TL;DR: Shadow AI is widening governance and visibility gaps as 44% of AI-using organisations report business units deploying AI without IT or security involvement, according to Delinea’s 2025 AI in Identity Security report. The central issue is not just unsanctioned tool use, but identity controls that do not reliably cover AI entities, agent access, and machine identity lifecycle management.
NHIMG editorial — based on content published by Delinea: Shadow AI risk: Navigating the growing threat of ungoverned AI adoption
By the numbers:
- 44% of organizations with at least some AI usage struggle with business units deploying AI solutions without involving IT and security teams
- 57% of organizations have an acceptable use policy for AI tools in place
- 61% of organizations claim to have full visibility into all machine identities for the purpose of monitoring for compromise
Questions worth separating out
Q: How should security teams govern shadow AI without blocking useful adoption?
A: Start by inventorying every AI tool, model, assistant, and API-connected workflow that can touch enterprise data.
Q: Why does shadow AI create more than a software approval problem?
A: Because the risk is not only that an unapproved tool is running.
Q: What do teams get wrong about machine identity security in AI programmes?
A: They often assume confidence means coverage.
Practitioner guidance
- Inventory every AI access path: Identify all sanctioned and unsanctioned AI tools, the identities they use, and the data or systems they can reach.
- Bind AI entities to explicit governance controls: Require access scope, logging, and review for any AI entity that can access sensitive data or invoke downstream systems.
- Review machine identity lifecycle evidence: Validate that machine identities tied to AI use are discoverable, monitored, and revocable.
What's in the full article
Delinea's full blog covers the operational detail this post intentionally leaves for the source:
- Survey breakdowns showing how organisations are applying AI controls, acceptable use policies, and identity governance across different maturity levels.
- The article's specific recommendations for securing generative AI and extending identity practices to agentic AI use cases.
- The reported relationship between machine identity confidence, visibility, and lifecycle management in the 2025 research dataset.
- Examples of how security leaders can tighten monitoring and auditing around AI tools without blocking adoption.