
Shadow AI on endpoints: what IAM and PAM teams need to do


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3650
Topic starter  

TL;DR: Shadow AI is already embedded in browser extensions, IDE plugins, local models, and OAuth-connected assistants on employee endpoints, creating hidden data leakage, secret exposure, and long-lived non-human identities, according to Delinea. The real problem is not adoption itself, but unmanaged identity inheritance that extends user access into tools no security team has inventoried.

NHIMG editorial — based on content published by Delinea: Shadow AI is already on your endpoints. Here’s what to do about it

Questions worth separating out

Q: How should security teams govern AI tools that inherit user permissions on endpoints?

A: Treat each OAuth-connected assistant, plug-in, or local model as a non-human identity with delegated authority.

Q: Why do shadow AI tools create more risk than ordinary shadow IT?

A: Shadow AI is more dangerous because it can process far more sensitive data and act through inherited permissions.

Q: What breaks when employees paste secrets into AI chat tools?

A: Secrets can leave the organisation through a normal work interaction rather than a known transfer channel.

Practitioner guidance

  • Inventory AI tools on the endpoint: Use endpoint privilege management and application control to identify browser extensions, local model runtimes, and AI apps that are running outside procurement and security review.
  • Review OAuth grants as non-human identities: Map every AI assistant, plug-in, and connector to the account it impersonates, then classify the access it inherits.
  • Restrict local model elevation on workstations: Block administrative installation paths where a local LLM or wrapper does not need them, and monitor for persistent processes that create an unmanaged endpoint footprint.
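As an added illustration (not code from this post or from Delinea), the Python sketch below does what the second bullet recommends: it treats each OAuth grant as a non-human identity, maps it to the account it impersonates, classifies the inherited access, and flags AI-looking tools that hold elevated access or long-lived delegated authority. The grant records, scope risk tiers, AI name hints and review date are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample OAuth consent records (not real data), shaped like an IdP export.
SAMPLE_GRANTS = [
    {"app": "Meeting Notes Assistant", "user": "alice@example.com",
     "scopes": ["mail.read", "calendars.read", "files.read.all"], "granted": "2024-01-10"},
    {"app": "Expense Report Sync", "user": "bob@example.com", "scopes": ["profile"], "granted": "2025-06-01"},
    {"app": "Code Copilot Plugin", "user": "carol@example.com",
     "scopes": ["repo", "read:org", "workflow"], "granted": "2023-11-02"},
]
REVIEW_DATE = date(2025, 12, 1)  # fixed "today" so the sample review is reproducible

# Scope risk tiers and AI name hints are illustrative assumptions; adapt them to your IdP.
HIGH_RISK = {"files.read.all", "mail.read", "repo", "workflow", "directory.readwrite"}
MEDIUM_RISK = {"calendars.read", "read:org", "contacts.read"}
AI_HINTS = ("assistant", "copilot", "gpt", "llm", "chat")

@dataclass
class NonHumanIdentity:
    app: str            # the tool, treated as an identity in its own right
    impersonates: str   # the human account whose access it inherits
    access_level: str   # classification of the inherited access
    age_days: int       # how long the delegated authority has existed
    looks_like_ai: bool

def classify_scopes(scopes):
    """Classify inherited access by the most sensitive scope present."""
    present = set(scopes)
    return "high" if present & HIGH_RISK else "medium" if present & MEDIUM_RISK else "low"

def to_nhi(grant, today=REVIEW_DATE):
    """Map one OAuth grant to the non-human identity it represents."""
    age = (today - date.fromisoformat(grant["granted"])).days
    return NonHumanIdentity(grant["app"], grant["user"], classify_scopes(grant["scopes"]),
                            age, any(h in grant["app"].lower() for h in AI_HINTS))

def review_grants(grants, today=REVIEW_DATE, max_age_days=365):
    """Return (identity, reasons) for grants that need review."""
    findings = []
    for grant in grants:
        nhi, reasons = to_nhi(grant, today), []
        if nhi.looks_like_ai and nhi.access_level != "low":
            reasons.append(f"AI tool inherits {nhi.access_level}-risk access from {nhi.impersonates}")
        if nhi.age_days > max_age_days:
            reasons.append(f"grant is {nhi.age_days} days old: long-lived delegated authority")
        if reasons:
            findings.append((nhi, reasons))
    return findings
```

Run against the sample, only the two AI-looking grants are returned, each with both reasons; the low-scope sync app is left alone.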

What's in the full article

Delinea's full blog covers the operational detail this post intentionally leaves for the source:

  • Endpoint visibility examples for discovering browser extensions, local model runtimes, and AI binaries on employee devices
  • Practical monitoring rules for identifying leading AI tools running on laptops and PCs
  • How the latest Privilege Manager release filters endpoint processes and privileges that may indicate shadow AI
  • The vendor's product-specific workflow for turning endpoint observations into a controlled response

👉 Read Delinea's blog post on controlling shadow AI on endpoints →
