Subscribe to the Non-Human & AI Identity Journal

Forums
The Non-Human & AI ...
NHI, AI & IAM Suppo...
Shadow AI and LLM d...
 
Notifications
Clear all

Shadow AI and LLM data leakage: what IAM teams need to do now

 
    Last Post
  RSS

 NHI Mgmt Group
(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter 12/06/2026 12:40 am  

TL;DR: Employees are already pasting code, customer data, and internal documents into public LLMs, creating Shadow AI leakage paths that bypass IT governance, logging, and policy enforcement, according to Pomerium. The real issue is not whether users will adopt AI, but whether identity, access, and data controls can bound that adoption before sensitive context escapes.

NHIMG editorial — based on content published by Pomerium: Your Employees Are Already Dumping Company Data to LLMs (Here’s What To Do About It)

Questions worth separating out

Q: How should security teams govern employee use of public LLMs?

A: Security teams should treat prompt submission as a governed access event.

Q: Why do bans on public AI tools usually fail?

A: Bans fail because employees route around them when the sanctioned path is slower or less useful.

Q: What breaks when secrets are pasted into LLM prompts?

A: What breaks is the organisation's ability to control where the secret goes next.

Practitioner guidance

  • Map LLM data flows by identity Inventory which human, service, and workload identities are sending data to public or approved models.
  • Force model traffic through a governed gateway Route all approved LLM usage through an identity-aware proxy that can enforce authorisation, apply policy, and block direct access paths that bypass visibility.
  • Apply pre-send filtering to prompts and context Strip secrets, customer identifiers, and regulated personal data before content reaches any external model.

What's in the full article

Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:

  • A concrete gateway architecture showing where identity-aware policy enforcement sits in the LLM request path.
  • Step-by-step implementation patterns for teams piloting approved AI usage with existing identity infrastructure.
  • Examples of how the gateway can integrate with logging, DLP, and rate limiting for model-bound requests.
  • Practical pitfalls such as friction, bypass behaviour, and why opt-in controls usually fail.

👉 Read Pomerium's analysis of how employees are already dumping company data into LLMs →

Shadow AI and LLM data leakage: what IAM teams need to do now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
Topic Tags
pomerium shadow-ai llm-governance data-loss-prevention identity-aware-proxy
Forum Jump:
  Previous Topic
Next Topic  
Related Topics
Topic Tags:  pomerium (48) , shadow-ai (169) , llm-governance (2) , data-loss-prevention (25) , identity-aware-proxy (6) ,
Share:

#1 Authority in NHI Education, Research and Advisory, empowering organizations to tackle the critical risks posed by Non-Human Identities (NHIs), including AI Agents.

Get in Touch

Quick Links

Legal & Policies

©2025 NHIMG. All right reserved.