Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Shadow AI governance gaps: what security teams need to fix


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Nearly 90% of organisations now use AI in at least one business function, while only 22% rely exclusively on employer-provided tools and nearly two-thirds lack the policies needed to detect or manage shadow AI, according to Zero Networks. The governance gap is now broader than visibility alone: unsanctioned AI creates access paths, lateral movement risk, and compliance exposure that conventional controls were not built to cover.

NHIMG editorial — based on content published by Zero Networks: Securing Shadow AI: How to Detect and Govern Unsanctioned AI Tools

By the numbers:

Questions worth separating out

Q: How should security teams govern shadow AI without losing visibility into legitimate business use?

A: Start by classifying approved AI services, then measure actual traffic, API calls, and embedded integrations against that baseline.

Q: Why do shadow AI tools create more risk than ordinary software sprawl?

A: Shadow AI can authenticate, chain actions, and reach data through APIs and workloads in ways ordinary software inventory tools do not model well.

Q: What do security teams get wrong about AI agent least privilege?

A: They often assign permissions based on the agent’s intended job rather than its observed runtime behaviour.

Practitioner guidance

  • Inventory AI access paths continuously Map every AI-related destination, API connection, and embedded integration from observed traffic rather than from declared tooling lists.
  • Block unsanctioned AI destinations by default Use allowlists for approved AI services and enforce them at the network layer so users, devices, and workloads cannot bypass policy through alternate clients or embedded features.
  • Scope AI agents to observed operational need Review each agent against what it actually authenticates to and what it can reach, then remove inherited permissions that are broader than the runtime task requires.

What's in the full article

Zero Networks' full article covers the operational detail this post intentionally leaves for the source:

  • How the article maps shadow AI discovery to live network visibility and enforcement points.
  • The four-step control approach for inventorying AI, blocking unsanctioned destinations, and governing agents with least privilege.
  • The product-specific segmentation and control examples for SaaS AI, AI agents, and LLM infrastructure.
  • The operational distinction between deterministic enforcement and human-on-the-loop policy management.

👉 Read Zero Networks' analysis of shadow AI detection and governance →

Shadow AI governance gaps: what security teams need to fix?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Shadow AI is the governance gap between AI adoption and identity control. The article correctly shows that usage is rising faster than oversight, but the deeper issue is that AI access is now being created outside approved identity processes. Once that happens, policy enforcement, recertification, and access review all start from incomplete evidence. The practitioner conclusion is simple: AI visibility must be treated as identity governance, not just application discovery.

A few things that frame the scale:

  • The average cost of a data breach is $670,000 higher for organizations with high levels of shadow AI, according to The State of Secrets in AppSec.
  • Another finding from the same research shows that 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases.

A question worth separating out:

Q: Who is accountable when shadow AI causes a compliance failure?

A: Accountability sits with the organisation that allowed the access path to exist without oversight, classification, and control evidence. For regulated environments, that includes the teams responsible for identity governance, security operations, and audit readiness. If a tool cannot be inventoried and assigned controls, compliance claims are weak from the start.

👉 Read our full editorial: Shadow AI outpaces governance as unsanctioned tools spread



   
ReplyQuote
Share: