
Shadow AI in the enterprise: is your governance keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: Shadow AI is already widespread, with 55% of employees using GenAI without approval, 67 apps per enterprise on average, and 11% of pasted content containing confidential data, creating exposure across code, customer information, and road-map material, according to Pomerium. Identity-aware, zero-trust enforcement is now the baseline for governable AI usage, not an optional control layer.

NHIMG editorial — based on content published by Pomerium: Shadow AI Is Already in Your Org. Here’s the 5-Minute Playbook to Secure It

By the numbers:

  • 55% of employees use GenAI without approval
  • 67 GenAI apps in use per enterprise on average
  • 11% of content pasted into GenAI tools contains confidential data

Questions worth separating out

Q: How should security teams govern shadow AI without blocking productive use?

A: They should govern shadow AI with identity-aware policy, not blanket bans.

Q: Why do unsanctioned GenAI tools create an IAM problem?

A: Because access is happening outside the normal control loop.

Q: What breaks when security teams rely on prompt filtering alone?

A: Prompt filtering breaks when the user can paste data through another route before inspection happens.

Practitioner guidance

  • Inventory all AI access paths: map browser use, IDE plug-ins, API calls, and internal agents so you can see where sensitive data may leave sanctioned controls.
  • Bind AI policy to identity and data class: write policies that decide based on user role, device context, destination, and the sensitivity of the content being sent.
  • Issue short-lived credentials for every AI request path: replace standing keys in scripts and agents with ephemeral credentials that expire with the session or task.

What's in the full article

Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:

  • How the identity-aware gateway evaluates who, what, when, and where for AI traffic
  • How to import IdP groups and translate them into enforceable AI access policy
  • How to structure enriched logs so SIEM output includes user, role, policy decision, and context
  • How to decide where to block, transform, or route AI requests based on destination and data sensitivity

👉 Read Pomerium's analysis of shadow AI governance and zero-trust controls →
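An added example, not code from this post or from Pomerium, of the identity-aware decision the practitioner guidance above describes: a gateway-side check that decides allow, transform or block from user role, device posture, destination and data class, and returns the enriched log record (user, role, policy decision, context) the SIEM should receive. Hostnames, role names and the classifier patterns are constructed placeholders.

```python
import json
import re
from dataclasses import dataclass

# Constructed example (not Pomerium's code): a gateway-side check that runs on every outbound
# GenAI request, whatever client sent it, so a paste that bypassed a prompt-box filter is still seen.
SANCTIONED_DESTINATIONS = {"llm.sanctioned.example"}   # placeholder hostname
PII_ROLES = {"support", "engineer"}                      # roles cleared to send customer data
DATA_CLASSES = {                                        # constructed classifiers, most sensitive first
    "secret": re.compile(r"(?i)\b(api[_-]?key|password|secret)\s*[:=]\s*\S+"),
    "customer_pii": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),  # SSN-shaped marker
}

@dataclass
class AIRequest:
    user: str             # who
    role: str             # from the IdP group in a real deployment
    device_managed: bool  # device posture
    destination: str      # where the traffic is going
    content: str          # what is being sent

def classify(content: str) -> str:
    return next((c for c, p in DATA_CLASSES.items() if p.search(content)), "public")

def redact(content: str) -> str:
    for pattern in DATA_CLASSES.values():
        content = pattern.sub("[REDACTED]", content)
    return content

def decide(req: AIRequest, data_class: str) -> str:
    # Policy keyed on identity, device, destination and data class, not on the tool alone.
    if req.destination not in SANCTIONED_DESTINATIONS:
        return "block"      # unsanctioned tool: nothing leaves
    if data_class == "secret":
        return "block"      # credentials never go to an LLM
    if data_class == "customer_pii" and not req.device_managed:
        return "block"      # sensitive data only from managed devices
    if data_class == "customer_pii" and req.role not in PII_ROLES:
        return "transform"  # other roles get a redacted prompt
    return "allow"

def enforce(req: AIRequest) -> tuple:
    """Return (content to forward or None, enriched JSON log line for the SIEM)."""
    data_class = classify(req.content)
    decision = decide(req, data_class)
    forwarded = {"allow": req.content, "transform": redact(req.content)}.get(decision)
    record = {"user": req.user, "role": req.role, "device_managed": req.device_managed,
              "destination": req.destination, "data_class": data_class,
              "decision": decision}        # raw prompt deliberately kept out of the log
    return forwarded, json.dumps(record, sort_keys=True)
```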
