TL;DR: Shadow AI is proliferating inside browsers, devices, and on-premise environments, and according to JumpCloud, 40% of enterprise applications will embed task-specific AI agents by the end of 2026, up from less than 5% at the start of 2025. Traditional IAM cannot govern what discovery cannot see, and agentic access now needs lifecycle control as well as policy enforcement.
NHIMG editorial — based on content published by JumpCloud: shadow AI, agentic IAM, and the visibility gap for AI agents
By the numbers:
- 40% of all enterprise applications will embed task-specific AI agents by the end of the year.
- Less than 5% did so at the start of 2025.
Questions worth separating out
Q: How should security teams govern shadow AI that appears outside normal onboarding?
A: Security teams should treat shadow AI as an identity inventory and lifecycle problem, not just a tooling problem.
Q: Why do AI agents create more risk than ordinary automation in identity programmes?
A: AI agents create more risk because they can act independently while inheriting access from users, devices, or integrations that were never designed for autonomous behaviour.
Q: What breaks when organisations cannot see AI agents across devices and browsers?
A: When organisations cannot see AI agents across devices and browsers, they lose the ability to inventory the actor, trace its access, and prove who approved it.
Practitioner guidance
- Expand discovery beyond SSO and SaaS inventories: Instrument browsers, endpoint processes, and on-premise runtimes so AI agents are visible where they actually execute, not only where they are registered.
- Treat AI agents as governed identities: Assign an owner, define the permitted data and tool scope, and record when each agent is approved so accountability exists before access expands.
- Bind offboarding to agent retirement: Remove access when the use case ends and verify that browser extensions, workflows, and delegated tokens are revoked together.
What's in the full article
JumpCloud's full article covers the operational detail this post intentionally leaves for the source:
- How JumpCloud frames discovery across browsers, devices, and on-premise environments for hidden AI agents
- The vendor's proposed lifecycle approach for creating, managing, and retiring autonomous agents
- Examples of how its Agentic IAM model is intended to map agents into an identity programme
- The full discussion of Zombie Agents and Shadow AI as a control and visibility problem