TL;DR: Shadow AI use outside approved workflows is creating visible compliance and data-loss risk, with Cisco reporting that 74% of organisations have already experienced data leakage through unsanctioned AI use. The core issue is that consumer AI adoption bypasses identity, logging, and third-party controls that SOC 2 and HIPAA assume are in place.
NHIMG editorial — based on content published by Pomerium: How Shadow AI Impacts SOC 2 and HIPAA, and What to Do About It
Questions worth separating out
Q: How should security teams govern shadow AI use in regulated environments?
A: They should treat shadow AI as an identity and policy enforcement problem.
Q: Why does shadow AI create compliance risk for SOC 2 and HIPAA?
A: Because both frameworks assume that access, data handling, and third-party use are controlled and observable.
Q: What do organisations get wrong about managing unsanctioned AI use?
A: They often focus on banning tools instead of governing the request path.
Practitioner guidance
- Map approved AI use paths Identify every sanctioned AI service, then bind each one to enterprise identity, device trust, and policy enforcement before data can be entered or uploaded.
- Block consumer AI pathways for regulated data Prevent uploads, copy-paste workflows, and browser access to unsanctioned AI services from systems that handle PHI or audit-scoped data.
- Require audit-ready logs for AI activity Log who accessed which service, when the access occurred, what data was transferred, and which policy decision allowed or denied the request.
What's in the full article
Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:
- Per-route policy examples for allowing approved AI services while blocking uploads and attachment flows.
- Structured logging details that show who accessed which AI service, when access occurred, and what policy applied.
- HIPAA-oriented route patterns for clinical staff, managed devices, and time-bound access rules.
- Example SIEM integration patterns for continuous monitoring and alerting on AI activity.
👉 Read Pomerium's analysis of shadow AI risks for SOC 2 and HIPAA →
Shadow AI and compliance drift: what IAM teams need to know?
Explore further
Shadow AI is a governance problem before it is a technology problem. Unapproved AI use bypasses the organisational identity layer, which means security teams lose the ability to bind access, logging, and policy to a managed subject. In regulated environments, that turns routine productivity behaviour into a control failure. The practitioner conclusion is that AI access needs to be governed as part of the identity estate, not treated as an exception outside it.
A few things that frame the scale:
- 79% of organizations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who is accountable when shadow AI exposes regulated data?
A: Accountability sits with the organisation that allowed the data path to exist without control. Compliance, IAM, security, and business owners all share responsibility, because unmanaged AI use is a governance failure rather than a single-user mistake. The organisation must be able to prove who approved access and how it was monitored.
👉 Read our full editorial: Shadow AI breaks SOC 2 and HIPAA controls in regulated firms