
When employees install an AI writing assistant, connect a coding copilot to their IDE, or start summarizing meetings with a new browser tool, they are doing exactly what productive employees should do: finding ways to work faster.
In most organizations today, employees run three to five AI tools a day. Most were never reviewed by IT. A significant share connect to corporate data through OAuth grants or browser sessions, giving the tool access to shared drives, mailboxes, and internal documents that the employee never specifically intended to expose. Security teams often have no idea it is happening.
This is the shadow AI gap, and it is growing rapidly. Most security tooling is built to monitor email and network traffic flowing through the corporate network. A browser-based AI tool that is connected to corporate data through a quick login approval pulls that data directly from the SaaS provider using the granted token; the traffic never traverses the corporate network and so bypasses these controls completely.
According to research from Adaptive Security, 80% of employees currently use unapproved generative AI applications at work, and only 12% of companies have formal AI governance policies in place. The result is a widening disconnect between how employees actually work and what security teams can see.
A program that guides AI adoption down a secure, visible, and approved path provides security teams with the visibility they need and gives employees the tools they need. The five steps below show you exactly how to build it.
Step 1: Build a complete picture of what’s running
A security program can only manage what it can see. The first step is to discover which AI tools are used across your organization, and most security teams will find the answer surprising.
Three areas account for the majority of shadow AI activity.
- OAuth connections. Most AI tools request access to Google Workspace or Microsoft 365 via OAuth, which gives them read or write access to corporate data for as long as the grant lives. A quarterly audit of connected third-party apps, grouped by the scopes they were granted, typically reveals dozens of tools that security has never reviewed.
- Browser extensions. Many AI tools ship as browser extensions and install nothing outside the browser's own profile directory, so endpoint management tools that inventory installed applications never see them. A browser management solution or a lightweight agent on employee devices can enumerate active extensions across the organization.
- AI capabilities bundled into already-approved tools. Microsoft Copilot, Google Gemini, and Salesforce Einstein are examples of AI features added to platforms after the original vendor review, often without a separate security assessment of what the new feature can read.
It is also worth running a simple employee survey. Surveys framed as helping employees work more safely, rather than as compliance checks, tend to get candid answers, and many shadow tools surface only through that kind of conversation because automated detection misses them entirely.
The goal of this step is a current and accurate inventory of every AI tool in use, who is using it, and what data it can reach.
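As an added example (not Adaptive Security's tooling or anything from the original post), the script below performs the scope-based triage the OAuth audit in this step calls for. It takes a constructed sample shaped like the `items` array the Google Workspace Admin SDK Directory API returns from `tokens.list(userKey=...)` (the `displayText`, `clientId`, and `scopes` fields are the real ones; the app names, users, and grants are made up), rates each grant by its most sensitive scope, and produces the inventory Step 1 asks for: each tool, who granted it access, and what data it can reach. The scope-to-tier table is this example's own assumption, and unknown scopes are deliberately rated for human review rather than assumed safe.

```python
"""Triage third-party OAuth grants by the data they can reach.

Added example for this article; not Adaptive Security's code. Input is a
constructed sample shaped like the `items` array returned by the Google
Workspace Admin SDK Directory API call tokens.list(userKey=...). In a real
audit you would page through every user and feed the results to
build_inventory().
"""

G = "https://www.googleapis.com/auth/"

# Scope -> (data category, access). These are real Google OAuth scopes, but
# the tiering is an assumption of this example; extend it with Microsoft
# Graph permissions (e.g. Files.ReadWrite.All) if you audit Microsoft 365.
SCOPE_TIERS = {
    "openid": ("identity", "read"),
    G + "userinfo.email": ("identity", "read"),
    G + "calendar.readonly": ("calendar", "read"),
    G + "drive.file": ("drive", "app-created-files"),
    G + "drive.readonly": ("drive", "read"),
    G + "drive": ("drive", "read-write"),
    G + "gmail.readonly": ("mail", "read"),
    G + "gmail.modify": ("mail", "read-write"),
    "https://mail.google.com/": ("mail", "read-write"),
}
LEVEL_NAMES = {0: "sign-in only", 1: "low", 2: "medium", 3: "high"}


def scope_risk(scope):
    """Return (level, label) for one granted scope.

    3 = read/write on mail or Drive, 2 = read on mail or Drive or an
    unrecognised scope (needs a human), 1 = narrow data, 0 = identity only.
    """
    if scope not in SCOPE_TIERS:
        return 2, "unknown:" + scope
    category, access = SCOPE_TIERS[scope]
    if category == "identity":
        return 0, "identity"
    if access == "read-write":
        return 3, category + ":read-write"
    if access == "read" and category in ("mail", "drive"):
        return 2, category + ":read"
    return 1, category + ":" + access


def build_inventory(tokens_by_user):
    """Fold per-user token lists into one entry per app: who granted it,
    the highest risk level across its scopes, and the data it can reach.
    Sign-in-only apps stay listed; they still show which tools are in use."""
    inventory = {}
    for user, grants in tokens_by_user.items():
        for grant in grants:
            entry = inventory.setdefault(grant["displayText"], {
                "client_id": grant["clientId"], "users": set(),
                "level": 0, "data": set()})
            entry["users"].add(user)
            for scope in grant.get("scopes", []):
                level, label = scope_risk(scope)
                entry["level"] = max(entry["level"], level)
                if level > 0:
                    entry["data"].add(label)
    return inventory


def review_queue(inventory, approved=frozenset()):
    """Unapproved apps, highest exposure first, then most users first."""
    return sorted((a for a in inventory if a not in approved),
                  key=lambda a: (-inventory[a]["level"],
                                 -len(inventory[a]["users"]), a))


# Constructed sample: three users and the grants each has made.
_NOTES = {"displayText": "MeetingNotes AI",
          "clientId": "111111.apps.googleusercontent.com",
          "scopes": ["openid", G + "calendar.readonly", G + "drive"]}
_SLIDES = {"displayText": "Slide Helper",
           "clientId": "222222.apps.googleusercontent.com",
           "scopes": ["openid", G + "drive.file"]}
SAMPLE_TOKENS = {
    "alice@example.com": [_NOTES, _SLIDES],
    "bob@example.com": [_NOTES, {
        "displayText": "Inbox Summarizer",
        "clientId": "333333.apps.googleusercontent.com",
        "scopes": ["https://mail.google.com/", G + "contacts.readonly"]}],
    "carol@example.com": [_SLIDES, {
        "displayText": "Grammar Pal",
        "clientId": "444444.apps.googleusercontent.com",
        "scopes": ["openid", G + "userinfo.email"]}],
}

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_TOKENS)
    for app in review_queue(inv, approved={"Slide Helper"}):
        e = inv[app]
        print(f"{LEVEL_NAMES[e['level']]:13} {app:18} "
              f"users={len(e['users'])} data={sorted(e['data'])}")
```

Run against a real export, the review queue is the list you take into the quarterly audit: the top of it is where a single tool with write access to Drive or Gmail has been granted by many users, which is the exposure an inventory by tool name alone would hide.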
Step 2: Create policies that work for your employees
Most AI acceptable use policies stall for the same reason: employees get a list of prohibited tools with no guidance on what the approved path is. A policy written as a practical guide instead names the approved tools and lays out a clear process for requesting new ones, which gives employees the footing they need to make good decisions.
An effective AI governance policy includes the following.
- Clear data classification rules that name the categories of data that must never be fed into an AI tool not approved for that class, such as customer records, source code, and financial information.
- A validated data-training opt-out status for each approved tool. Many AI vendors use submitted content to improve their models by default unless the organization's admin settings explicitly disable it. Approval should require a confirmed opt-out for any tool that handles sensitive data.
- A defined process for requesting new tools, with target turnaround times.
- A clear explanation of why each guideline exists.
That last element matters more than it might seem. Employees who understand why an OAuth grant carries data-leakage risk will apply that reasoning to every decision they make about their tools. A policy that explains its reasoning is also training.
Step 3: Create a fast lane for new tool requests
Shadow AI grows fastest in organizations where formal approval processes cannot keep up with the pace of AI product releases. Employees who need a tool now and are facing a six-week security review will likely find a workaround within days. The purpose of this step is to remove that friction.
- Most AI tool requests do not warrant a full procurement review. A structured intake form with defined evaluation criteria is enough for most low-risk tools.
- Tiering the review by data access speeds decisions. For tools with limited data access, documenting the criteria and applying them consistently lets a reviewer decide quickly; reserve the full review for tools that will connect to corporate data or handle sensitive information.
- Evaluation criteria should cover the scope of data access, the vendor's security practices, data-training opt-out status, compliance certifications, and whether a functionally equivalent tool is already on the approved list.
Security teams that keep their list of approved tools openly available and up-to-date typically see significantly reduced use of shadow AI. Employees will use the right tools if they know where to find them.
Step 4: Use monitoring as a shared safety layer
Continuous visibility into AI tool usage across the organization serves two groups at once.
- Security teams get the real-time visibility they need to identify and address exposures before they become incidents.
- Employees get protection they would not have on their own: a warning that the tool they are using may be putting their credentials or company data at risk.
A browser-native monitoring approach gives security teams visibility into AI activity without rerouting employee web traffic or disrupting daily business operations. Captured signals feed into each employee’s broader risk profile and are stored in one place alongside phishing simulation results and training completion data.
Risky behavior shows up in several ways, so a combined view matters. An employee who clicks phishing links, skips training, and also runs an unauthorized AI tool against sensitive data poses a much higher risk than any one of those actions suggests on its own. Seeing the whole picture in one place lets security teams focus on the employees who need the most attention.
Step 5: Make the safe choice the easy one
The security program employees actually follow is the one that makes the safe choice the easy one. In AI governance, two things make that possible: just-in-time coaching, and training that explains the reasoning behind the rules.
Just-in-time coaching shows a short, contextual prompt at the moment an employee tries to use an unapproved tool. It is more effective than a quarterly training module because the intervention happens at the point of decision. A well-designed prompt tells the employee what the concern is, points to an approved alternative, and takes less than 30 seconds to read.
Training that explains the reasoning behind AI governance policies builds judgment employees can apply to situations the training never covered, including tools and threats that emerge long after it. The AI tool landscape changes too quickly for any training program to anticipate every specific case.
Employees who understand that an OAuth connection to the company's Google Workspace can expose their entire shared drive to a third-party vendor will apply that understanding to tools that did not exist six months ago.
Building a security program based on how your team works
AI adoption is driven by employees trying to get their work done faster. Companies that channel that momentum into a practical program, with a clear path to approved tools and real-time visibility for security teams, are the ones best placed to benefit from it.
Security teams that close this gap find that shadow AI use declines naturally over time. Browser-native visibility, a clear path to approved tools, and just-in-time coaching at the moment of risk are what make that possible.
When employees have access to effective, approved tools and a fast, transparent path to getting new tools reviewed, there is little incentive to circumvent the system.
Adaptive Security’s AI governance products include automated policies and just-in-time employee coaching, giving security teams real-time visibility into all AI tools and shadow apps running across the organization.
For more information, please visit adaptivesecurity.com.
Sponsored and written by Adaptive Security.
