TL;DR: Push telemetry shows the average organisation now uses 16 unique AI apps, 17 AI browser extensions, and 17 AI OAuth integrations, with many approved only by employees rather than security teams, while Verizon DBIR 2026 reports 45% of employees are regular AI users on corporate devices. The governance problem is no longer AI adoption itself, but unmanaged browser-based trust relationships that widen blast radius across connected SaaS.
NHIMG editorial — based on content published by Push Security: shadow AI telemetry and the four categories of unmanaged AI risk
By the numbers:
- The average organisation has 16 unique AI apps in active use, 17 AI browser extensions, and 17 AI OAuth integrations.
- 45% of employees are now regular AI users on corporate devices, up from 15% the year before.
- 92% allow employees to use public GenAI applications.
Questions worth separating out
Q: How should security teams govern shadow AI in the browser?
A: Security teams should govern shadow AI at the browser layer, where users authenticate, consent, and move data between systems.
Q: Why do AI OAuth integrations create more risk than standalone AI app use?
A: AI OAuth integrations create more risk because they convert a simple app login into persistent delegated access across enterprise systems.
Q: What breaks when employees use personal accounts for approved AI tools?
A: When employees use personal accounts for approved AI tools, enterprise policy controls no longer apply consistently, even if the application itself is sanctioned.
Practitioner guidance
- Inventory AI activity across the browser layer: build a live register of AI apps, accounts, extensions, and OAuth integrations that are actually used in the browser.
- Default-deny new OAuth consent grants: require explicit approval for new consent grants in Google Workspace, Microsoft 365, and high-value SaaS apps.
- Apply allowlisting to AI browser extensions: approve only vetted extensions, block everything else, and re-check permission changes that would expand access to cookies, session tokens, or page content.
What's in the full article
Push Security's full post covers the operational detail this analysis intentionally leaves at the governance level:
- Weekly telemetry methodology behind the app, extension, and OAuth counts across customer environments
- Examples of shadow AI categories mapped to specific browser and SaaS trust failures
- Practical steps for browser visibility, consent governance, and extension control across Google Workspace and Microsoft 365
- Illustrative Vercel-style integration risk patterns that show how forgotten grants become downstream exposure
👉 Read Push Security's analysis of shadow AI, browser extensions, and OAuth risk →
Shadow AI sprawl and OAuth risk: what IAM teams are missing?
Explore further
Browser session governance is now an identity problem, not just a web usage problem. Shadow AI lives inside the browser, where users authenticate, consent, upload data, and connect systems in one place. That means the control boundary has shifted from application inventory to session-level identity and delegated access oversight. For IAM teams, this is a signal that browser telemetry belongs in the identity programme, not only in endpoint or web security workflows.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: How should teams reduce the blast radius of AI-driven SaaS access?
A: Teams should reduce blast radius by classifying every AI connection by the downstream systems it can reach, then removing unnecessary OAuth scopes and inactive grants. The goal is to limit how far a single compromised AI tool, extension, or user consent can travel across the SaaS estate.
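As an added example (not Push Security's code or telemetry), a small Python triage of AI OAuth grants along the lines the answer describes: map each grant's scopes to the downstream systems they can reach, flag inactive grants for revocation, and flag active grants whose scopes exceed what the review approved so the excess can be trimmed. The scope-to-system mapping, the 90-day inactivity threshold and the grant records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed mapping from scope prefix to the downstream system it reaches (grouping is ours).
SCOPE_SYSTEMS = {
    "https://www.googleapis.com/auth/drive": "Google Drive",
    "https://www.googleapis.com/auth/gmail": "Gmail",
    "https://www.googleapis.com/auth/calendar": "Google Calendar",
    "Mail.ReadWrite": "Exchange Online",
    "Files.ReadWrite.All": "SharePoint/OneDrive",
    "User.Read": "Entra ID profile",
}

@dataclass(frozen=True)
class Grant:
    app: str             # AI app or extension holding the grant
    user: str            # account that consented
    scopes: frozenset    # scopes currently granted
    last_used: date      # last token use seen in telemetry
    approved: frozenset = frozenset()  # scopes the review judged necessary

def reachable(scopes):
    """Downstream systems a set of scopes can reach (the grant's blast radius)."""
    return {system for s in scopes
            for prefix, system in SCOPE_SYSTEMS.items() if s.startswith(prefix)}

def triage(grant, today, inactive_days=90):
    """Return (action, excess_scopes, blast_radius) for one grant."""
    excess = grant.scopes - grant.approved
    radius = reachable(grant.scopes)
    if (today - grant.last_used).days > inactive_days:
        return "revoke", excess, radius   # inactive grant: remove outright
    if excess:
        return "reduce", excess, radius   # active but over-scoped: trim the excess
    return "keep", excess, radius

# Constructed sample grants (hypothetical apps and users, not real telemetry).
TODAY = date(2026, 6, 1)
G = "https://www.googleapis.com/auth/"
GRANTS = [
    Grant("summarizer-ext", "alice@example.com", frozenset({G + "drive.readonly"}),
          date(2026, 5, 20), frozenset({G + "drive.readonly"})),
    Grant("meeting-notes-ai", "bob@example.com",
          frozenset({G + "calendar.readonly", G + "gmail.modify"}),
          date(2026, 5, 28), frozenset({G + "calendar.readonly"})),
    Grant("old-chat-plugin", "carol@example.com",
          frozenset({"Mail.ReadWrite", "Files.ReadWrite.All", "User.Read"}), date(2025, 11, 3)),
]

def report(grants=GRANTS, today=TODAY):
    """Triage decision per app, keyed by app name."""
    return {g.app: triage(g, today) for g in grants}
```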
👉 Read our full editorial: Shadow AI is expanding enterprise attack surface through browser trust