Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Shadow AI governance gaps: what IAM and security teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Shadow AI is widening governance and visibility gaps as 44% of AI-using organisations report business units deploying AI without IT or security involvement, according to Delinea’s 2025 AI in Identity Security report. The central issue is not just unsanctioned tool use, but identity controls that do not reliably cover AI entities, agent access, and machine identity lifecycle management.

NHIMG editorial — based on content published by Delinea: Shadow AI risk: Navigating the growing threat of ungoverned AI adoption

By the numbers:

Questions worth separating out

Q: How should security teams govern shadow AI without blocking useful adoption?

A: Start by inventorying every AI tool, model, assistant, and API-connected workflow that can touch enterprise data.

Q: Why does shadow AI create more than a software approval problem?

A: Because the risk is not only that an unapproved tool is running.

Q: What do teams get wrong about machine identity security in AI programmes?

A: They often assume confidence means coverage.

Practitioner guidance

What's in the full article

Delinea's full blog covers the operational detail this post intentionally leaves for the source:

  • Survey breakdowns showing how organisations are applying AI controls, acceptable use policies, and identity governance across different maturity levels.
  • The article's specific recommendations for securing generative AI and extending identity practices to agentic AI use cases.
  • The reported relationship between machine identity confidence, visibility, and lifecycle management in the 2025 research dataset.
  • Examples of how security leaders can tighten monitoring and auditing around AI tools without blocking adoption.

👉 Read Delinea’s analysis of shadow AI risk and identity control gaps →

Shadow AI governance gaps: what IAM and security teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Shadow AI is an identity governance problem before it is an AI problem. The article’s core signal is that unsanctioned AI adoption bypasses the same control layers used to govern human, machine, and privileged access. That means discovery, policy enforcement, and lifecycle control must extend to AI-connected identities, not sit beside them. Practitioners should treat shadow AI as an access governance failure, not a tooling preference.

A few things that frame the scale:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: Who is accountable when shadow AI exposes data or credentials?

A: Accountability should rest with the business owner of the AI use case, the security team that approves or blocks the access path, and the identity team that governs the machine or user credentials involved. If no one owns discovery, review, and revocation, shadow AI becomes a standing governance gap rather than an isolated incident.

👉 Read our full editorial: Shadow AI governance gaps are exposing machine identity risk



   
ReplyQuote
Share: