TL;DR: Shadow AI is spreading as employees use unsanctioned AI tools and paste sensitive data into them: 61% of organisations report unsanctioned or unmonitored AI use, and 60% of IT professionals say AI is outpacing their organisation's ability to protect against threats, according to JumpCloud. The security problem is not just tool sprawl but the collapse of identity, policy, and data-handling control at the point of use.
NHIMG editorial — based on content published by JumpCloud: Shadow AI is exposing identity and data control gaps in IAM
By the numbers:
- 61% of organizations report encountering unsanctioned or unmonitored use of AI tools.
- 60% of IT professionals agree that AI is outpacing their organization’s ability to protect against threats.
- 85% of IT leaders agree that secure IAM practices are critical for successful AI adoption.
Questions worth separating out
Q: How should security teams govern shadow AI use in the enterprise?
A: Security teams should govern shadow AI as part of IAM, endpoint, and data-handling policy rather than as a standalone training issue.
Q: Why does shadow AI create more risk than ordinary SaaS sprawl?
A: Shadow AI is more dangerous because the user is not just accessing an unauthorised application, they are also potentially disclosing sensitive content into a system that may retain, reuse, or expose it.
Q: What do organisations get wrong about employee use of public AI tools?
A: The most common mistake is assuming the risk begins and ends with the app itself. It also covers the data pasted into the prompt, the identity used to sign in (often a personal account outside IAM), and the device the session runs on.
Practitioner guidance
- Inventory unsanctioned AI usage paths: discover where employees are using public AI tools, browser extensions, and embedded copilots without approval.
- Classify data that must never enter public prompts: publish explicit handling rules for PII, financial data, source code, customer records, and other sensitive information.
- Unify identity and device enforcement for AI access: connect IAM signals with browser management, application allowlists, and device posture checks so access decisions are consistent across sanctioned and unsanctioned tools.
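The three steps above, as an added worked example (not JumpCloud's or NHIMG's code): a minimal triage pass over web-proxy log lines that discovers which users reach AI hosts, classifies sensitive content in the logged request body, and applies an identity/device policy. The log format, the AI and sanctioned host lists, the sensitive-data detectors and the policy outcomes are all illustrative assumptions; the sample log lines are constructed, not real traffic.

```python
"""Added example, not JumpCloud's or NHIMG's code: a minimal shadow-AI
triage pass over constructed web-proxy log lines that walks the three
guidance steps (discover AI destinations, classify sensitive content in
the request body, apply an identity/device policy). The log format, host
lists, detectors and policy are all illustrative assumptions."""
import re
from dataclasses import dataclass, field

# Assumption: hostnames that denote public AI tools. A real deployment would
# take these from a maintained URL-category feed, not a hard-coded set.
AI_HOSTS = {"chat.example-ai.com", "copilot.example-ai.net", "api.example-llm.io"}
# Assumption: the one AI service the organisation has sanctioned behind SSO.
SANCTIONED_HOSTS = {"copilot.example-ai.net"}

# Assumption: illustrative detectors for the data classes the guidance names.
# Deliberately simple; production DLP uses validated, tuned rules.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "source_code": re.compile(r"\b(?:def|func|function)\s+\w+\s*\("),
}

@dataclass
class Event:
    ts: str
    user: str
    managed: bool        # device passed posture check (assumed proxy enrichment)
    host: str
    method: str
    body: str            # request body excerpt as logged (assumed)

@dataclass
class Verdict:
    user: str
    host: str
    action: str                  # "allow" | "alert" | "block"
    reasons: list = field(default_factory=list)
    findings: list = field(default_factory=list)

def parse_line(line: str) -> Event:
    """Parse the constructed format: ts|user|managed|host|method|body."""
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) != 6:
        raise ValueError(f"malformed log line: {line!r}")
    ts, user, managed, host, method, body = parts
    return Event(ts, user, managed == "managed", host.lower(), method, body)

def classify_body(body: str) -> list:
    """Return the names of sensitive-data classes found in a prompt body."""
    return [name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(body)]

def decide(ev: Event):
    """Apply the policy to one event; None means the host is not an AI tool."""
    if ev.host not in AI_HOSTS:
        return None
    findings = classify_body(ev.body)
    reasons = []
    if ev.host not in SANCTIONED_HOSTS:
        reasons.append("unsanctioned AI tool")
    if not ev.managed:
        reasons.append("unmanaged device")
    if findings:
        reasons.append("sensitive data: " + ", ".join(findings))
    # Unsanctioned tools and unmanaged devices are blocked outright; a
    # sanctioned tool on a managed device with sensitive content is allowed
    # but alerted, so the data-handling rule is still enforced by review.
    if ev.host not in SANCTIONED_HOSTS or not ev.managed:
        action = "block"
    elif findings:
        action = "alert"
    else:
        action = "allow"
    return Verdict(ev.user, ev.host, action, reasons, findings)

def triage(lines) -> list:
    """Run decide() over raw log lines, skipping non-AI and malformed lines."""
    verdicts = []
    for line in lines:
        try:
            ev = parse_line(line)
        except ValueError:
            continue
        v = decide(ev)
        if v is not None:
            verdicts.append(v)
    return verdicts

def inventory(lines) -> dict:
    """Step 1 of the guidance: which users reach which AI hosts at all."""
    seen = {}
    for v in triage(lines):
        seen.setdefault(v.host, set()).add(v.user)
    return {host: sorted(users) for host, users in sorted(seen.items())}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-05-02T10:14:03Z|alice@corp.example|managed|copilot.example-ai.net|POST|Summarise this meeting note about the Q3 roadmap",
    "2024-05-02T10:15:44Z|bob@corp.example|unmanaged|chat.example-ai.com|POST|def rotate_keys(): return AKIAABCDEFGHIJKLMNOP",
    "2024-05-02T10:16:10Z|carol@corp.example|managed|chat.example-ai.com|GET|",
    "2024-05-02T10:17:52Z|dave@corp.example|managed|copilot.example-ai.net|POST|Customer 123-45-6789 complained about invoice 4471",
    "2024-05-02T10:18:30Z|erin@corp.example|managed|www.example.com|GET|",
    "garbage line with no separators",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_LOG):
        print(f"{v.action:5} {v.user:20} {v.host:24} {'; '.join(v.reasons)}")
    print(inventory(SAMPLE_LOG))
```

The point the example makes is the one in the guidance: the same event has to be judged on three axes at once (which tool, which device and identity, which data), and a blocklist on hostnames alone would have allowed the sanctioned copilot request that carried a customer SSN.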
What's in the full article
JumpCloud's full article covers the operational detail this post intentionally leaves for the source:
- The report-backed breakdown of how AI maturity gaps are showing up across IT teams
- Specific examples of policy language for acceptable AI use and data handling
- Practical guidance on browser and identity controls for blocking unsanctioned AI access
- The article's framing for CIO accountability across governance, risk, and education
👉 Read JumpCloud's analysis of shadow AI risk and IAM governance →