Notifications
Clear all
Topic starter
09/06/2026 11:51 pm
TL;DR: LLM adoption surged in 2023, with ChatGPT reaching over a million users in its first week, Bard drawing around 140 million monthly visitors, and Claude 2.1 expanding to a 200,000-token context window, according to Lasso Security. The governance problem is no longer model capability alone but Shadow AI, visibility, and policy design across human, machine, and emerging autonomous use cases.
NHIMG editorial — based on content published by Lasso Security: Wrapping Up 2023, Anticipating LLMs and GenAI Trends in the Year Ahead
By the numbers:
- Bard drew around 140 million monthly visitors.
Questions worth separating out
Q: How should security teams govern Shadow AI in the enterprise?
A: Start by inventorying every place GenAI can be used, including approved tools, embedded assistants, browser access, and API-connected workflows.
Q: Why do GenAI tools create new identity governance problems?
A: GenAI tools can move from isolated experiments into embedded workflows without a clear boundary between the user, the service account, and the system performing the action.
Q: How can organisations know if GenAI policy is actually working?
A: Look for proof that policy is enforced at the point of use: denied sensitive prompts, blocked data transfers, retained audit logs, and documented exceptions.
Practitioner guidance
- Inventory every GenAI entry point Map browser use, SaaS copilots, embedded assistants, and API-based model access into a single inventory so Shadow AI is visible to security, IAM, and compliance teams.
- Define GenAI data-handling policy Specify which data classes may be sent to models, which require masking, and which are prohibited, then enforce those rules at gateways and application controls.
- Add pre-production evaluation gates Test model-powered workflows for leakage, policy bypass, and unsafe outputs before they reach production, especially where prompts or retrieval sources can change behaviour.
What's in the full article
Lasso Security's full article covers the operational detail this post intentionally leaves for the source:
- The article’s year-ahead breakdown of where LLMs and GenAI are likely to move from experimentation into deployment
- Specific recommendations for building AI evaluation frameworks around emerging GenAI features
- The article’s practical guidance on identifying Shadow AI across employee and application use cases
- The cited policy and governance references, including NIST AI RMF, CISA, and OWASP guidance
👉 Read Lasso Security's 2024 outlook on LLM and GenAI security trends →
LLM and GenAI security: what do IAM teams need to prepare for?
Explore further
10/06/2026 2:23 am
Shadow AI is the first governance failure, not the last security symptom. The article’s central problem is uncontrolled GenAI adoption before policy and inventory are in place. Once users and applications start embedding LLMs into everyday work, the organisation loses line of sight into data flow, authorisation, and accountability. The practitioner conclusion is simple: if you cannot enumerate the model, you cannot govern the identity path that reaches it.
A few things that frame the scale:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Should IAM teams treat GenAI as part of access governance?
A: Yes. GenAI is part of access governance whenever it can read, transform, or disclose enterprise data, because the key question is who or what is authorised to invoke the model and under what conditions. IAM teams should define identity ownership, access scope, logging, and review for each GenAI workflow before adoption scales.
👉 Read our full editorial: LLM and GenAI security is becoming a distinct governance problem
