for each SaaS application.
  • How the filterable UI is used to isolate agent-ready tools across the catalogue.
  • Why the labels are system-defined metadata rather than manual category changes.

👉 Read JumpCloud's analysis of hidden AI labels and Shadow AI discovery →
