
Shadow AI on endpoints: what IAM and PAM teams need to do


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: Shadow AI is already embedded in browser extensions, IDE plugins, local models, and OAuth-connected assistants on employee endpoints, creating hidden data leakage, secret exposure, and long-lived non-human identities, according to Delinea. The real problem is not adoption itself, but unmanaged identity inheritance that extends user access into tools no security team has inventoried.

NHIMG editorial — based on the Delinea post "Shadow AI is already on your endpoints. Here's what to do about it"

Questions worth separating out

Q: How should security teams govern AI tools that inherit user permissions on endpoints?

A: Treat each OAuth-connected assistant, plug-in, or local model as a non-human identity with delegated authority.

Q: Why do shadow AI tools create more risk than ordinary shadow IT?

A: Shadow AI is more dangerous because it can process far more sensitive data and act through inherited permissions.

Q: What breaks when employees paste secrets into AI chat tools?

A: Secrets can leave the organisation through a normal work interaction rather than a known transfer channel.

Practitioner guidance

  • Inventory AI tools on the endpoint: Use endpoint privilege management and application control to identify browser extensions, local model runtimes, and AI apps that are running outside procurement and security review.
  • Review OAuth grants as non-human identities: Map every AI assistant, plug-in, and connector to the account it impersonates, then classify the access it inherits.
  • Restrict local model elevation on workstations: Block administrative installation paths where a local LLM or wrapper does not need them, and monitor for persistent processes that create an unmanaged endpoint footprint.
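The three guidance points above amount to one procedure: discover AI tools on the endpoint, map each one to the human account whose authority it inherits, and tier the result by the access it holds. The script below is an added example that does this over constructed sample data; it is not code from Delinea, Privilege Manager, or NHIMG. It assumes three inputs a team would already have: Chrome-style extension manifests, a process listing with elevation and autostart flags, and OAuth consent grants exported from an identity provider. The AI-name keyword list and the scope-to-risk mapping are illustrative assumptions, not vendor logic.

```python
"""Build a non-human identity (NHI) register for AI tools found on an endpoint.

Added example over constructed data; not code from Delinea or NHIMG.
Inputs modelled: browser extension manifests, a process list, and OAuth
consent grants. Keyword list and scope risk tiers are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed indicators that an extension, binary or OAuth app is AI-related.
AI_KEYWORDS = ("gpt", "llm", "copilot", "assistant", "ollama", "chat")

# Assumed mapping of OAuth scopes to a risk tier for the access the tool inherits.
SCOPE_RISK = {
    "files.readwrite": "high", "mail.read": "high", "mail.send": "high",
    "offline_access": "high",    # refresh token: the identity outlives the session
    "calendars.read": "medium",
    "user.read": "low", "openid": "low", "profile": "low",
}
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass
class NhiRecord:
    kind: str             # "extension", "process" or "oauth_app"
    name: str
    inherits_from: str    # human account whose authority the tool acts with
    scopes: List[str] = field(default_factory=list)
    flags: List[str] = field(default_factory=list)
    risk: str = "low"


def is_ai_named(name: str) -> bool:
    n = name.lower()
    return any(k in n for k in AI_KEYWORDS)


def classify_extension(manifest: dict, user: str) -> Optional[NhiRecord]:
    """Flag AI-named extensions; note broad host access and the identity permission."""
    name = manifest.get("name", "")
    if not is_ai_named(name):
        return None
    rec = NhiRecord("extension", name, user)
    hosts = manifest.get("host_permissions", []) + manifest.get("permissions", [])
    if any(h in ("<all_urls>", "*://*/*") for h in hosts):
        rec.flags.append("reads every page the user visits")
        rec.risk = "high"
    if "identity" in manifest.get("permissions", []):
        rec.flags.append("can obtain OAuth tokens via chrome.identity")
        rec.risk = "high"
    return rec


def classify_process(proc: dict, user: str) -> Optional[NhiRecord]:
    """Flag local model runtimes, especially when elevated or persistent."""
    if not is_ai_named(proc["image"]):
        return None
    rec = NhiRecord("process", proc["image"], user)
    if proc.get("elevated"):
        rec.flags.append("running with administrative privilege")
        rec.risk = "high"
    if proc.get("persistent"):
        rec.flags.append("registered to start at logon")
        rec.risk = max(rec.risk, "medium", key=RISK_ORDER.get)
    return rec


def classify_oauth_grant(grant: dict) -> Optional[NhiRecord]:
    """Map an OAuth consent grant to the account it impersonates and tier its scopes."""
    if not is_ai_named(grant["app"]):
        return None
    scopes = [s.lower() for s in grant["scopes"]]
    rec = NhiRecord("oauth_app", grant["app"], grant["user"], scopes=scopes)
    for scope in scopes:
        tier = SCOPE_RISK.get(scope, "medium")   # unknown scope: needs human review
        rec.risk = max(rec.risk, tier, key=RISK_ORDER.get)
    if "offline_access" in scopes:
        rec.flags.append("holds refresh token: access outlives the session")
    return rec


def build_register(user, manifests, processes, grants) -> List[NhiRecord]:
    """Combine the three sources into one register, highest risk first."""
    found = [classify_extension(m, user) for m in manifests]
    found += [classify_process(p, user) for p in processes]
    found += [classify_oauth_grant(g) for g in grants]
    register = [r for r in found if r is not None]
    return sorted(register, key=lambda r: -RISK_ORDER[r.risk])


# Constructed sample input (not real inventory data).
SAMPLE_MANIFESTS = [
    {"name": "Meeting Notes GPT Helper", "permissions": ["tabs", "identity"],
     "host_permissions": ["<all_urls>"]},
    {"name": "Dark Reader", "permissions": ["storage"], "host_permissions": ["<all_urls>"]},
]
SAMPLE_PROCESSES = [
    {"image": "ollama.exe", "elevated": True, "persistent": True},
    {"image": "outlook.exe", "elevated": False, "persistent": False},
]
SAMPLE_GRANTS = [
    {"app": "Inbox Assistant", "user": "alice@example.com",
     "scopes": ["Mail.Read", "Mail.Send", "offline_access"]},
    {"app": "Expense Portal", "user": "alice@example.com", "scopes": ["User.Read"]},
]

if __name__ == "__main__":
    for r in build_register("alice@example.com", SAMPLE_MANIFESTS, SAMPLE_PROCESSES, SAMPLE_GRANTS):
        print(f"[{r.risk:6}] {r.kind:10} {r.name!r} inherits from {r.inherits_from}: {'; '.join(r.flags)}")
```

The register is the artefact the guidance asks for: every AI tool appears as an identity with a named human principal behind it, so a revocation or a privilege reduction has an owner. Unknown OAuth scopes are deliberately tiered "medium" rather than "low" so that a scope the team has not yet classified still surfaces for review.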

What's in the full article

Delinea's full blog covers the operational detail this post intentionally leaves for the source:

  • Endpoint visibility examples for discovering browser extensions, local model runtimes, and AI binaries on employee devices
  • Practical monitoring rules for identifying leading AI tools running on laptops and PCs
  • How the latest Privilege Manager release filters endpoint processes and privileges that may indicate shadow AI
  • The vendor's product-specific workflow for turning endpoint observations into a controlled response

👉 Read Delinea's blog post on controlling shadow AI on endpoints →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8436
 

Shadow AI is really NHI sprawl in disguise: once an AI tool inherits OAuth permissions or runs persistently on an endpoint, it becomes a non-human identity that security teams must govern. The article's most useful contribution is to collapse the false boundary between AI adoption and identity management. The practical conclusion is that endpoint AI discovery belongs in NHI governance, not in a separate innovation queue.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • Our research also found that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which is the exact control blind spot shadow AI exploits when it inherits access.

A question worth separating out:

Q: How can organisations reduce Shadow AI risk without banning AI outright?

A: Use a visibility-first approach: discover what is installed, publish a short approved tool catalog, restrict unnecessary privilege, and train employees on what data can be shared. The goal is to make sanctioned tools easier to use than shadow tools. If the approved path is fast and clear, usage becomes governable rather than underground.

👉 Read our full editorial: Shadow AI on endpoints exposes a new identity governance gap

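The reply above describes a visibility-first approach: discover what is installed, publish a short approved tool catalog, and restrict unnecessary privilege. The reconciliation step between discovery and the catalog is where that becomes enforceable, so the following added example (constructed data; not code from NHIMG, Delinea, or the poster) compares a discovered list of AI tools against an approved catalog that states, per tool, the maximum OAuth scopes it may hold. Each tool comes out as sanctioned, over-privileged (approved tool holding scopes beyond its limit), or unsanctioned, with the remediation the approved path calls for. Catalog entries, owners and scope names are illustrative assumptions.

```python
"""Reconcile discovered endpoint AI tools against an approved tool catalog.

Added example over constructed data; not NHIMG's or Delinea's code. Assumes a
discovery step already produced tool records (name, user, scopes) and that the
approved catalog states the maximum OAuth scopes each tool may hold.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Decision:
    tool: str
    user: str
    status: str                       # sanctioned | over_privileged | unsanctioned
    excess_scopes: List[str] = field(default_factory=list)
    action: str = ""


# Constructed approved catalog: tool name -> scope ceiling and business owner.
APPROVED_CATALOG = {
    "inbox assistant": {"max_scopes": {"mail.read", "user.read"}, "owner": "it-apps"},
    "code copilot": {"max_scopes": {"user.read", "offline_access"}, "owner": "eng-platform"},
}

# Constructed discovery output (as an OAuth grant export plus endpoint inventory would give).
DISCOVERED = [
    {"name": "Inbox Assistant", "user": "alice@example.com",
     "scopes": ["Mail.Read", "Mail.Send", "offline_access"]},
    {"name": "Code Copilot", "user": "bob@example.com", "scopes": ["User.Read"]},
    {"name": "Meeting Notes GPT Helper", "user": "carol@example.com",
     "scopes": ["Files.ReadWrite"]},
]


def reconcile(tool: dict, catalog: Dict[str, dict] = APPROVED_CATALOG) -> Decision:
    """Decide one tool's status against the catalog; scope comparison is case-insensitive."""
    key = tool["name"].lower()
    held = {s.lower() for s in tool["scopes"]}
    entry = catalog.get(key)
    if entry is None:
        # Not in the catalog at all: the tool has no owner and no approved scope ceiling.
        return Decision(tool["name"], tool["user"], "unsanctioned", sorted(held),
                        "block at endpoint, revoke consent grant, point user to approved catalog")
    excess = sorted(held - entry["max_scopes"])
    if excess:
        # Approved tool, but the grant exceeds what the catalog allows it to inherit.
        return Decision(tool["name"], tool["user"], "over_privileged", excess,
                        f"revoke {', '.join(excess)}; re-consent within catalog limit; "
                        f"notify owner {entry['owner']}")
    return Decision(tool["name"], tool["user"], "sanctioned", [], "none; keep in NHI inventory")


def reconcile_all(tools: List[dict], catalog: Dict[str, dict] = APPROVED_CATALOG) -> List[Decision]:
    return [reconcile(t, catalog) for t in tools]


def summary(decisions: List[Decision]) -> Dict[str, int]:
    """Count outcomes; a high unsanctioned share means the approved path is not yet the easy path."""
    counts = {"sanctioned": 0, "over_privileged": 0, "unsanctioned": 0}
    for d in decisions:
        counts[d.status] += 1
    return counts


if __name__ == "__main__":
    decisions = reconcile_all(DISCOVERED)
    for d in decisions:
        print(f"{d.status:15} {d.tool!r} ({d.user}) -> {d.action}")
    print(summary(decisions))
```

The over-privileged case is the one worth watching: the tool is approved, so a simple allow/deny list would pass it, yet the grant it actually holds (here mail send and a refresh token) goes beyond the catalog ceiling. Revoking the excess rather than the whole grant keeps the sanctioned path working for the user, which is what makes governance preferable to going underground.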