TL;DR: Shadow AI is creating an identity blind spot because unsanctioned agents can operate with valid credentials outside IT visibility, and Saviynt says 75% of CISOs have already found such tools in production. The governance problem is now structural: discovery, accountability, and continuous access control must extend to agents, not just people.
NHIMG editorial — based on content published by Saviynt: Shadow AI Is Creating the Largest Identity Blind Spot in Enterprise Security
By the numbers:
- 75% of CISOs have already discovered unsanctioned AI tools running in their production environments.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams govern shadow AI before it spreads across the enterprise?
A: Start by treating each AI agent as a governed identity with an owner, scope, and revocation path.
Q: What is the difference between shadow AI and shadow IT from an IAM perspective?
A: Shadow IT is usually an unauthorized application that leaves spend, network, or procurement evidence. Shadow AI agents, by contrast, are often created inside approved platforms and operate with valid credentials, so they leave no such trail for IT to notice.
Q: Why do AI agents create more governance risk than ordinary service accounts?
A: AI agents can make decisions, chain actions, and expand their own reach across systems in ways service accounts usually do not.
Practitioner guidance
- Inventory every AI agent in production: Scan approved platforms, embedded assistants, low-code builders, and MCP-connected workflows for agents that have not been formally registered or owned.
- Bind each agent to an accountable owner: Require a named business and technical owner for every agent, with review dates, approved use cases, and revocation criteria.
- Track inherited credentials and service accounts: Map every service account, API key, token, or certificate an agent can invoke, then classify whether that NHI is overprivileged, shared, or long-lived.
When AI agents can be created inside approved platforms, security teams need continuous discovery that spans agent platforms, connected NHIs, and the data stores those agents can query.
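The three guidance steps above expressed as inventory checks, as an added example that is not Saviynt's or NHIMG's code; the agent and credential records, the scope names, and the 90-day rotation threshold are constructed assumptions:

```python
"""Governance checks that treat AI agents as non-human identities (NHIs). Added
example, not Saviynt's or NHIMG's code; records and the 90-day threshold are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

MAX_LIFETIME_DAYS = 90  # assumed rotation policy, not stated on the page
@dataclass
class Credential:
    cred_id: str
    scopes: set[str]           # permissions the secret grants
    issued: date
    expires: date | None       # None: the secret never expires
@dataclass
class Agent:
    name: str
    owner: str | None          # accountable owner; None if never registered
    approved_scopes: set[str]  # what the approved use case actually needs
    credentials: list[str]     # credential ids the agent can invoke

def unowned_agents(agents: list[Agent]) -> list[str]:
    """Steps 1-2: agents found in production with no named owner to bind."""
    return sorted(a.name for a in agents if not a.owner)

def classify_credentials(agents: list[Agent], creds: dict[str, Credential]) -> dict[str, set[str]]:
    """Step 3: map each inherited credential to the agents that can invoke it and
    flag whether that NHI is shared, long-lived, or overprivileged."""
    holders: dict[str, list[Agent]] = {}
    for a in agents:
        for cid in a.credentials:
            holders.setdefault(cid, []).append(a)
    findings = {}
    for cid, users in holders.items():
        c = creds[cid]
        checks = {
            "shared": len(users) > 1,  # one secret invoked by several agents
            "long-lived": c.expires is None or (c.expires - c.issued).days > MAX_LIFETIME_DAYS,
            "overprivileged": any(c.scopes - a.approved_scopes for a in users),
        }
        findings[cid] = {flag for flag, hit in checks.items() if hit}
    return findings

# Constructed inventory: a registered triage agent plus a report bot found in a low-code platform.
CREDS = {c.cred_id: c for c in [
    Credential("svc-crm-ro", {"crm:read"}, date(2025, 1, 10), date(2025, 3, 1)),
    Credential("tok-data-admin", {"warehouse:read", "warehouse:write"}, date(2024, 6, 1), None),
]}
AGENTS = [
    Agent("ticket-triage", "ops@example.com", {"crm:read"}, ["svc-crm-ro", "tok-data-admin"]),
    Agent("report-bot", None, {"warehouse:read"}, ["tok-data-admin"]),
]
```

In the constructed inventory the unowned report bot and the never-expiring admin token shared with the triage agent are the findings a discovery pass should surface before any restriction decision is made.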
Shadow AI is becoming an identity problem before it becomes a model problem. The security failure is not limited to unsafe prompts or untrusted output. When agents are created outside governance, they become unmanaged non-human identities with real access rights and no durable ownership. That shifts the control discussion from content safety to identity lifecycle control, which is where most enterprise programs are least mature.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why hidden agent access and secret sprawl tend to compound together.
A question worth separating out:
Q: Should organisations prioritise discovery or access restriction first for shadow AI?
A: Discovery comes first, because teams cannot restrict what they cannot enumerate. Once agents, credentials, and data paths are visible, organisations can decide which permissions to remove, which workflows to register, and which use cases to ban. Restriction without discovery usually pushes the problem deeper into the environment.