Shadow AI visibility gaps - are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: Shadow AI is proliferating inside browsers, devices, and on-premise environments, and according to JumpCloud, 40% of enterprise applications will embed task-specific AI agents by the end of 2026, up from less than 5% at the start of 2025. Traditional IAM cannot govern what discovery cannot see, and agentic access now needs lifecycle control as well as policy enforcement.

NHIMG editorial — based on content published by JumpCloud: shadow AI, agentic IAM, and the visibility gap for AI agents

By the numbers:

Questions worth separating out

Q: How should security teams govern shadow AI that appears outside normal onboarding?

A: Security teams should treat shadow AI as an identity inventory and lifecycle problem, not just a tooling problem.

Q: Why do AI agents create more risk than ordinary automation in identity programmes?

A: AI agents create more risk because they can act independently while inheriting access from users, devices, or integrations that were never designed for autonomous behaviour.

Q: What breaks when organisations cannot see AI agents across devices and browsers?

A: When organisations cannot see AI agents across devices and browsers, they lose the ability to inventory the actor, trace its access, and prove who approved it.

Practitioner guidance

What's in the full article

JumpCloud's full article covers the operational detail this post intentionally leaves for the source:

  • How JumpCloud frames discovery across browsers, devices, and on-premise environments for hidden AI agents
  • The vendor's proposed lifecycle approach for creating, managing, and retiring autonomous agents
  • Examples of how its Agentic IAM model is intended to map agents into an identity programme
  • The full discussion of Zombie Agents and Shadow AI as a control and visibility problem

👉 Read JumpCloud's analysis of shadow AI and agentic identity governance →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

Shadow AI is an identity inventory failure before it is an AI governance failure. When agents appear through browsers, device processes, and unmanaged workflows, the organisation loses the ability to bind action to ownership. That makes the first broken premise simple: if you cannot enumerate the actor, you cannot govern its access. Practitioners should treat discovery coverage as a prerequisite for any agent policy.

A few things that frame the scale:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.

A question worth separating out:

Q: Who is accountable when a shadow AI agent exposes sensitive data?

A: Accountability sits with the team that allowed the agent to operate without lifecycle ownership, review, and revocation controls. The identity problem is not the data leak alone, but the absence of a responsible owner for the actor that caused it.

👉 Read our full editorial: Shadow AI visibility gaps are outpacing enterprise IAM controls



   