Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Shadow AI in the enterprise: what security teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10158
Topic starter  

TL;DR: Shadow AI is now widespread across chatbots, SaaS copilots, browser extensions, and autonomous agents, with employees routinely sharing sensitive data outside approved controls, according to Knostic and cited survey data from Cybernews, SAP, and Microsoft. The governance problem is no longer adoption alone, but the lack of visibility, identity-aware controls, and enforceable policy around how AI tools handle enterprise data.

NHIMG editorial — based on content published by Knostic: Shadow AI in the Enterprise

By the numbers:

Questions worth separating out

Q: How should security teams control shadow AI in the enterprise?

A: Start by classifying approved AI use cases by data sensitivity, then enforce access through identity-aware controls rather than user education alone.

Q: Why does shadow AI create a non-human identity risk?

A: Because many AI tools and agents operate with stored credentials, delegated permissions, or embedded service access, they behave like non-human identities even when users create them casually.

Q: What do organisations get wrong about approving AI tools?

A: They often approve the headline application while ignoring the embedded feature, extension, or data path that actually processes information.

Practitioner guidance

  • Define approved AI use cases by data class Create explicit rules for what data employees may share with chatbots, copilots, extensions, and agents.
  • Inventory embedded AI features in SaaS platforms Treat summarisation, search, drafting, and predictive features as separate AI controls, not harmless interface options.
  • Bind AI access to persona and context Use persona-based and attribute-based controls so AI tools only receive the access needed for a specific role and task.

What's in the full article

Knostic's full article covers the operational detail this post intentionally leaves for the source:

  • A side-by-side breakdown of the shadow AI scenarios and how each one surfaces in real enterprise workflows.
  • Practical examples of identity-aware access controls for AI tools, agents, and embedded SaaS features.
  • The article's remediation guidance for visibility, monitoring, and user enablement across common shadow AI patterns.
  • The source's own examples of how unapproved AI usage affects compliance, data leakage, and operational risk.

👉 Read Knostic's full analysis of shadow AI scenarios and enterprise controls →

Shadow AI in the enterprise: what security teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9713
 

Shadow AI is becoming an identity governance problem, not just an AI policy problem. The article shows that unapproved tools and embedded features are already sitting inside ordinary workstreams, often with user credentials or delegated access attached. That means the real failure is not only tool adoption, but the absence of lifecycle control over who or what is allowed to act with those permissions. For IAM and PAM teams, AI usage must now be reviewed as an access-governance event, not a convenience choice.

A few things that frame the scale:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: Who is accountable when an unapproved AI agent exposes sensitive data?

A: Accountability sits with the business owner that enabled the workflow, the control owner that failed to detect it, and the governance function that did not define acceptable data use. For regulated data, privacy, security, and compliance teams all need an auditable approval and review process.

👉 Read our full editorial: Shadow AI is turning productivity tools into unmanaged data pipes



   
ReplyQuote
Share: