Shadow AI governance: why blocking tools is failing IT teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: Shadow AI is driving employees and autonomous AI agents to bypass controls, expand data exposure, and create audit gaps when organisations try to block usage instead of governing identity, according to JumpCloud. The real risk is unmanaged identity sprawl across human, non-human, and agentic access, making unified governance the practical response.

NHIMG editorial — based on content published by JumpCloud: Are your employees using AI tools without your approval?

Questions worth separating out

Q: How should security teams govern shadow AI without blocking every AI tool?

A: Start by governing the identities and data paths behind AI use, not the tool category itself.

Q: Why does shadow AI create more risk when organisations try to prohibit it?

A: Prohibition often shifts usage underground, which reduces visibility and weakens logging, data control, and accountability.

Q: What breaks when AI usage is not tied to identity governance?

A: Without identity governance, you cannot reliably answer who accessed what, when, or why.

Practitioner guidance

  • Inventory all AI access paths. Discover sanctioned and unsanctioned AI tools, then trace each one back to the human, token, service account, or agent that is actually making requests.
  • Unify policy across human and non-human identities. Apply the same verification and authorization model to human users, service connections, and emerging agentic access so one identity class does not become the bypass route for another.
  • Add auditability to approved AI workflows. Require approved AI use cases to preserve identity lineage, data handling records, and access logs that support compliance review.

What's in the full article

JumpCloud's full article covers the operational detail this post intentionally leaves for the source:

  • The vendor's specific visibility-and-control framing for sanctioned and unsanctioned AI usage.
  • The platform-oriented workflow it proposes for discovering AI access across users and identities.
  • The practical argument it makes for replacing block-first policy with a unified governance path.

👉 Read JumpCloud's analysis of shadow AI governance and unified identity control →




(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 4224
 

Shadow AI governance is fundamentally an identity governance problem. The article is right to move the conversation away from tool prohibition, but the deeper issue is that unsanctioned AI use creates uncontrolled identity pathways into data and systems. Human users, service connections, and emerging agentic identities all require the same governance lens when they can move corporate data outside approved controls. Practitioners should treat shadow AI as an access and accountability problem, not a procurement problem.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.

A question worth separating out:

Q: How should organisations decide whether to block or permit AI tools?

A: Use a governance test, not a fear test. If the organisation can discover the identity behind the usage, constrain its access, preserve logs, and review the data path, it can usually permit the tool with controls. If those conditions do not exist, the issue is governance maturity, not merely tool approval.

👉 Read our full editorial: Shadow AI governance needs unified identity controls, not blocking
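An added example, not part of either post above and not JumpCloud's or NHIMG's code, showing the first two practitioner bullets of the topic post (inventory AI access paths and trace each back to an identity; apply one authorization model across identity classes) and the identity-discovery condition of the governance test in the reply, as detection logic run over constructed egress-proxy log lines. Everything in it is assumed for illustration: the log format, the principal naming convention (user@domain for humans, svc- for service accounts, agent: for autonomous agents, apikey: for a bare credential the proxy could not bind to any identity), the .example hostnames, and the agent-owner registry.

```python
"""Attribute AI-tool egress to identities and flag governance gaps (added example)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed egress-proxy log, one request per line:
# "<timestamp> <principal> <destination host> <bytes sent>". Not real traffic.
SAMPLE_LOG = """\
2025-03-04T09:12:03Z alice@example.com api.approved-ai.example 2048
2025-03-04T09:13:41Z svc-build api.approved-ai.example 512
2025-03-04T09:15:09Z agent:report-writer api.approved-ai.example 8192
2025-03-04T09:16:22Z agent:orphan-bot api.approved-ai.example 1024
2025-03-04T09:18:57Z carol@example.com chat.shadow-ai.example 65536
2025-03-04T09:20:30Z apikey:sk_7f3a upload.shadow-ai.example 4194304
malformed line that the parser should skip
"""

# Hypothetical sanctioned-tool inventory: host -> identity classes approved to use it.
SANCTIONED: dict[str, set[str]] = {
    "api.approved-ai.example": {"human", "agent"},
    "chat.approved-ai.example": {"human"},
}

# Hypothetical agent registry: the accountable human behind each autonomous agent.
AGENT_OWNERS: dict[str, str] = {"agent:report-writer": "bob@example.com"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


@dataclass(frozen=True)
class Finding:
    principal: str
    identity_class: str   # human | service | agent | unknown
    lineage: str | None   # identity that can be held accountable, if resolvable
    host: str
    bytes_out: int
    verdict: str          # permit | policy_gap | unsanctioned_attributable | unattributable


def classify_principal(principal: str, agent_owners: dict[str, str]) -> tuple[str, str | None]:
    """Map a proxy principal to an identity class and the identity it traces back to.

    The prefixes are an assumed naming convention, not a standard.
    """
    if principal.startswith("agent:"):
        return "agent", agent_owners.get(principal)   # None => agent with no registered owner
    if principal.startswith("svc-"):
        return "service", principal                   # accountable via the service-account record
    if principal.startswith("apikey:"):
        return "unknown", None                        # bare credential, not bound to any identity
    if "@" in principal:
        return "human", principal
    return "unknown", None


def assess_line(line: str, sanctioned: dict[str, set[str]],
                agent_owners: dict[str, str]) -> Finding | None:
    """Parse one log line and apply the governance checks in priority order."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed; a production pipeline would count and alert on these
    _ts, principal, host, nbytes = m.groups()
    identity_class, lineage = classify_principal(principal, agent_owners)
    if lineage is None:
        verdict = "unattributable"             # nobody to answer "who accessed what, when, why"
    elif host not in sanctioned:
        verdict = "unsanctioned_attributable"  # shadow tool, but the identity is known: governable
    elif identity_class not in sanctioned[host]:
        verdict = "policy_gap"                 # approved tool reached via an identity class policy did not cover
    else:
        verdict = "permit"
    return Finding(principal, identity_class, lineage, host, int(nbytes), verdict)


def assess(log_text: str, sanctioned: dict[str, set[str]] = SANCTIONED,
           agent_owners: dict[str, str] = AGENT_OWNERS) -> list[Finding]:
    """Assess every well-formed line of an egress log."""
    findings = []
    for line in log_text.splitlines():
        f = assess_line(line, sanctioned, agent_owners)
        if f is not None:
            findings.append(f)
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per verdict."""
    return dict(Counter(f.verdict for f in findings))


if __name__ == "__main__":
    results = assess(SAMPLE_LOG)
    for f in results:
        print(f"{f.verdict:26} {f.identity_class:8} {f.principal:22} -> "
              f"{f.host} ({f.bytes_out} B) lineage={f.lineage}")
    print(summarize(results))
```

Run it as a script to print one finding per request and a count per verdict. The check order is deliberate: an unresolvable identity is reported before the destination is even consulted, because a request nobody can be held accountable for is the audit gap the thread describes whether or not the host is on the approved list, and the service account hitting an approved endpoint surfaces as a policy gap rather than disappearing into the "sanctioned" bucket.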


