More Detail
Shadow AI Brings New Risks and Requires a Shift in Security Approach
Gartner surveys and industry reports show that employees are increasingly accessing, installing, and using unsanctioned AI tools on corporate endpoints.4, 5 This inevitably expands the already broad attack surface beyond endpoints, servers, networks, identity, and cloud to the AI tools themselves. In addition to risks such as hallucinations causing undesired actions, AI agents are susceptible to intent and automation hijacking. Attackers can inject instructions directly into agent inputs (such as prompts, data, or files) or indirectly through access to resources or tools.
The alteration of agent behavior can persist if malicious instructions are saved in agent memory, stored in resources such as databases or skills, or used via a compromised tool as part of task execution.6, 7 In other instances, attackers have created fake versions of the ChatGPT Desktop application for Windows, masquerading as legitimate software.8
Organization-managed endpoints lower the barrier to sensitive data access for installed AI tools with minimal attribution, controls, or auditability, compounding risk as agent autonomy increases.
This Gartner research primarily focuses on addressing shadow AI risks on organization-managed endpoints. However, some forms of shadow AI exist almost entirely outside the organization’s visibility and control, reinforcing the need to complement technical measures with clear AI usage policies and AI literacy initiatives within the organization. For example, OpenClaw may be deployed on personal employee devices, or employees, contractors, and third parties may access sensitive data with personal devices and wearables without realizing they are using embedded AI. This places additional pressure on loose BYOD policies, creating a greater attack surface than in the past.
Three common types of shadow AI usage on organization-managed endpoints include:
Employee shadow AI: This represents the largest-scale use of shadow AI. Employees may use AI browsing agents (such as OpenAI ChatGPT or Anthropic Claude), AI browsers (such as Perplexity Comet or OpenAI’s ChatGPT Atlas), computer-use agents (such as Anthropic’s Claude Cowork, Microsoft’s Copilot Cowork, or OpenClaw), and other unsanctioned AI tools without approval, either to improve productivity or for recreational purposes. There is a steady flow of leaked confidential and regulated data into unlicensed, external AI tools.
Developer shadow AI: This is less obvious, but equally important to recognize. Developers and citizen developers will experiment with the latest AI tools and coding assistants. In addition to using tools like Anthropic’s Claude Code, GitHub Copilot, or Cursor, developers may install and use open-source AI models, MCP servers, coding agents, code packages, agent skills, and browser extensions from outside corporate repositories, installing them manually or automatically through AI coding assistants — a practice that makes it more difficult for cybersecurity teams to implement effective software supply chain security.
Technology provider shadow AI: Embedded AI features and agentic automation are increasingly being integrated into common, nontraditional AI applications and devices such as CRMs, office suites, communication tools, writing assistants, video generation tools, wearables and other devices. Embedded AI capabilities may quietly appear in these applications as part of the standard software update cycle. As a result, cybersecurity leaders must treat every application as an AI application.
Heightened shadow AI risk marks the end of an era of loose administrative privileges, which allowed the installation of any applications on organization-managed endpoints.
Despite vendor marketing claims, discovering and controlling the usage of AI cannot be fully accomplished with a single cybersecurity product, due to the complex and distributed nature of AI applications, features and ecosystems. Endpoint protection and network security tools typically focus either on detecting and denylisting known AI applications running on endpoints or on inspecting and filtering at the network level. While these approaches offer partial coverage, they are not sufficient for comprehensive AI discovery and usage control due to limitations in the breadth or depth of their capabilities.
Although some providers have acquired or built AI-specific security features, effective browser-level and endpoint-level inspection, policy enforcement for AI usage, endpoint application classification, and the ability to monitor and control AI-specific prompts and interactions across the many forms of shadow AI require significant investments in product licensing, policy creation, and ongoing management of findings.
How to Effectively Block Unsanctioned AI Usage on Corporate Endpoints
One of the common pitfalls when addressing shadow AI usage is defining usage policies without adapting security controls for practical enforcement. On the opposite end of the spectrum is banning AI usage outright, without offering more secure AI tool alternatives to satisfy existing demand for improving productivity. Cybersecurity leaders should pursue a balanced approach that includes the following quick wins and a longer-term strategy.
Quick Wins
Communicate clear guidelines by specifying which AI providers and tools are approved for particular use cases (e.g., writing, productivity, software development) and groups of employees (e.g., sales and marketing, software engineering), including AI tools from existing technology providers. Educate employees about the security implications.
Leverage existing endpoint and network security controls to block unsanctioned usage (URL filtering, blocking downloads, etc.), starting with the highest-risk employee groups and the highest-risk AI usage.
Longer-Term Strategy
Secure support from both technical and business leadership for a stricter application control environment. Allowlisting on organization-managed endpoints requires cultural change, integration with IT change management, and robust exception management to minimize business disruption.
Build a comprehensive inventory of end-user endpoints and an application catalog, including browsers and their extensions, capturing both desired and running applications using existing exposure assessment platforms (EAPs). Document trusted software deployment mechanisms and established employee workflows as prerequisites. Avoid a one-size-fits-all approach to application control. Begin with employee groups that have a predictable, consistent application stack as initial candidates for allowlisting policies. This minimizes business disruption and overhead compared to rolling out to developers, admins, or IT staff.
Example allowlisting providers: Airlock Digital, Broadcom (Carbon Black App Control), Microsoft Windows Defender App Control and AppLocker, ThreatLocker, Trellix.
Balancing security and productivity on developer endpoints is challenging. Instead of allowlisting, combine platform engineering principles with the use of privileged elevation and delegation management (PEDM) tools to remove permanent admin rights, providing just-in-time, policy-based elevation for specific tasks, applications, or commands (with business justification and MFA options).
Example PEDM providers: ARCON, BeyondTrust, Delinea, Palo Alto Networks (CyberArk acquisition), Segura.
To address the risk of unknown applications, browser extensions, locally installed MCP servers, large language models, IDE extensions, and code packages on developer endpoints, combine PEDM with specialized AI security technologies for developers that inspect and help manage unknown incoming software from marketplaces, repositories, and app stores prior to installation and execution. Example specialized AI security providers for developers: Backslash Security, BoostSecurity, Palo Alto Networks (Koi Security acquisition), Pluto Security.
Tackling Shadow AI Beyond Endpoint Application Control
In addition to addressing shadow AI on organization-managed endpoints, stricter application control and privilege management are an effective approach to mitigating malware and ransomware, reducing the risk of bring your own vulnerable driver (BYOVD) attacks that target EDR tools, managing security operations alert fatigue, and improving endpoint performance. However, like any other cybersecurity tool, it is just one control in the toolbox and not a sole solution to the shadow AI challenge.
Every approved endpoint application is a potential gateway to AI services and unsanctioned usage. For example, employees may run approved AI applications but sign into personal accounts. Other prominent examples include any approved browsers, whether managed or unmanaged, including AI-enhanced traditional browsers, AI browsers, or AI browsing agents. As discussed in the Analyst Take: Securing a “Browser” No Longer Means What You Think It Means, the level of risk and the type of controls required change drastically depending on the type of browser in use, especially as organizations move beyond traditional browsers to AI browsing agents and emerging AI browsers.
Emerging AI usage control solutions and secure enterprise browser (SEB) extensions aim to address these risks. SEB providers mainly focus on end-user interactions with the web components of AI, often missing the broader scope of AI usage. While AI usage control solutions offer broader coverage, their primary benefits are in addressing enterprise AI usage and adoption. When cybersecurity teams use AI usage control solutions as the main layer of defense against shadow AI, the sheer number and diversity of AI tools used by employees will quickly overwhelm cybersecurity teams, thereby reducing the value of AI usage control to its discovery and risk-rating capabilities. Achieving granular control across thousands of AI applications is challenging, requiring a multilayered approach, starting with stricter endpoint application control and privilege management.