
Shadow AI governance: what IAM teams need to control now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9062
Topic starter  

TL;DR: Eight in 10 employees are using unapproved AI tools, while 44% of U.S. workers use AI without authorization and 45% do so without telling their manager, according to JumpCloud. The governance gap is now about visibility, policy clarity, and data-flow control, not whether employees will experiment with AI.

NHIMG editorial — based on content published by JumpCloud: shadow AI governance and the gap between employee adoption and organisational oversight

By the numbers:

Questions worth separating out

Q: How should security teams govern shadow AI in the enterprise?

A: Start by discovering where AI is already being used, including personal accounts, browser extensions, and informal team adoption.

Q: Why does shadow AI create more risk than ordinary shadow IT?

A: Shadow AI does more than introduce an unapproved application.

Q: What do organisations get wrong about AI governance?

A: Many teams assume that a policy document or approved-tool list is enough.

Practitioner guidance

  • Discover unsanctioned AI usage across the estate: Inventory personal accounts, browser extensions, and department-level experimentation so AI use is visible before it becomes embedded in daily work.
  • Define data classes that cannot enter AI tools: Publish explicit rules for confidential, regulated, and customer data, and make those rules readable at the point of use rather than buried in policy documents.
  • Align approval workflows with how employees actually work: Reduce the gap between sanctioned and unsanctioned tools by making approved options faster to access, easier to find, and simpler to use in real workflows.

What's in the full article

JumpCloud's full article covers the operational detail this post intentionally leaves for the source:

  • How its shadow AI discovery approach identifies GenAI applications in use across the organisation
  • How departmental usage patterns and pre-discovery actions support approval or restriction decisions
  • How to centralise approved resources so employees can find sanctioned tools without bypassing governance
  • How the vendor frames AI and SaaS management for organisations trying to reduce hidden usage

👉 Read JumpCloud's analysis of shadow AI governance and employee tool use →




   
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

Shadow AI is an identity governance problem before it is a tooling problem. The article shows that employees are not waiting for formal approval to use AI, which means the enterprise is losing visibility at the point of account creation and first use. That makes the control gap operational, not theoretical. Practitioners should treat unmanaged AI use as a governance layer that sits between human identity, SaaS access, and data security.

A few things that frame the scale:

  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
  • 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.

A question worth separating out:

Q: Who is accountable when employees use unapproved AI tools?

A: Accountability usually sits with the organisation that owns data handling, access policy, and employee education, but operational ownership should be assigned across IAM, security, and data governance. If no team owns discovery, approval, and exception handling together, shadow AI becomes a gap with no clear control point.

👉 Read our full editorial: Shadow AI governance is outpacing enterprise IAM controls



   