TL;DR: Shadow AI is creating invisible governance and data-exfiltration risk as employees adopt unsanctioned AI tools faster than security teams can inventory or control them, according to SailPoint. The core failure is not adoption itself but the assumption that identity and access programmes can govern tools they cannot see.
NHIMG editorial — based on content published by SailPoint: We are Customer Zero, how SailPoint secured its own shadow AI
Questions worth separating out
Q: What breaks when Shadow AI is not visible to security teams?
A: When Shadow AI is invisible, identity and security teams cannot classify the tool, assess its data handling, or enforce consistent policy.
Q: Why does Shadow AI complicate IAM and IGA programmes?
A: Shadow AI complicates IAM and IGA because those programmes depend on knowing what applications exist and which controls apply to them.
Q: How can security teams measure whether Shadow AI governance is working?
A: They should look for reduction in unknown AI tool usage, faster onboarding of approved tools, fewer cases of sensitive data reaching unmanaged services, and lower friction when policy response is triggered.
Practitioner guidance
- Build discovery for Shadow AI use cases: Instrument browser, endpoint, and proxy telemetry so security teams can identify unsanctioned AI tools before they become normalised work patterns.
- Classify AI tools by data exposure risk: Separate low-risk productivity use from systems that ingest sensitive data, then apply stricter review for tools with opaque retention or training behaviour.
- Tie AI governance to policy enforcement: Make approved-tool redirection, application flagging, and access policy triggers part of the same workflow so remediation happens during active use.
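As an added example (not SailPoint's or NHIMG's code) tying the three steps above into one pass: a small Python triage over constructed proxy telemetry that discovers AI hosts, classifies them by a hypothetical data-exposure tier, and picks the remediation (flag, redirect to the approved tool, or queue for review). The host names, tiers, threshold, users and log lines are all constructed for illustration.

```python
import re
from collections import Counter
# Constructed inventory (assumption): one approved tool, plus known AI
# services with a data-exposure tier ("high" = opaque retention/training).
SANCTIONED = {"ai.corp.example"}
KNOWN_AI_HOSTS = {"chat.genai-example.com": "high", "grammar-example.net": "low"}
AI_HINT = re.compile(r"gpt|llm|genai|copilot", re.I)   # heuristic for unlisted hosts
APPROVED_URL = "https://ai.corp.example"               # hypothetical redirect target
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
                    r"host=(?P<host>\S+) bytes_out=(?P<bytes_out>\d+)$")

def parse_line(line):
    """Parse one constructed proxy log line; None if it does not match."""
    return m.groupdict() if (m := LOG_RE.match(line.strip())) else None

def triage(ev, upload_threshold=50_000):
    """Classify one event and choose the remediation the workflow should trigger."""
    host = ev["host"]
    large_upload = ev["method"] == "POST" and int(ev["bytes_out"]) >= upload_threshold
    if host in SANCTIONED:
        return {"status": "sanctioned", "action": "none"}
    if host in KNOWN_AI_HOSTS:
        tier = KNOWN_AI_HOSTS[host]
        # High-tier tools, or any large upload, are redirected to the approved tool.
        action = "redirect" if tier == "high" or large_upload else "flag"
        return {"status": "unsanctioned", "tier": tier, "action": action,
                "redirect_to": APPROVED_URL if action == "redirect" else None}
    if AI_HINT.search(host):   # unlisted but AI-looking: queue for classification
        return {"status": "candidate", "action": "review"}
    return {"status": "not_ai", "action": "none"}

def run(lines):
    """Triage every parsable line; return findings plus the metrics the page lists."""
    findings = [{**ev, **triage(ev)} for ev in map(parse_line, lines) if ev]
    metrics = {
        "unsanctioned_by_host": Counter(f["host"] for f in findings if f["status"] == "unsanctioned"),
        "users_redirected": sorted({f["user"] for f in findings if f["action"] == "redirect"}),
        "candidates_for_review": sorted({f["host"] for f in findings if f["status"] == "candidate"}),
    }
    return findings, metrics

SAMPLE_LOG = [  # constructed proxy telemetry, including one malformed line
    "2024-05-01T09:00:01Z user=alice method=POST host=chat.genai-example.com bytes_out=120000",
    "2024-05-01T09:02:10Z user=bob method=GET host=grammar-example.net bytes_out=812",
    "2024-05-01T09:05:33Z user=carol method=POST host=ai.corp.example bytes_out=40000",
    "2024-05-01T09:07:45Z user=dave method=POST host=new-llm-tool.example bytes_out=9000",
    "malformed line",
]
if __name__ == "__main__":
    print(run(SAMPLE_LOG)[1])
```

The `candidates_for_review` bucket is the discovery output: hosts that look like AI services but are not yet in the inventory, which is exactly the set a governance team has to classify before any policy can apply to them.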
What's in the full article
SailPoint's full blog covers the operational detail this post intentionally leaves for the source:
- How SailPoint's browser-extension rollout was phased across internal teams and scaled to 3,400 users.
- What the Shadow AI Remediation workflow actually surfaced about user behaviour, LLM usage, and application onboarding gaps.
- Which remediation actions were used in practice, including real-time redirection and policy application.
- How the team connected identity governance with SOC workflows to create a tighter feedback loop.
👉 Read SailPoint’s blog on how it found and remediated Shadow AI internally →
Shadow AI governance gap: are your controls keeping up?
Explore further
Shadow AI is now an identity governance problem, not an app preference problem. Employees can introduce AI tools faster than traditional approval and inventory processes can absorb them. That means the control question is no longer whether the organisation likes the tool, but whether identity governance can even see the tool before data moves through it. Practitioners should treat discovery of Shadow AI as a prerequisite to any meaningful governance model.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- The same research found that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which underscores how quickly visibility gaps become governance gaps.
A question worth separating out:
Q: What is the difference between Shadow AI control and simple application approval?
A: Application approval is a one-time governance step. Shadow AI control is a continuous visibility and response function that detects usage, assesses risk, and applies policy while the tool is being used. Approval alone is insufficient because employees can adopt new AI services outside the sanctioned path and move sensitive data before review occurs.
👉 Read our full editorial: Shadow AI visibility gaps are widening enterprise identity risk