TL;DR: IBM’s 2025 Cost of a Data Breach Report found that 13% of organisations experienced an AI-related breach, 20% discovered Shadow AI, and 63% had no AI governance policy, while extensive security AI use cut mean time to intervene by about 80 days and saved $1.9 million. The real issue is not AI adoption itself but the lack of identity, access, and audit control around AI tools and the data they can reach.
NHIMG editorial — based on content published by Cyera: The Hidden Costs of Shadow AI: Why Access and Audit Controls Matter Now
Questions worth separating out
Q: How should security teams govern Shadow AI without losing visibility into data use?
A: Start with discovery, then bind each AI tool to the identities, tokens, and datasets it can reach.
Q: Why do traditional IAM controls struggle with AI tools and assistants?
A: Traditional IAM assumes access can be modelled in stable roles and reviewed later through static records.
Q: How do teams know whether AI governance is actually working?
A: Look for three signals: you can inventory AI tools, you can explain which identities use them, and you can prove what data they touched.
Practitioner guidance
- Inventory AI tools by identity and data path: map every approved and unapproved AI tool to the human users, tokens, service accounts, and datasets involved.
- Replace role-only access decisions with context-aware controls: use attribute-based policies and conditional rules where AI access depends on dataset sensitivity, task context, and approved business purpose, not just a broad role.
- Log prompts, outputs, and policy drift as audit evidence: preserve AI interaction records in a form that can support investigations, compliance review, and containment when the model or user behaviour crosses policy.
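As an added example (not code from this editorial or from Cyera's article), here is a Python sketch of the three steps above working together: an inventory that binds each approved AI tool to the identities, datasets, and purposes it was approved for; a context-aware check that denies anything outside those bindings; and an audit record for every decision, including drift when a dataset is reclassified after approval. The tool names, identities, datasets, and sensitivity scale are constructed for the example.

```python
from dataclasses import dataclass
# Constructed inventory (an assumption, not from the article): each approved AI tool is
# bound to the identities allowed to invoke it, the datasets on its approved data path,
# the business purposes it was approved for, and the highest sensitivity it may touch.
INVENTORY = {
    "support-assistant": {
        "identities": {"svc-support-bot", "alice@example.com"},
        "datasets": {"tickets", "public-docs"},
        "purposes": {"customer-support"},
        "max_sensitivity": 2,  # 0 public, 1 internal, 2 confidential, 3 restricted
    },
}
# Current classification of each dataset; it can change after a tool was approved.
CLASSIFICATION = {"tickets": 2, "public-docs": 0, "payroll": 3}

@dataclass(frozen=True)
class AuditRecord:
    tool: str
    identity: str
    dataset: str
    purpose: str
    decision: str
    reason: str

def evaluate(tool, identity, dataset, purpose, classification=CLASSIFICATION):
    # Context-aware decision for one AI interaction; every path yields an audit record.
    def rec(decision, reason):
        return AuditRecord(tool, identity, dataset, purpose, decision, reason)
    entry = INVENTORY.get(tool)
    if entry is None:
        return rec("deny", "shadow-ai: tool not in inventory")
    if identity not in entry["identities"]:
        return rec("deny", "identity not bound to this tool")
    if dataset not in entry["datasets"]:
        return rec("deny", "drift: dataset outside approved data path")
    if purpose not in entry["purposes"]:
        return rec("deny", "purpose not approved for this tool")
    if classification.get(dataset, 3) > entry["max_sensitivity"]:
        return rec("deny", "drift: dataset reclassified above approved sensitivity")
    return rec("allow", "all bindings satisfied")

def audit_trail(events, classification=CLASSIFICATION):
    # Evaluate constructed (tool, identity, dataset, purpose) events; keep every decision.
    return [evaluate(*e, classification=classification) for e in events]

def drift_summary(records):
    # Counts a reviewer would pull from the trail: shadow AI, policy drift, allowed use.
    return {"shadow_ai": sum(r.reason.startswith("shadow-ai") for r in records),
            "drift": sum(r.reason.startswith("drift") for r in records),
            "allowed": sum(r.decision == "allow" for r in records)}
```

An unknown dataset defaults to the most restrictive sensitivity, so a tool reaching data that was never classified is denied and recorded rather than silently allowed.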
What's in the full article
Cyera's full article covers the operational detail this post intentionally leaves for the source:
- IBM report context and the specific breach-cost metrics Cyera uses to frame AI risk
- Cyera’s AI Guardian feature breakdown, including posture management and runtime protection
- The article’s product-level explanation of how prompts, outputs, and policy drift are monitored
- Examples of how Cyera positions AI discovery across embedded, third-party, and homegrown AI tools
👉 Read Cyera’s analysis of Shadow AI, breach cost, and AI access controls →
Explore further
Shadow AI is a governance failure before it is a technology failure. The article’s core point is that organisations lose control when AI usage outruns discovery, identity assignment, and audit coverage. That is not an exotic AI problem. It is the familiar IAM failure mode of unmanaged access appearing faster than the programme can classify it. The implication is that AI governance must begin with inventory and trust boundaries, not policy statements.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- In the same research, 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, showing how often identity governance starts from incomplete inventory.
A question worth separating out:
Q: Who should own AI access and audit controls when Shadow AI is involved?
A: Ownership should sit across security, IAM, data governance, and the business units that approve AI use. Security can define control requirements, IAM can bind them to identities, and data teams can classify the information at risk. The important point is that no single team can own Shadow AI alone.
👉 Read our full editorial: Shadow AI exposes a governance gap in AI access and audit controls