Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Shadow AI governance gap: what IAM teams need to do now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Shadow AI is already widespread in mid-sized firms, with Delinea reporting that 81% of organisations in the $10 million to $50 million revenue range have faced breaches or compliance issues tied to unauthorized AI use. The real problem is not AI adoption itself but the governance gap around what data unsanctioned tools can access, persist with, or exfiltrate.

NHIMG editorial — based on content published by Delinea: What is Shadow AI and what is the risk to your organization?

By the numbers:

Questions worth separating out

Q: How should security teams govern shadow AI in enterprise environments?

A: Security teams should govern shadow AI by focusing on the identities, data paths, and privileges the tools use, not just on whether the tool is approved.

Q: Why does shadow AI create such a high breach risk?

A: Shadow AI creates high breach risk because it can access sensitive data outside normal oversight, then process or reproduce that data in places security teams do not control.

Q: What do organisations get wrong about shadow AI governance?

A: Many organisations focus on banning tools instead of governing the access paths those tools create.

Practitioner guidance

  • Discover unsanctioned AI usage across the enterprise Inventory browser-based AI tools, embedded assistants, and department-level models, then map them to the identities, secrets, and data stores they can reach.
  • Classify AI access by data sensitivity Apply stricter rules where AI tools can touch privileged, regulated, or customer data.
  • Review the secrets behind AI-enabled workflows Identify API keys, service accounts, and delegated tokens used by AI-enabled processes, then determine whether those credentials are overbroad, shared, or unmonitored.

What's in the full article

Delinea's full blog covers the operational detail this post intentionally leaves for the source:

  • The survey breakdown by organisation size, including why mid-sized firms show the sharpest breach and compliance impact.
  • The specific unauthorized AI use cases respondents reported, such as developer code generation and finance workflow automation.
  • The risk categories Delinea maps to shadow AI, including data exfiltration, copyright exposure, and unvetted training data.
  • The governance steps Delinea recommends for aligning AI use with access management and data controls.

👉 Read Delinea's analysis of shadow AI risk and governance gaps →

Shadow AI governance gap: what IAM teams need to do now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Shadow AI is really access governance failure in a faster wrapper. The article shows that the issue is not whether employees will use AI, but whether the organisation can govern the identities, data paths, and privileges those tools rely on. Traditional application approval alone is too slow when adoption happens department by department. Practitioners should treat shadow AI as a control-plane problem, not a policy memo problem.

A few things that frame the scale:

  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.

A question worth separating out:

Q: Which controls matter most when AI tools touch privileged data?

A: The most important controls are access classification, secrets governance, telemetry, and restrictions on where sensitive data can be processed. If an AI workflow can reach privileged data, then access review alone is not enough. The organisation also needs monitoring that shows what the tool actually did.

👉 Read our full editorial: Shadow AI governance is outpacing enterprise access controls



   
ReplyQuote
Share: