Notifications
Clear all
Topic starter
12/06/2026 9:43 pm
TL;DR: Shadow AI is the unsanctioned use of AI tools, models, or agents inside an organisation without security review, and Lasso Security argues it creates data leakage, compliance exposure, and untraceable decisions as adoption accelerates. The core issue is that existing governance assumes AI use is visible and reviewable, but shadow AI often operates outside those controls.
NHIMG editorial — based on content published by Lasso Security: What is Shadow AI? Risks, Tools, and Best Practices for 2026
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
Questions worth separating out
Q: How should security teams govern shadow AI in the enterprise?
A: Security teams should govern shadow AI by treating it as an identity and access issue, not only a technology preference.
Q: Why does shadow AI create more risk than shadow IT?
A: Shadow AI creates more risk because it does not just add an unmanaged application.
Q: What breaks when AI tools are used without security review?
A: What breaks is the organisation's ability to control data flow, prove acceptable use, and reconstruct decisions later.
Practitioner guidance
- Inventory AI-enabled access paths now Map browser-based tools, embedded assistants, plugins, and model APIs that can touch corporate data, then classify them by approved, restricted, or prohibited use.
- Separate sanctioned AI from unmanaged AI Create a formal approval list for AI tools, model endpoints, and embedded assistants with clear data-handling rules.
- Add prompt and output controls to monitoring Extend logging beyond application access to capture prompts, model outputs, and data categories where the tool touches enterprise content.
What's in the full article
Lasso Security's full guide covers the operational detail this post intentionally leaves for the source:
- Practical examples of where shadow AI appears in marketing, HR, legal, and analytics workflows.
- A side-by-side comparison of shadow AI and shadow IT with the control differences practitioners need to understand.
- Implementation guidance for discovery, alerting, and audit routines across browser tools and embedded assistants.
- Examples of policy language and rollout steps for organisations defining approved AI use.
👉 Read Lasso Security's guide to shadow AI risks, tools, and best practices →
Shadow AI and the governance gap teams are missing?
Explore further
13/06/2026 12:00 am
Shadow AI is an identity governance problem before it is an AI governance problem. The article describes tools that enter the enterprise without approval, oversight, or auditability, which means the primary failure is uncontrolled identity and data access rather than model quality alone. That places shadow AI squarely within IAM, IGA, and NHI governance, because the governance question is who or what is allowed to act with data, not just which model is in use. Practitioners should treat unmanaged AI as an access channel that must be governed like any other enterprise identity surface.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.
- 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who is accountable when shadow AI causes a compliance failure?
A: Accountability usually spans the business owner, the data owner, security, and the team that approved or ignored the tool's use. The key governance test is whether the organisation defined who could authorize the tool, who could see its data, and who would revoke access when risk changed.
👉 Read our full editorial: Shadow AI is expanding the enterprise attack surface for 2026
