 

Shadow AI risk: Navigating the growing threat of ungoverned AI adoption

  

The rise of Shadow AI in the enterprise

As organizations eagerly embrace the transformative potential of artificial intelligence (AI) solutions, a new threat is emerging: shadow AI. This unsanctioned use of AI tools without oversight from IT or security teams is becoming a top concern for Chief Information Security Officers (CISOs).


In fact, research from Delinea's 2025 AI in Identity Security Demands a New Playbook report reveals that 44% of organizations with at least some AI usage struggle with business units deploying AI solutions without involving IT and security teams. An equal percentage grapple with unauthorized usage of generative AI by employees. Here are three risks shadow AI is creating for organizations embracing AI:

1. Policy and visibility gaps in AI governance

Delinea's research shows that while most organizations (89%) have implemented some form of policies or controls to restrict or monitor access to sensitive data by AI tools, the scope and effectiveness of these measures vary.

Only about half (52%) of global organizations claim to have comprehensive controls in place, with smaller companies lagging even further behind. This lack of robust governance and visibility leaves organizations vulnerable to data breaches, compliance failures, and security risks.

For many organizations, AI controls are lacking. For example, an acceptable use policy for AI tools is the most common AI control in use. This should be a basic expectation, yet only 57% of organizations have one in place. Other critical measures, such as access controls for AI agents and models (55%), AI activity logging and auditing (55%), and identity governance for AI entities (48%), are even less prevalent.

Without these foundational controls, organizations are essentially flying blind when it comes to AI activity within their digital ecosystems.

2. New Agentic AI challenges

The rise of Agentic AI, which exhibits greater autonomy and independence than generative AI, further compounds the risks associated with the adoption of ungoverned AI. As these advanced AI systems are given more control over critical systems and data, the potential risk of security breaches and compliance failures grows exponentially. This underscores the urgent need for organizations to adapt their identity strategies to account for the unique risks posed by Agentic AI.

3. Organizations are overconfident in machine identity management

Despite the evident gaps in AI governance and visibility, a staggering 93% of organizations express confidence in their efforts to secure machine identity. This confidence may be misplaced, as many firms rely on basic processes for managing the identity lifecycle of machine identities (82%) rather than comprehensive, automated controls (58%). And only 61% of organizations claim to have full visibility into all machine identities for the purpose of monitoring for compromise.

 

How to navigate the AI Era with robust identity security

To effectively mitigate the risks associated with shadow AI and ungoverned AI adoption, organizations must prioritize developing and implementing comprehensive AI security policies. These policies should encompass acceptable use guidelines, access controls, activity logging and auditing, and identity governance for AI entities.


By establishing a strong foundation of governance and visibility, organizations can unlock the transformative potential of AI while safeguarding their most valuable assets. Security leaders can follow Delinea’s framework on how to secure generative AI.

As Agentic AI systems become more prevalent, it is crucial that organizations adapt their identity strategies to account for these new risks. For example, they can implement more granular access controls, enhance monitoring and auditing capabilities, and invest in advanced identity governance solutions that can keep pace with the rapidly evolving AI landscape.

In the face of these challenges, CISOs must take a proactive approach to AI security. By staying informed about emerging threats, collaborating closely with IT and security teams, and championing the development of robust AI governance frameworks, organizations can position themselves to reap the benefits of AI while managing the associated risks.

Get deeper insights into the current state of AI security and identity management. Download Delinea's 2025 AI in Identity Security Report to discover comprehensive research findings and actionable strategies for securing AI in your organization.