TL;DR: Shadow AI is widening governance and visibility gaps as 44% of AI-using organisations report business units deploying AI without IT or security involvement, according to Delinea’s 2025 AI in Identity Security report. The central issue is not just unsanctioned tool use, but identity controls that do not reliably cover AI entities, agent access, and machine identity lifecycle management.
NHIMG editorial — based on content published by Delinea: Shadow AI risk: Navigating the growing threat of ungoverned AI adoption
By the numbers:
- 44% of organizations with at least some AI usage struggle with business units deploying AI solutions without involving IT and security teams
- 57% of organizations have an acceptable use policy for AI tools in place
- 61% of organizations claim to have full visibility into all machine identities for the purpose of monitoring for compromise
Questions worth separating out
Q: How should security teams govern shadow AI without blocking useful adoption?
A: Start by inventorying every AI tool, model, assistant, and API-connected workflow that can touch enterprise data.
Q: Why does shadow AI create more than a software approval problem?
A: Because the risk is not only that an unapproved tool is running.
Q: What do teams get wrong about machine identity security in AI programmes?
A: They often assume confidence means coverage.
Practitioner guidance
- Inventory every AI access path Identify all sanctioned and unsanctioned AI tools, the identities they use, and the data or systems they can reach.
- Bind AI entities to explicit governance controls Require access scope, logging, and review for any AI entity that can access sensitive data or invoke downstream systems.
- Review machine identity lifecycle evidence Validate that machine identities tied to AI use are discoverable, monitored, and revocable.
What's in the full article
Delinea's full blog covers the operational detail this post intentionally leaves for the source:
- Survey breakdowns showing how organisations are applying AI controls, acceptable use policies, and identity governance across different maturity levels.
- The article's specific recommendations for securing generative AI and extending identity practices to agentic AI use cases.
- The reported relationship between machine identity confidence, visibility, and lifecycle management in the 2025 research dataset.
- Examples of how security leaders can tighten monitoring and auditing around AI tools without blocking adoption.
👉 Read Delinea’s analysis of shadow AI risk and identity control gaps →
Shadow AI governance gaps: what IAM and security teams need to know?
Explore further
Shadow AI is an identity governance problem before it is an AI problem. The article’s core signal is that unsanctioned AI adoption bypasses the same control layers used to govern human, machine, and privileged access. That means discovery, policy enforcement, and lifecycle control must extend to AI-connected identities, not sit beside them. Practitioners should treat shadow AI as an access governance failure, not a tooling preference.
A few things that frame the scale:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who is accountable when shadow AI exposes data or credentials?
A: Accountability should rest with the business owner of the AI use case, the security team that approves or blocks the access path, and the identity team that governs the machine or user credentials involved. If no one owns discovery, review, and revocation, shadow AI becomes a standing governance gap rather than an isolated incident.
👉 Read our full editorial: Shadow AI governance gaps are exposing machine identity risk