Shadow AI visibility: what IAM teams need to govern now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: Shadow AI is creating data leakage and compliance exposure because employees use free-tier AI tools with personal accounts and enter sensitive data, while many organisations also lack visibility into non-human and agentic usage, according to JumpCloud. The real governance failure is not detection alone but the inability to inventory, classify, and control unapproved AI access before data leaves the enterprise boundary.

NHIMG editorial — based on content published by JumpCloud: shadow AI visibility and governance guidance

By the numbers:

Questions worth separating out

Q: How should security teams govern shadow AI without blocking productivity?

A: Start by discovering every unapproved AI tool, linking it to a user or non-human identity, and classifying the data that reaches it.

Q: Why does shadow AI create more risk than ordinary shadow IT?

A: Shadow AI can receive sensitive prompts, persist data outside enterprise retention, and process information through systems the organisation does not control.

Q: What breaks when organisations cannot see unapproved AI use?

A: Without visibility, security teams cannot attribute activity, classify data exposure, or decide whether a tool is acceptable.

Practitioner guidance

  • Link AI discovery to identity telemetry: correlate user, device, and web access data so every unapproved AI tool can be tied to a real identity and reviewed in context.
  • Classify sensitive inputs before AI use expands: map customer PII, internal documents, and other regulated data to explicit AI handling rules so users know what may never be pasted into unapproved tools.
  • Extend governance to non-human and agentic identities: include scripts, service accounts, and AI agents in the same discovery process so autonomous access cannot bypass your shadow AI controls.

What's in the full article

JumpCloud's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step AI discovery workflow that uses identity, device, and web signals to build an inventory in hours.
  • Examples of how the platform warns users on unapproved domains or blocks access to risky AI services.
  • Operational guidance for categorising discovered AI tools by risk score, usage volume, and user identity.
  • How to formalise approval for low-risk tools through enterprise identity controls such as SSO.

👉 Read JumpCloud's analysis of shadow AI visibility and governance →

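The discovery step from the practitioner guidance above (tie each AI destination seen in web telemetry to a human or non-human identity, then rank the unapproved tools by risk and usage volume), as an added example that is not part of the original post or of JumpCloud's product; the AI domains, risk scores, identity directory and proxy log are all constructed placeholders:

```python
from collections import defaultdict

# Constructed AI-domain catalogue with assumed risk scores (1 = low, 5 = high); APPROVED lists the
# tools the organisation has formally sanctioned (e.g. behind SSO). Any other AI domain is shadow AI.
AI_DOMAINS = {"chat.example-ai.com": 4, "api.example-ai.com": 4, "assist.approved-vendor.com": 1}
APPROVED = {"assist.approved-vendor.com"}
# Constructed identity directory: the same discovery covers human, service and agent identities.
DIRECTORY = {"alice": "human", "svc-report-bot": "service", "agent-triage": "agent"}
# Constructed web-proxy log: timestamp, account, device, destination host, bytes sent.
PROXY_LOG = """\
2025-01-10T09:01:02Z alice LAPTOP-17 chat.example-ai.com 18432
2025-01-10T09:03:40Z alice LAPTOP-17 assist.approved-vendor.com 2048
2025-01-10T09:10:11Z svc-report-bot BUILD-03 api.example-ai.com 512000
2025-01-10T09:12:55Z agent-triage K8S-NODE-2 api.example-ai.com 96000
2025-01-10T09:15:00Z unknown-acct BYOD-9 chat.example-ai.com 4096
2025-01-10T09:20:00Z alice LAPTOP-17 www.example.com 300
"""


def build_inventory(log_text):
    """Return {host: record} for every AI domain seen, tied to identities and usage volume."""
    inv = defaultdict(lambda: {"approved": False, "risk": 0, "requests": 0,
                               "bytes_out": 0, "identities": {}, "unattributed": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit() or parts[3] not in AI_DOMAINS:
            continue  # malformed record, or not an AI service
        _ts, account, device, host, sent = parts
        rec = inv[host]
        rec["approved"], rec["risk"] = host in APPROVED, AI_DOMAINS[host]
        rec["requests"] += 1
        rec["bytes_out"] += int(sent)
        if account in DIRECTORY:
            rec["identities"][account] = {"type": DIRECTORY[account], "device": device}
        else:
            rec["unattributed"] += 1  # no identity to tie it to: cannot be reviewed in context
    return dict(inv)


def shadow_ai_findings(inventory):
    """Unapproved tools, highest risk and volume first, flagging non-human and unattributed use."""
    out = []
    for host, rec in inventory.items():
        if rec["approved"]:
            continue  # sanctioned tool: governed through enterprise identity controls, not a finding
        non_human = sorted(a for a, i in rec["identities"].items() if i["type"] != "human")
        out.append({"host": host, "risk": rec["risk"], "requests": rec["requests"],
                    "bytes_out": rec["bytes_out"], "non_human": non_human,
                    "unattributed": rec["unattributed"]})
    return sorted(out, key=lambda f: (-f["risk"], -f["bytes_out"]))
```

Requests that cannot be attributed to any directory identity are counted separately rather than dropped, since an unattributable data path is exactly the visibility gap the post describes.
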
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 4060

Shadow AI is an identity visibility failure before it is an AI policy failure. The governance gap is not that organisations lack opinions about AI use, but that they cannot reliably see every unapproved tool, account, and data path. Once identity telemetry is missing, policy becomes aspirational and enforcement becomes inconsistent. The practical conclusion is that discovery must be treated as an identity control, not a communications exercise.

A few things that frame the scale:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
  • 52% of security leaders expect AI security decision-making power to shift toward platform and infrastructure teams rather than the executive suite.

A question worth separating out:

Q: Who should own shadow AI governance in an enterprise?

A: Ownership should sit across IAM, SaaS management, security, and data governance because shadow AI crosses all four domains. Identity teams handle attribution and access, security handles risk enforcement, and data owners decide what content may be used. If ownership is fragmented, the organisation will see the problem but fail to govern it.

👉 Read our full editorial: Shadow AI visibility is now an identity governance problem
