TL;DR: Browser-only discovery misses locally installed SaaS apps, standalone AI desktop tools, and agentic browsers that never generate the cloud or IdP signals standard controls depend on, leaving visibility gaps that affect compliance and risk management, according to JumpCloud. The core problem is that discovery models built for browser activity no longer match software usage that now executes on the endpoint.
NHIMG editorial — based on content published by JumpCloud: device-based AI and SaaS discovery for local shadow IT and AI
By the numbers:
- AI adoption is currently stalled for many organizations by limited oversight of permissions (46%) and a fundamental lack of visibility into AI activity (45%).
Questions worth separating out
Q: How should security teams govern local AI apps that bypass browser-based controls?
A: Security teams should treat local AI apps as endpoint-governed software, not as browser extensions of SaaS.
Q: Why do standalone desktop apps create visibility gaps for IAM teams?
A: Standalone desktop apps create visibility gaps because they can be installed and authenticated outside the normal SSO, IdP, and web gateway paths.
Q: What breaks when software discovery stops at the browser?
A: What breaks is the assumption that every meaningful application session will produce a central identity or network signal.
Practitioner guidance
- Add endpoint installation data to SaaS governance: Correlate device-installed applications with browser and connector discovery so local AI tools and desktop SaaS apps do not remain outside the software inventory.
- Review approval paths for local AI tools: Require explicit review for standalone AI desktop apps and agentic browsers before they can be used with corporate or personal credentials on managed devices.
- Treat local execution as a policy boundary: Write controls that apply when software runs outside the browser, including requirements for user attribution, allowed installs, and evidence retention.
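The correlation in the first guidance item, sketched as an added example (not JumpCloud's code or API): it merges device, browser, and connector discovery into one inventory and reports apps that only the endpoint can see, with user and device attribution. The record fields, app names, and the approved list are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records; field names are assumed export formats.
DEVICE_APPS = [  # from an endpoint agent's installed-software inventory
    {"device": "lt-014", "user": "avery", "app": "ExampleAI Desktop.app"},
    {"device": "lt-014", "user": "avery", "app": "Slack"},
    {"device": "lt-022", "user": "jordan", "app": "AgentBrowse"},
    {"device": "lt-022", "user": "jordan", "app": "exampleai-desktop"},
]
BROWSER_APPS = [{"user": "avery", "app": "slack"}, {"user": "jordan", "app": "Notion"}]
CONNECTOR_APPS = [{"app": "Slack"}, {"app": "Notion"}]  # SSO/IdP-connected apps
APPROVED = {"slack", "notion"}  # normalized names on the allowed-install list


def normalize(name):
    """Fold installer suffixes, case and punctuation so sources can be joined."""
    name = re.sub(r"\.(app|exe|msi)$", "", name.strip(), flags=re.I)
    return re.sub(r"[^a-z0-9]+", "", name.lower())


def build_inventory(device_apps, browser_apps, connector_apps):
    """Merge the three discovery sources into one inventory keyed by app."""
    inv = defaultdict(lambda: {"sources": set(), "users": set(), "devices": set()})
    for rec in device_apps:
        entry = inv[normalize(rec["app"])]
        entry["sources"].add("device")
        entry["users"].add(rec["user"])
        entry["devices"].add(rec["device"])
    for rec in browser_apps:
        entry = inv[normalize(rec["app"])]
        entry["sources"].add("browser")
        entry["users"].add(rec["user"])
    for rec in connector_apps:
        inv[normalize(rec["app"])]["sources"].add("connector")
    return dict(inv)


def endpoint_only(inventory, approved):
    """Apps with a device signal but no browser or connector signal."""
    return {app: {"users": sorted(e["users"]), "devices": sorted(e["devices"]),
                  "approved": app in approved}
            for app, e in inventory.items() if e["sources"] == {"device"}}


if __name__ == "__main__":
    inventory = build_inventory(DEVICE_APPS, BROWSER_APPS, CONNECTOR_APPS)
    for app, info in sorted(endpoint_only(inventory, APPROVED).items()):
        print(app, info)
```

Name normalization is the fragile step: the same product appears under different bundle or package names per platform, so a real deployment would join on a maintained alias map or publisher identifier rather than string folding alone.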
What's in the full article
JumpCloud's full article covers the operational detail this post intentionally leaves for the source:
- How the existing JumpCloud device agent identifies locally installed applications without deploying a separate tracking tool
- The mechanics of combining browser, connector, and device-based discovery into a single SaaS inventory
- Why locally installed AI desktop apps and agentic browsers can bypass standard SSO, web gateway, and IdP signals
- The compliance and SBOM use cases that depend on endpoint-level application visibility