Shadow AI governance: what IAM teams need to control now

TL;DR: Eight in 10 employees are using unapproved AI tools, while 44% of U.S. workers use AI without authorization and 45% do so without telling their manager, according to JumpCloud. The governance gap is now about visibility, policy clarity, and data-flow control, not whether employees will experiment with AI.

NHIMG editorial — based on content published by JumpCloud: shadow AI governance and the gap between employee adoption and organisational oversight

By the numbers:

• 8 out of 10 employees are using unapproved AI tools.
• 44% of U.S. workers use AI tools without authorization.
• 45% of employees have used AI on the job without informing their manager.

Questions worth separating out

Q: How should security teams govern shadow AI in the enterprise?

A: Start by discovering where AI is already being used, including personal accounts, browser extensions, and informal team adoption.

Q: Why does shadow AI create more risk than ordinary shadow IT?

A: Shadow AI does more than introduce an unapproved application.

Q: What do organisations get wrong about AI governance?

A: Many teams assume that a policy document or approved-tool list is enough.

Practitioner guidance

• Discover unsanctioned AI usage across the estate Inventory personal accounts, browser extensions, and department-level experimentation so AI use is visible before it becomes embedded in daily work.
• Define data classes that cannot enter AI tools Publish explicit rules for confidential, regulated, and customer data, and make those rules readable at the point of use rather than buried in policy documents.
• Align approval workflows with how employees actually work Reduce the gap between sanctioned and unsanctioned tools by making approved options faster to access, easier to find, and simpler to use in real workflows.

What's in the full article

JumpCloud's full article covers the operational detail this post intentionally leaves for the source:

• How its shadow AI discovery approach identifies GenAI applications in use across the organisation
• How departmental usage patterns and pre-discovery actions support approval or restriction decisions
• How to centralise approved resources so employees can find sanctioned tools without bypassing governance
• How the vendor frames AI and SaaS management for organisations trying to reduce hidden usage

👉 Read JumpCloud's analysis of shadow AI governance and employee tool use →

Shadow AI governance: what IAM teams need to control now?

Explore further

View Full Forum →  |  NHI Foundation Course →