Shadow AI in the Enterprise: Detecting, Governing and Securing Unsanctioned GenAI Use

Most shadow AI happens because the approved tools are worse than the unapproved ones. A practical detection and governance framework that doesn't pretend a ban will work.

The most useful way to think about shadow AI is to stop treating it as an attack on policy and start treating it as a vote of no confidence in the approved alternatives.

The numbers make the point more cleanly than any framing does. Roughly 47% of GenAI users at enterprises now access these tools through personal accounts, completely outside corporate visibility. About 38% of employees admit to sharing sensitive company data with AI tools without permission. Netskope tracks more than 1,550 distinct GenAI SaaS applications in enterprise traffic — up from 317 just over a year ago. The average enterprise now sees 223 data-policy violations per month tied directly to AI usage. And IBM’s most recent Cost of a Data Breach report puts the additional cost of a shadow-AI-related breach at roughly $670,000 above the standard breach baseline.

These are not the metrics of a problem that responds to a memo from IT.

The CISOs who are actually reducing shadow AI exposure are the ones who have stopped trying to win an enforcement war and started building governance that lets people do their jobs faster with AI than they could without it. The data here is striking: in one healthcare-sector study, organisations that supplied approved AI alternatives saw an 89% reduction in unauthorised AI use, alongside roughly 32 minutes of daily time savings per clinician. Supply the tools, set the boundaries, and usage shifts from shadow to sanctioned.

That is the brief for this guide. We will cover what shadow AI actually looks like in 2026, how to detect it without theatre, and how to govern it without driving it deeper underground.

What shadow AI actually means in 2026

The term gets used loosely. It is worth being precise.

Shadow AI is any AI tool, model, agent or workflow being used in an enterprise context without IT or security oversight. That includes the obvious cases — an analyst pasting a customer list into ChatGPT for summarisation — but also a much wider perimeter that most governance programmes miss:

  • Browser-based GenAI: ChatGPT, Claude, Gemini, Perplexity and the long tail of consumer chat interfaces accessed from a corporate device through a personal account.
  • Embedded AI features in approved SaaS: Notion AI, Salesforce Einstein, Slack AI, Zoom AI Companion, Atlassian Rovo. These are turned on by default in many tenants. Whether they constitute “shadow” depends entirely on whether the security team has reviewed the data-handling terms — and most have not.
  • AI-enabled coding assistants: GitHub Copilot in personal mode, Cursor, Replit Ghostwriter, Codeium. Developers have been earlier adopters than any other function, and the data exposure is more concentrated — proprietary source code rather than meeting notes.
  • Custom agents built in low-code platforms: An employee builds a small workflow in n8n, Zapier AI, or Microsoft Copilot Studio that calls an LLM API. The workflow itself is sanctioned; the data flowing through it is not necessarily reviewed.
  • API calls embedded directly in code: Developers calling OpenAI, Anthropic or other model APIs from production or pre-production systems with credentials that nobody in security has audited (see the scan sketch below).
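That last category is often the easiest to find with tooling you already have. A minimal sketch, assuming a local clone of the repository; the host list and file extensions are illustrative and deliberately incomplete, not a complete catalogue of model providers:

```python
import os
import re
import sys

# Illustrative, incomplete list of hosted-model API hosts worth flagging for review.
MODEL_API_HOSTS = [
    "api.openai.com",
    "api.anthropic.com",
    "generativelanguage.googleapis.com",
    "api.mistral.ai",
]

SOURCE_EXTENSIONS = {".py", ".js", ".ts", ".java", ".go", ".rb", ".cs"}
PATTERN = re.compile("|".join(re.escape(host) for host in MODEL_API_HOSTS))

def scan_repo(root: str):
    """Yield (path, line_number, line) for every source line referencing a model API host."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1] not in SOURCE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as f:
                    for lineno, line in enumerate(f, start=1):
                        if PATTERN.search(line):
                            yield path, lineno, line.strip()
            except OSError:
                continue  # unreadable file: skip rather than fail the whole scan

if __name__ == "__main__":
    for path, lineno, line in scan_repo(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}:{lineno}: {line}")
```

In practice the hits would feed into whatever secrets-scanning or code-review workflow already exists, rather than being run ad hoc.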

The MIT-cited statistic that resonates most with practitioners is this: employees at more than 90% of companies surveyed are using personal AI accounts for daily work tasks, while only 40% of organisations provide official LLM tooling. That is the actual gap shadow AI fills. It is not malicious. It is rational.

Why bans don’t work

If you have been in security long enough, you have seen this film before. Shadow IT in the early SaaS era was largely defeated not by blocking but by enterprise IT eventually offering Slack, Box, Asana and the rest as official options. The blocking phase was a delay tactic that mostly produced workarounds.

Shadow AI is following the same pattern, faster and with higher stakes.

The blocking-first approach fails for three structural reasons:

First, the tools are too useful and too easy to access. A blocked URL on the corporate proxy is solved by switching to a personal phone, a personal device on the guest WiFi, or a different model accessed through an aggregator the proxy has not yet catalogued. The 1,550-and-rising number of distinct GenAI apps means any blocklist is by definition incomplete.

Second, the productivity gains are real. The clinicians in the healthcare study above were not using AI to mess around. They were saving half an hour a day on documentation. When the choice is between hitting a productivity target and following a security policy, the policy loses every time. This is a forty-year-old observation about human behaviour in organisations, and it has not changed because the policy is now about AI.

Third, blanket blocks are politically expensive. The CISO who blocks ChatGPT enterprise-wide and then has to explain to the CEO why the marketing team is two weeks behind on a launch is in a much weaker position than the CISO who provided an approved enterprise option six months earlier.

The honest framing is that shadow AI cannot be eliminated. It can be measurably reduced and the residual risk can be governed. That is the realistic ambition.

A four-layer detection model

Detection has to work at the layers where the data actually moves. Most organisations underestimate this and try to bolt visibility onto a single chokepoint — usually the corporate proxy — which catches some of the traffic and misses most of it.

A practical model works in four layers, each catching what the layer above misses:

Layer 1 — Network and proxy visibility. Your existing SWG, SASE or CASB platform will identify traffic to known GenAI domains. This is the cheapest layer to enable and the one most organisations already have. Vendors like Netskope, Zscaler and Palo Alto Prisma Access publish regular updates of GenAI app catalogues. The limit of this layer is that it sees nothing from unmanaged devices or personal mobile.
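Once a GenAI domain catalogue is in place, Layer 1 reduces to matching log destinations against it and counting who is using what. A minimal sketch, assuming a CSV proxy-log export with user and dest_host columns; the field names and catalogue file are placeholders, not any vendor's real export schema:

```python
import csv
from collections import Counter, defaultdict

def load_catalogue(path: str) -> set[str]:
    """One known GenAI domain per line, e.g. 'chat.openai.com'."""
    with open(path) as f:
        return {line.strip().lower() for line in f if line.strip()}

def summarise(proxy_log_csv: str, catalogue: set[str]) -> None:
    """Count requests and distinct users per GenAI destination in a proxy-log export."""
    hits = Counter()
    users = defaultdict(set)
    with open(proxy_log_csv, newline="") as f:
        for row in csv.DictReader(f):  # assumed columns: user, dest_host, ...
            host = row["dest_host"].lower()
            if host in catalogue:
                hits[host] += 1
                users[host].add(row["user"])
    for host, count in hits.most_common():
        print(f"{host}: {count} requests from {len(users[host])} users")

# summarise("proxy_export.csv", load_catalogue("genai_domains.txt"))
```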

Layer 2 — Browser-level inspection. This is where the real shadow AI lives. Microsoft Edge for Business, Island and Talon (now Palo Alto) browsers, and dedicated browser-extension controls from Harmonic Security and Lasso can inspect prompts before they leave the browser, identify sensitive data inline, and block or coach the user in real time. Microsoft’s RSAC 2026 announcement of inline DLP for Edge for Business — analysing prompts in real time and redirecting risky requests to enterprise Copilot — is the clearest signal that browser-layer governance is becoming the default control point.
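The commercial products do this with trained classifiers and policy engines, but the core decision is small enough to sketch. The regexes below are deliberately crude stand-ins for a real detection engine:

```python
import re

# Crude illustrative patterns; real browser-layer DLP uses trained classifiers, not three regexes.
SENSITIVE_PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "api_key_like": re.compile(r"\b(?:sk|ghp|AKIA)[A-Za-z0-9_-]{16,}\b"),
}

def inspect_prompt(prompt: str) -> dict:
    """Return the findings a browser control would use to allow, coach, or block a prompt."""
    findings = [name for name, pattern in SENSITIVE_PATTERNS.items() if pattern.search(prompt)]
    if not findings:
        return {"action": "allow", "findings": []}
    return {
        "action": "coach",
        "findings": findings,
        "message": "This prompt appears to contain sensitive data. "
                   "Use the approved enterprise assistant instead.",
    }

print(inspect_prompt("Summarise feedback from jane.doe@example.com"))
# {'action': 'coach', 'findings': ['email_address'], 'message': '...'}
```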

Layer 3 — Endpoint DLP with AI awareness. Traditional endpoint DLP (Microsoft Purview, Symantec, Forcepoint) increasingly includes AI-specific classifiers. The relevant capability here is identifying when a user copies sensitive data from an approved system (CRM, EHR, code repository) and then pastes it into any browser tab — not just known-AI tabs. This catches the long tail of unknown apps.

Layer 4 — Identity and SaaS posture. SSPM platforms (AppOmni, Adaptive Shield, Obsidian) and identity providers (Okta, Microsoft Entra) can show you which OAuth integrations users have authorised and which AI apps are connected to your sanctioned SaaS. This is how you find the embedded AI features that were enabled silently and the custom agents built on top of approved platforms.
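To keep the example vendor-neutral, assume the OAuth grants have been exported from your IdP or SSPM into a CSV with app_name, scopes and granted_by columns; the keyword and scope lists below are illustrative assumptions, not any provider's actual values:

```python
import csv

# Keywords that usually indicate an AI integration; illustrative, not exhaustive.
AI_HINTS = ("ai", "gpt", "copilot", "gemini", "claude", "assistant", "llm")

# Illustrative names for broad data-access scopes worth escalating.
HIGH_RISK_SCOPES = {"mail.read", "files.read.all", "directory.read.all"}

def review_grants(grants_csv: str) -> None:
    """Flag OAuth grants that look AI-related, especially those with broad data scopes."""
    with open(grants_csv, newline="") as f:
        for row in csv.DictReader(f):  # assumed columns: app_name, scopes, granted_by
            name = row["app_name"].lower()
            if not any(hint in name for hint in AI_HINTS):
                continue
            scopes = {s.strip().lower() for s in row["scopes"].split(";")}
            flag = "HIGH" if scopes & HIGH_RISK_SCOPES else "review"
            print(f"[{flag}] {row['app_name']} granted by {row['granted_by']}: {', '.join(sorted(scopes))}")

# review_grants("oauth_grants_export.csv")
```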

No single layer is sufficient. The leverage comes from running all four with shared context — and the integration work is more important than the choice of vendor at any given layer.

Shadow AI discovery vendor landscape

The dedicated shadow-AI tooling market has consolidated around a handful of approaches. The honest assessment is that no vendor in this space is yet mature enough to be the only thing you rely on, and most CISOs end up combining capabilities.

| Vendor | Primary approach | Strengths | Realistic limitations |
| --- | --- | --- | --- |
| Netskope | Network-layer inline + browser plug-in | Largest catalogued GenAI app database; mature DLP integration | Network layer alone misses unmanaged devices |
| Palo Alto (Prisma AIRS) | SASE-native AI security | Strong fit if you already run Prisma Access | Less mature on browser-layer prompt inspection |
| Zscaler | Inline ZTNA-based control | Mature SASE platform; AI app catalogue updated frequently | Same off-network limitation as other proxy approaches |
| Microsoft Purview + Edge for Business | Browser + endpoint DLP, AI-aware | Best fit for Microsoft-heavy estates; inline prompt redirection | Edge for Business adoption required for full effect |
| Harmonic Security | Browser-layer prompt inspection | Designed-for-purpose; lightweight deployment | Smaller vendor; long-term independence uncertain |
| Lasso Security | Browser plug-in + LLM observability | Strong real-time discovery and behavioural analytics | Newer category entrant; reference base still building |
| Cyberhaven | Data lineage + AI usage analytics | Excellent visibility into what data flows where | DLP enforcement weaker than dedicated platforms |
| Nightfall AI | API + browser DLP | Strong for SaaS-resident data; developer-friendly | Less coverage of non-SaaS shadow AI |

Microsoft has the structural advantage in any organisation already running Entra ID, Purview and Edge — the inline prompt inspection that ships in Edge for Business is genuinely well integrated, and the licence is often already paid for. Netskope has the largest dataset on what GenAI apps are out there and what they do with data. The smaller dedicated players (Harmonic, Lasso) tend to be ahead on the specific browser-layer features but require an additional procurement and integration cycle.

If you are starting from zero, the highest-leverage sequence is: turn on whatever GenAI app discovery your existing SASE/SWG already supports; add a browser-layer control as your second move; add identity and SaaS posture review as your third; and use endpoint DLP only to fill specific gaps where the first three leave residual risk.

The governance framework that actually works

Once detection is in place, governance has to give people a reason to use the sanctioned path. The framework that consistently produces results in the field has four moves.

1. Provide enterprise-grade approved alternatives — and make them genuinely good. This is the precondition for everything else. If your sanctioned option is Microsoft 365 Copilot or Google Workspace’s enterprise Gemini, configure them properly: tenant isolation, exclusion from training data, retention controls, audit logging. If your developers need a coding assistant, license GitHub Copilot Enterprise or equivalent — not a hostile-by-default policy that pretends Copilot in personal mode does not exist. The 89% reduction figure in the healthcare study was achieved by replacement, not enforcement.

2. Classify data, not tools. Most policy documents try to enumerate which AI tools are allowed. This is hopeless: the catalogue grows weekly. The durable approach is to classify data by sensitivity and define which data classes are acceptable in any external AI tool, regardless of which one. A simple three-tier model — public, internal, restricted — covers most cases. Restricted data (customer PII, source code, financial projections, regulated data) goes only to enterprise AI within tenant boundaries. Internal data can go to any reviewed AI tool. Public data can go anywhere. This approach is enforceable in DLP and explainable to non-technical staff.
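The three-tier model is compact enough to express as a lookup that a DLP rule or browser control can evaluate. A minimal sketch; the class and destination names mirror the tiers above, everything else is illustrative:

```python
from enum import Enum

class DataClass(Enum):
    PUBLIC = "public"
    INTERNAL = "internal"
    RESTRICTED = "restricted"

class Destination(Enum):
    ENTERPRISE_AI = "enterprise_ai"              # tenant-isolated, reviewed
    REVIEWED_EXTERNAL_AI = "reviewed_external_ai"
    UNREVIEWED_AI = "unreviewed_ai"

# Policy mirrors the tiers above: restricted data stays inside the tenant,
# internal data may go to any reviewed tool, public data can go anywhere.
ALLOWED = {
    DataClass.RESTRICTED: {Destination.ENTERPRISE_AI},
    DataClass.INTERNAL: {Destination.ENTERPRISE_AI, Destination.REVIEWED_EXTERNAL_AI},
    DataClass.PUBLIC: set(Destination),
}

def decide(data_class: DataClass, destination: Destination) -> str:
    return "allow" if destination in ALLOWED[data_class] else "block-and-coach"

print(decide(DataClass.RESTRICTED, Destination.REVIEWED_EXTERNAL_AI))  # block-and-coach
print(decide(DataClass.INTERNAL, Destination.REVIEWED_EXTERNAL_AI))    # allow
```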

3. Coach in real time, don’t punish in arrears. The single most effective intervention is a polite, in-line warning the moment a user is about to paste sensitive data into a non-sanctioned tool. Microsoft’s Purview-in-Edge approach and Harmonic’s browser plug-in both demonstrate this clearly: when the user gets a real-time prompt explaining the policy and is offered an alternative path (often the same task routed to enterprise Copilot), compliance jumps. Quarterly DLP-incident reports sent to managers do not change behaviour. In-the-moment coaching does.

4. Maintain a living AI inventory and audit it quarterly. Shadow AI does not stay static. New apps appear weekly. The agents that someone built in Copilot Studio six months ago are still running. A quarterly audit cycle — covering browser-discovered apps, OAuth-connected SaaS integrations, and developer-built custom agents — is the minimum viable cadence. ISACA has published audit methodology for this; the substance is straightforward, the discipline of doing it regularly is the hard part.
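One way to keep the inventory living rather than a one-off spreadsheet is to merge each quarter's discovery sources into a single record set and flag anything without an owner or a review inside the current cycle. A minimal sketch with assumed field names and sources:

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class AIAsset:
    name: str
    source: str            # e.g. "browser-discovery", "oauth-grants", "copilot-studio"
    owner: str | None
    last_reviewed: date | None

def audit(inventory: list[AIAsset], cycle_start: date) -> list[AIAsset]:
    """Return assets with no owner or no review inside the current audit cycle."""
    return [
        a for a in inventory
        if a.owner is None or a.last_reviewed is None or a.last_reviewed < cycle_start
    ]

inventory = [
    AIAsset("Notion AI", "browser-discovery", "it-apps", date(2026, 1, 10)),
    AIAsset("invoice-triage-agent", "copilot-studio", None, None),  # built months ago, never reviewed
]
for asset in audit(inventory, cycle_start=date(2026, 1, 1)):
    print(f"needs review: {asset.name} ({asset.source})")
```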

The framework that pulls these together is enablement-first: you provide the approved tools, you classify the data not the apps, you coach in real time, and you audit on a cycle. The CISOs reporting the largest reductions in shadow AI exposure are the ones who treat governance as a product to be designed for the user, not a policy to be enforced against them.

Where the EU AI Act and other regulators land on this

Shadow AI is not just an IT-risk problem. It is increasingly a compliance problem.

Under the EU AI Act, organisations deploying AI systems classified as high-risk are required to maintain documentation of those systems, conduct risk assessments, and ensure human oversight. An employee using ChatGPT to summarise a CV during a hiring decision arguably triggers the high-risk classification — and if that usage is happening outside any inventory, the organisation cannot demonstrate compliance with the documentation requirement. We cover the practical implications in detail in our EU AI Act guide for security teams.

GDPR adds a parallel obligation: any processing of personal data needs a lawful basis and the ability to honour erasure requests. When an employee pastes customer data into a consumer GenAI tool that may retain it for model training, the organisation has lost both. The ICO and equivalent EU DPAs have signalled that they will treat shadow AI as a controller-level governance failure, not as an individual employee mistake.

The intersection with NIS2 is also worth flagging. Article 21 requires organisations to implement appropriate measures to manage security risks — and “appropriate” increasingly includes AI usage governance for organisations in scope.

The compliance angle is not the reason to fix shadow AI, but it is increasingly the reason that finally gets the budget approved.

What to do this quarter

If you are starting from a low maturity baseline and trying to make material progress in 90 days, the highest-leverage sequence is:

  1. Week 1–2. Turn on whatever GenAI discovery your existing SASE/SWG supports. You need a baseline of which apps your employees are actually using before you do anything else.
  2. Week 3–4. Procure or activate enterprise AI alternatives for the top three use cases identified in your discovery scan. For most organisations, this means enterprise ChatGPT or Microsoft 365 Copilot for general productivity, GitHub Copilot Enterprise for developers, and a vetted vertical tool for whichever function is heaviest (legal, marketing, support).
  3. Week 5–8. Deploy a browser-layer control with inline coaching. Microsoft Edge for Business with Purview is the path of least resistance for Microsoft estates; Harmonic or Lasso for organisations with mixed browser environments.
  4. Week 9–12. Publish a data-classification-based AI usage policy — not a tool blocklist. Train managers, not just employees. Establish a quarterly audit cadence and assign an owner.

That sequence will not eliminate shadow AI. Nothing will. But it will move the needle from “we have no idea what’s happening” to “we have measurable visibility, an approved path, and a defensible governance posture” — which is the realistic destination.

Frequently asked questions

Is shadow AI different from shadow IT? Functionally similar, materially more dangerous. Shadow IT generally moved data into another company’s storage; shadow AI can move that same data into a model’s training corpus, where the contamination is permanent and unrecoverable. The blast radius is larger and the remediation options are fewer.

Can we just block ChatGPT and call it done? No. You will block the one app that 60% of your employees use, drive the usage to the other 1,549 GenAI apps (most of which your filters do not yet recognise), and lose the productivity gains your competitors are capturing. Blocking the obvious front door pushes the traffic to the back doors you cannot see.

How do we handle the embedded AI features in our approved SaaS? Treat each one as a separate review. Slack AI, Notion AI, Salesforce Einstein and the rest each have distinct data-handling terms, training-opt-out settings and tenant-isolation guarantees. The fact that the underlying SaaS is approved does not mean the AI feature is. Review the AI addendum to your DPA and configure tenant-level controls before enabling.

What about developer use of AI coding assistants? This is the highest-stakes category and the one most often left uncovered. Source code pasted into a personal Copilot, Cursor or ChatGPT account is a direct IP exposure and frequently includes secrets and credentials. Provide an enterprise coding assistant with tenant isolation, mandate its use through repository-level controls where possible, and scan repositories for AI-generated content that should not be there. The machine identity and AI agent identity question is closely related — autonomous coding agents require their own identity governance layer.

How does this interact with prompt injection risk? Shadow AI and prompt injection compound each other. An employee using a non-sanctioned AI tool is exposed to whatever prompt injection vulnerabilities that tool has, with none of the controls a vetted enterprise deployment would have. The compound risk is one of the strongest arguments for moving usage to enterprise AI rather than tolerating shadow AI as a low-priority issue.