TL;DR: Browser-only discovery misses locally installed SaaS apps, standalone AI desktop tools, and agentic browsers that never generate the cloud or IdP signals standard controls depend on, leaving visibility gaps that affect compliance and risk management, according to JumpCloud. The core problem is that discovery models built for browser activity no longer match software usage that now executes on the endpoint.
NHIMG editorial — based on content published by JumpCloud: device-based AI and SaaS discovery for local shadow IT and AI
By the numbers:
- AI adoption is currently stalled for many organizations by limited oversight of permissions (46%) and a fundamental lack of visibility into AI activity (45%).
Questions worth separating out
Q: How should security teams govern local AI apps that bypass browser-based controls?
A: Security teams should treat local AI apps as endpoint-governed software, not as browser extensions of SaaS.
Q: Why do standalone desktop apps create visibility gaps for IAM teams?
A: Standalone desktop apps create visibility gaps because they can be installed and authenticated outside the normal SSO, IdP, and web gateway paths.
Q: What breaks when software discovery stops at the browser?
A: What breaks is the assumption that every meaningful application session will produce a central identity or network signal.
Practitioner guidance
- Add endpoint installation data to SaaS governance: Correlate device-installed applications with browser and connector discovery so local AI tools and desktop SaaS apps do not remain outside the software inventory.
- Review approval paths for local AI tools: Require explicit review for standalone AI desktop apps and agentic browsers before they can be used with corporate or personal credentials on managed devices.
- Treat local execution as a policy boundary: Write controls that apply when software runs outside the browser, including requirements for user attribution, allowed installs, and evidence retention.
What's in the full article
JumpCloud's full article covers the operational detail this post intentionally leaves for the source:
- How the existing JumpCloud device agent identifies locally installed applications without deploying a separate tracking tool
- The mechanics of combining browser, connector, and device-based discovery into a single SaaS inventory
- Why locally installed AI desktop apps and agentic browsers can bypass standard SSO, web gateway, and IdP signals
- The compliance and SBOM use cases that depend on endpoint-level application visibility
👉 Read JumpCloud's analysis of device-based AI and SaaS discovery →
Local AI and SaaS discovery on devices: what changes for IT teams?
Explore further
Device discovery is becoming the missing identity control plane for local software. Browser-centric SaaS management was built for a world where most work happened through the web and every meaningful action left an identity trail. That model breaks when applications move onto the endpoint and can be launched with no browser session, no connector event, and no centralised audit signal. The implication is that software inventory, access governance, and user attribution now need to converge at the device layer.
A few things that frame the scale:
- DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records including chat histories, backend credentials, and API keys, according to DeepSeek breach.
- Our research also found that attackers attempt access within an average of 17 minutes when AWS credentials are exposed publicly, and as quickly as 9 minutes in some cases.
A question worth separating out:
Q: How can organisations measure whether local AI is under control?
A: Organisations should measure whether they can link installed local tools to named users, approved device groups, and documented policy decisions. If a local AI app appears in the estate without an owner, a review status, or a recorded business purpose, the programme still has an unmanaged exposure.
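One way to run the correlation from the practitioner guidance and the measurement described in this answer, as an added example that is not JumpCloud's or the editorial's own code. The device names, users, application names, register fields and the `audit` helper are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data; every name and field below is an assumption.
DEVICE_INSTALLS = [  # (device, primary user or None, installed application)
    ("lt-0142", "a.ng", "Example AI Desktop"),
    ("lt-0142", "a.ng", "Example Notes"),
    ("lt-0377", None, "Example Agentic  Browser"),
    ("lt-0511", "r.ortiz", "example ai desktop"),
]
CENTRAL_DISCOVERY = {"example notes"}  # seen via browser or connector discovery
REGISTER = {  # review register keyed by normalized application name
    "example notes": {"owner": "it-apps", "status": "approved", "purpose": "note taking"},
    "example ai desktop": {"owner": "sec-arch", "status": "pending", "purpose": ""},
}
REQUIRED = ("owner", "status", "purpose")


def norm(name):
    """Case-fold and collapse whitespace so inventory sources join on one key."""
    return " ".join(name.lower().split())


def audit(installs, central, register):
    """Return one finding per installed app that is not fully governed."""
    seen = defaultdict(list)
    for device, user, app in installs:
        seen[norm(app)].append((device, user))
    findings = []
    for app in sorted(seen):
        entry = register.get(app, {})
        finding = {
            "app": app,
            "devices": sorted({d for d, _ in seen[app]}),
            "endpoint_only": app not in central,  # no browser/connector signal
            "unattributed": sorted({d for d, u in seen[app] if not u}),
            "missing": [f for f in REQUIRED if not entry.get(f)],
            "approved": entry.get("status") == "approved",
        }
        if (finding["endpoint_only"] or finding["unattributed"]
                or finding["missing"] or not finding["approved"]):
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(DEVICE_INSTALLS, CENTRAL_DISCOVERY, REGISTER):
        print(f)
```

An empty result means every locally installed application has a central discovery signal, a named user on each device, and a complete, approved register entry.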
👉 Read our full editorial: Device-based AI and SaaS discovery closes local shadow IT gaps