TL;DR: Shadow AI is already widespread in mid-sized firms, with Delinea reporting that 81% of organisations in the $10 million to $50 million revenue range have faced breaches or compliance issues tied to unauthorized AI use. The real problem is not AI adoption itself but the governance gap around what data unsanctioned tools can access, persist with, or exfiltrate.
NHIMG editorial — based on content published by Delinea: What is Shadow AI and what is the risk to your organization?
By the numbers:
- 81% of medium-sized firms ($10 million to $50 million in revenue) with shadow AI use have already suffered breaches or compliance consequences as a result.
- 85% of security stakeholders have either confirmed use or have some credible reason to believe that shadow AI applications and models are being used at their organizations.
- 64% reported that shadow AI has already led to a known data breach or compliance issue within their organization.
Questions worth separating out
Q: How should security teams govern shadow AI in enterprise environments?
A: Security teams should govern shadow AI by focusing on the identities, data paths, and privileges the tools use, not just on whether the tool is approved.
Q: Why does shadow AI create such a high breach risk?
A: Shadow AI creates high breach risk because it can access sensitive data outside normal oversight, then process or reproduce that data in places security teams do not control.
Q: What do organisations get wrong about shadow AI governance?
A: Many organisations focus on banning tools instead of governing the access paths those tools create.
Practitioner guidance
- Discover unsanctioned AI usage across the enterprise: inventory browser-based AI tools, embedded assistants, and department-level models, then map them to the identities, secrets, and data stores they can reach.
- Classify AI access by data sensitivity: apply stricter rules where AI tools can touch privileged, regulated, or customer data.
- Review the secrets behind AI-enabled workflows: identify API keys, service accounts, and delegated tokens used by AI-enabled processes, then determine whether those credentials are overbroad, shared, or unmonitored.
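As an added example (not code from Delinea's article or NHIMG's post), the three steps above applied to a constructed inventory in Python: each workflow is labelled by the most sensitive store it reaches, and each credential behind it is checked for being shared, overbroad, or unmonitored. Tool, credential, and store names are hypothetical.

```python
from collections import defaultdict

# Sensitivity ranks; a higher rank means stricter governance (constructed scale).
SENSITIVITY = {"public": 0, "internal": 1, "customer": 2, "regulated": 3, "privileged": 3}

# Constructed inventory from step 1; tool, credential and store names are hypothetical.
WORKFLOWS = [
    {"tool": "browser-llm-plugin", "credential": "svc-crm-reader",
     "stores": ["crm_contacts"], "logged": True},
    {"tool": "finance-automation-bot", "credential": "svc-erp-admin",
     "stores": ["gl_ledger", "payroll"], "logged": False},
    {"tool": "code-assistant", "credential": "svc-erp-admin",
     "stores": ["source_repo"], "logged": True},
]
STORE_CLASS = {"crm_contacts": "customer", "gl_ledger": "regulated",
               "payroll": "regulated", "source_repo": "internal", "hr_records": "regulated"}
# What each credential is entitled to reach, as recorded in the IdP or secret store.
CRED_SCOPES = {
    "svc-crm-reader": {"crm_contacts"},
    "svc-erp-admin": {"gl_ledger", "payroll", "source_repo", "hr_records"},
}


def classify(workflow):
    """Step 2: label a workflow by the most sensitive store it touches."""
    return max((STORE_CLASS[s] for s in workflow["stores"]), key=SENSITIVITY.get)


def review_credentials(workflows):
    """Step 3: per credential, list why it needs attention (empty list means clean)."""
    users = defaultdict(list)
    for wf in workflows:
        users[wf["credential"]].append(wf)
    findings = {}
    for cred, wfs in users.items():
        flags = []
        if len(wfs) > 1:                      # one secret reused by several tools
            flags.append("shared")
        needed = {s for wf in wfs for s in wf["stores"]}
        unused = CRED_SCOPES[cred] - needed   # entitlements no workflow actually uses
        if unused:
            flags.append("overbroad:" + ",".join(sorted(unused)))
        if any(not wf["logged"] for wf in wfs):
            flags.append("unmonitored")
        findings[cred] = flags
    return findings


if __name__ == "__main__":
    for wf in WORKFLOWS:
        print(f'{wf["tool"]}: {classify(wf)}')
    for cred, flags in review_credentials(WORKFLOWS).items():
        print(cred, flags or ["ok"])
```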
What's in the full article
Delinea's full blog covers the operational detail this post intentionally leaves for the source:
- The survey breakdown by organisation size, including why mid-sized firms show the sharpest breach and compliance impact.
- The specific unauthorized AI use cases respondents reported, such as developer code generation and finance workflow automation.
- The risk categories Delinea maps to shadow AI, including data exfiltration, copyright exposure, and unvetted training data.
- The governance steps Delinea recommends for aligning AI use with access management and data controls.
Read Delinea's analysis of shadow AI risk and governance gaps.