Notifications
Clear all
Topic starter
12/06/2026 9:23 pm
TL;DR: AI adoption is accelerating faster than most identity programmes can classify, with 11% of organisations reporting formal agent production and 35% having no agentic strategy at all, according to JumpCloud findings cited from Deloitte and Gartner. The governance gap is now an identity problem, because unmanaged agents inherit human trust paths without human-scale controls.
NHIMG editorial — based on content published by JumpCloud: shadow AI, the silicon workforce, and identity-first security
By the numbers:
- A leading generative AI tool reached roughly twice 50 million users in just two months.
- The tool now has over 800 million weekly users, roughly 10% of the planet's population.
- By the end of 2026, many organisations will have more AI agents than human employees.
Questions worth separating out
Q: What breaks when shadow AI is not bound to a managed identity?
A: When shadow AI is not tied to a managed identity, security teams lose the ability to trace action, enforce least privilege, or revoke access with confidence.
Q: Why do AI agents complicate least-privilege governance?
A: AI agents complicate least-privilege because they often inherit the permissions of the human account or workflow that launched them.
Q: How do security teams know whether AI usage is actually under control?
A: Teams know AI usage is under control when every active tool or agent can be linked to an owner, a device, a policy, and a revocation path.
Practitioner guidance
- Discover shadow AI and bind it to identity records Inventory AI tools and agents already in use, then map each one to a managed user, device, and business owner so the access path is reviewable and revocable.
- Constrain agent access with the human account Limit the employee permissions that an AI tool can inherit, especially for repositories, data stores, and SaaS applications that do not belong in the task scope.
- Require managed-device posture before AI execution Block AI tooling on unmanaged or unpatched devices, and tie continued access to device compliance so a compromised endpoint cannot become an exfiltration route.
What's in the full article
JumpCloud's full article covers the operational detail this post intentionally leaves for the source:
- The specific Shadow AI Discovery workflow used to identify active AI tools across endpoints and user populations.
- The Unified Open Directory approach JumpCloud describes for binding AI usage back to managed employee identities.
- The access-control workflow for limiting inherited permissions when employees use AI coding or automation tools.
- The continuous-governance logic for revoking access when device compliance changes.
👉 Read JumpCloud's analysis of shadow AI, the silicon workforce, and identity control →
Shadow AI discovery and agent governance: are controls keeping up?
Explore further
12/06/2026 11:25 pm
Shadow AI is really shadow identity, because the access path matters more than the interface. The article shows that unmanaged AI use becomes dangerous when tools can read, write, and delete corporate data through valid credentials. That shifts the problem from application discovery to identity governance, because the security question is no longer whether AI is present, but whether the actor behind the action is known and managed. Practitioners should treat unauthorized AI use as an identity classification failure, not a tooling curiosity.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: Who should be accountable when an employee enables an AI tool that touches corporate data?
A: Accountability should sit with the managed employee identity, the device that executed the tool, and the team that approved the workflow. That shared accountability model matters because the agent itself usually has no independent governance record. Without clear ownership, the organisation cannot determine whether the access was intentional, excessive, or unauthorised.
👉 Read our full editorial: Shadow AI and the identity gap behind the silicon workforce
