
Shadow AI and identity governance: what are teams missing?


(@nhi-mgmt-group)

TL;DR: Shadow AI is now a daily reality, with 8 in 10 office workers using some form of public AI, 60% of organisations already seeing a data exposure event, and AI-related incidents taking 26.2% longer to identify, according to JumpCloud. The governance problem is not adoption itself but the lack of visibility, policy, and sanctioned alternatives across identity-controlled access paths.

NHIMG editorial — based on content published by JumpCloud: The 2026 State of Shadow AI

By the numbers:

Questions worth separating out

Q: How should security teams govern shadow AI without blocking all employee use?

A: Start by discovering where AI already appears in sanctioned SaaS, browsers, and public tools, then apply policy to the specific data flows and identities involved.

Q: Why do unsanctioned AI tools create compliance risk for IAM teams?

A: They move employee data into third-party systems that may sit outside approved access, logging, and retention controls.

Q: What do organisations get wrong about acceptable use policies for AI?

A: They often treat acceptable use as a document instead of a control.

Practitioner guidance

  • Inventory AI entry points across sanctioned SaaS: Map where employees are already encountering AI inside approved applications, then separate those flows from standalone public tools so you can apply different controls to each path.
  • Bind AI usage policy to enforceable identity controls: Translate acceptable use rules into identity provider conditions, device posture checks, and approved application restrictions so the policy can actually shape behaviour.
  • Classify prompt and output data flows: Treat prompts, uploaded files, and model outputs as governed data movements, then define what can be sent, where it can go, and who owns the resulting telemetry.

What's in the full article

JumpCloud's full research covers the operational detail this post intentionally leaves for the source:

  • The survey methodology behind the shadow AI statistics and how respondents were segmented
  • The full breakdown of where shadow AI appears across employee workflows and application types
  • The report's guidance on discovery, governance, and enablement as a three-part response model
  • The business impact discussion on tool sprawl, redundancy, and unsanctioned code assistants

👉 Read JumpCloud's 2026 shadow AI report for the full survey findings →
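
An added example, not part of the original post or JumpCloud's report: one way to express the three practitioner-guidance points above as an enforceable, default-deny check instead of a document. The hostnames, the `ai-users` group, the data classes and the per-path limits are all assumptions made up for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inventory of AI entry points, split by path (placeholder hostnames).
AI_INVENTORY = {
    "copilot.sanctioned-saas.example": "sanctioned_embedded",
    "chat.public-ai.example": "public_standalone",
}
# Assumed data classification order and the highest class each path may receive.
DATA_RANK = {"public": 0, "internal": 1, "confidential": 2}
MAX_DATA = {"sanctioned_embedded": "confidential", "public_standalone": "public"}
APPROVED_GROUP = "ai-users"  # hypothetical identity provider group


@dataclass(frozen=True)
class AIRequest:
    user: str
    groups: frozenset
    device_compliant: Optional[bool]  # None means posture was never reported
    destination: str
    data_class: str


def evaluate(req: AIRequest):
    """Return (decision, reason) for traffic already identified as AI-bound."""
    path = AI_INVENTORY.get(req.destination)
    if path is None:
        # Uninventoried AI tool: deny and feed it back into discovery.
        return ("deny", "AI destination not inventoried")
    if req.device_compliant is not True:
        # Unknown posture is treated the same as a failed check.
        return ("deny", "device posture missing or non-compliant")
    if APPROVED_GROUP not in req.groups:
        return ("deny", "identity not in approved group")
    if req.data_class not in DATA_RANK:
        return ("deny", "data flow is unclassified")
    if DATA_RANK[req.data_class] > DATA_RANK[MAX_DATA[path]]:
        return ("deny", f"{req.data_class} data not allowed on {path} path")
    return ("allow", f"{path} path within policy")


if __name__ == "__main__":
    # Constructed sample requests.
    staff = frozenset({APPROVED_GROUP})
    samples = [
        AIRequest("alice", staff, True, "copilot.sanctioned-saas.example", "confidential"),
        AIRequest("alice", staff, True, "chat.public-ai.example", "confidential"),
        AIRequest("bob", staff, None, "chat.public-ai.example", "public"),
        AIRequest("carol", staff, True, "new-tool.unknown-ai.example", "public"),
    ]
    for s in samples:
        print(s.user, s.destination, *evaluate(s))
```

Each returned reason is intended to be logged alongside the identity, which gives the telemetry ownership the third guidance point asks for.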
