Blocking alone fails because it does not address the business need that drives Shadow AI use. Employees often find a workaround through browsers, personal accounts, or alternate endpoints. Without discovery, approved alternatives, and policy enforcement on data use, the organisation remains blind to where sensitive information is going.
Why This Matters for Security Teams
Blocking unapproved AI tools sounds decisive, but it only treats the visible channel, not the behaviour that creates the risk. When employees are under time pressure, they route around restrictions with personal accounts, browser-based access, consumer file uploads, or mirrored workflows in approved tools. The result is not less AI use, but less visibility into where prompts, documents, and secrets are flowing.
This is why the control problem shifts from simple denial to discovery, data governance, and sanctioned alternatives. NHI Management Group has seen how quickly AI-related exposure can expand once a tool is reachable through an exposed credential path, as illustrated in the LLMjacking research and the DeepSeek breach analysis. The core issue is not whether a specific app is blocked, but whether the organisation can see, control, and audit the identity and data paths behind AI use. Current guidance from the NIST Cybersecurity Framework 2.0 points toward risk management and visibility, not just prohibition. In practice, many security teams discover shadow ai only after sensitive data has already left approved boundaries, rather than through intentional discovery.
How It Works in Practice
Effective control starts by classifying AI usage into approved, tolerated, and prohibited categories, then pairing that policy with discovery. Teams need browser and network visibility, CASB or SSE telemetry where available, and identity-based monitoring that shows who is using which model, from where, and with what data. Blocking should be one control in a broader workflow, not the whole strategy.
Operationally, the stronger pattern is:
- Publish approved AI tools with clear data-handling rules.
- Detect unauthorised AI access through DNS, proxy, endpoint, and SaaS logs.
- Use DLP or content controls to stop secrets, regulated data, and customer records from entering prompts.
- Route high-risk use cases to alternatives that are logged, reviewed, and tied to enterprise identity.
- Review exceptions so business units do not create informal workarounds.
This matters because AI use is often embedded in legitimate work, not just obvious shadow IT. A developer may paste code into a consumer chatbot, a marketer may upload a campaign brief, or a support analyst may forward case notes to a public model. Those actions can be invisible if the policy only blocks a domain name. The State of Secrets in AppSec research is relevant here because leaked secrets and poor handling habits remain persistent even in mature organisations, which makes prompt hygiene and data controls critical. Best practice is evolving toward identity-aware, context-aware enforcement rather than simple deny lists. These controls tend to break down when users can reach the same model through multiple endpoints, because the policy is attached to the app label rather than the data flow.
Common Variations and Edge Cases
Tighter blocking often increases user friction, requiring organisations to balance prompt reduction against business continuity. That tradeoff is real, especially where AI assists daily productivity and no sanctioned alternative exists.
There is no universal standard for this yet, but current guidance suggests a layered approach. In regulated environments, blanket blocking can be justified for narrow categories such as customer PII, source code, or export-controlled content, while broader knowledge work may need approved enterprise AI instead. In engineering-heavy teams, the bigger risk is not just tool access but data egress through plugins, browser extensions, and copy-paste into model web UIs. In procurement or legal workflows, the risk may be less about public model usage and more about unvetted retention terms and model training reuse.
The practical edge case is that some organisations block direct access yet still permit AI through embedded SaaS features, which creates a false sense of control. Security teams should therefore treat shadow AI as an identity, data, and workflow problem, not a website-blocking problem. The right question is not only whether the tool is allowed, but whether the organisation can prove what data entered the model, which identity used it, and where the output went.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Addresses unsafe AI tool use and hidden prompt/data paths. | |
| CSA MAESTRO | Covers governance for sanctioned and unsanctioned AI workflows. | |
| NIST AI RMF | Supports risk-based governance beyond simple blocking. |
Inventory AI entry points and enforce guardrails around prompts, data flow, and outputs.
Related resources from NHI Mgmt Group
- What breaks when organisations rely on a single analytics service for every workload?
- What breaks when organisations rely on legacy DLP for AI workflows?
- How should organisations govern AI usage when employees use unapproved tools?
- What breaks when organisations rely only on observability for AI governance?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
