Shadow AI: An Identity Risk perspective

Marco Serenelli - AI Engineer
Jun 18, 2026By Marco Serenelli - AI Engineer

Employees are already using AI tools you don’t know about. The question isn’t whether it’s happening, it’s how much damage it’s causing, silently, right now.

That’s Shadow AI, the use of AI tools, models, and services by employees without the knowledge or oversight of the IT or security team.

It's not a future risk, according to IBM's 2025 Cost of Data Breach Report, one in five organizations has already experienced a breach linked to unsanctioned AI, yet only 37% of organizations have any governance policy in place to detect it. The other 63% are totally blind.

Why is Shadow AI an Identity Problem?

Shadow IT has always existed, someone buys a Dropbox subscription on a company card, a team starts using Notion without approval. Security teams learned to contain it.

Shadow AI is different. It's not just an unapproved application, it's a reasoning engine your employees are actively feeding with proprietary data. The moment a developer pastes internal source code into ChatGPT, or an analyst uploads a confidential spreadsheet to a consumer AI tool, that data has left the building. No firewall rule brings it back.

More than 80% of workers already use unapproved AI tools, nearly half through personal accounts that bypass enterprise controls entirely. For identity professionals, this means unmanaged Non-Human Identities with no lifecycle or owner, accounts that sit completely outside your IGA system, and compliance exposure you can't explain. GDPR, NIS2, DORA all assume you know where your data is, IBM puts the average remediation cost above € 600,000.

Solutions?

Well, the two instinctive responses to Shadow AI are either blocking everything, or ignoring it.

Blocking is ineffective. Employees route around it through personal devices and browser-based tools. Research shows nearly half would continue using personal AI accounts even after a formal ban.

Ignoring it is worse. Gartner predicts more than 40% of enterprises will experience a security or compliance incident linked to unauthorized Shadow AI by 2030.

The real answer is visibility-first governance:

  • Discover what's already there: identify which AI tools are in use and which identities are connected to external models, at the identity layer, not just the network layer.
  • Treat AI agents as first-class identities: register, scope, and govern every agent or automation that touches enterprise systems, with least-privilege access and a defined lifecycle.
  • Offer a sanctioned alternative: employees use Shadow AI because it solves real problems. If there's no approved alternative, circumvention will continue regardless of policy.


Conclusion


Traditional IGA wasn’t built for this. Static roles and quarterly certification campaigns don't catch an autonomous agent quietly connected to a shared service account last Tuesday.

Effective Shadow AI governance requires continuous, contextual visibility into the temporal dimension of identity: who had access, when, under what conditions, and whether it's still appropriate today. That's exactly what the IAMONES Temporal Identity Graph is designed to answer, making it possible to ask questions that traditional IGA cannot: Who connected that agent to our directory? When was this agent used ? Has this NHI ever been reviewed?

Shadow AI isn't going away. The organizations that get ahead of it won't be the ones that blocked ChatGPT at the firewall. They'll be the ones that built identity governance capable of keeping pace.