Shadow AI to trusted AI governance: what IAM teams need now

TL;DR: AI adoption is expanding the identity problem from unmanaged non-human accounts to shadow AI and agentic access, while 77% of employees sharing secrets on ChatGPT shows the human, machine, and AI governance gaps are converging, according to Oasis Security. The security issue is no longer discovery alone, but whether identity control can keep pace with runtime behaviour across all three actor types.

NHIMG editorial — based on content published by Oasis Security: Cyber Beyond Humans: From Shadow AI to Trusted AI

By the numbers:

• Discover how 77% of employees sharing secrets on ChatGPT jeopardizes enterprise security.
• NHIMG research shows that 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
• 85% of organisations lack full visibility into third-party vendors connected via OAuth apps.

Questions worth separating out

Q: How should security teams govern shadow AI without blocking business productivity?

A: Start by identifying the identities and credentials behind AI use, then classify each one by data sensitivity, connected systems, and business purpose.

Q: Why do AI tools create new identity risks for IAM teams?

A: AI tools often inherit access through existing accounts, tokens, and integrations, which expands the attack surface without creating a new governance record.

Q: What breaks when AI access is managed like normal application access?

A: Normal application access assumes stable ownership, predictable usage, and clear review cycles.

Practitioner guidance

• Inventory every AI-connected identity Build a live register of employee-used AI tools, OAuth grants, API keys, and service accounts that can reach enterprise data or execute workflows.
• Separate approval from execution Require a second control point before an AI-connected identity can trigger data movement, external calls, or workflow actions.
• Define purpose-bound access rules Limit AI-related entitlements to a specific task, dataset, or workflow, then revoke or re-evaluate them when the purpose changes.

What's in the full article

Oasis Security's full blog post covers the operational detail this post intentionally leaves for the source:

• Examples of how shadow AI shows up in real enterprise workflows and where identity control breaks down.
• The article's own examples of trusted AI guardrails and how they relate to agent access management.
• The vendor's framing of NHI management fundamentals for organisations building an AI governance roadmap.
• The specific operational steps Oasis Security says teams should use to move from discovery to controlled access.

👉 Read Oasis Security's analysis of shadow AI and trusted AI governance →

Shadow AI to trusted AI governance: what IAM teams need now?

Explore further

View Full Forum →  |  NHI Foundation Course →