
Shadow AI and Gen AI are creating a massive visibility crisis. David Shepherd at Ivanti explains how to address it
The industry has spent decades building security perimeters, only to watch them vanish in the cloud era. Now, as GenAI tools flood into organisations, there is a new obstacle. And it’s a big one, anchored in this reality: what you can’t see absolutely will hurt you.
Far too many security teams operate with cavernous visibility gaps. When I talk to fellow security professionals, I see a consistent pattern: they know the threats exist, but they can’t fully see them. This isn’t for a lack of intent or effort. I’m not knocking anyone here; even top teams are teetering around these gaps. But it’s time to do something about it.
Ivanti’s recent cyber-security research uncovered several eye-opening stats, but here’s one to start with: software that employees use — including shadow IT — ranks as the number one area where security leaders lack sufficient data to make informed decisions. This affects fully 45% of organisations.
Awareness of the visibility danger hasn’t yet equated to fixing it. While 52% of security professionals correctly identify API-related and software vulnerabilities as high or critical threats, barely a third consider themselves properly prepared to address these risks.
To be clear, the problem isn’t a lack of awareness; it’s a lack of implementation.
I watched with fascination as ChatGPT exploded onto the scene, and with growing concern as similar tools rapidly made their way into corporate environments. These powerful AI systems, accessible with minimal friction, have flooded workplaces faster than any previous technology.
What’s uniquely dangerous about these tools isn’t just their unauthorised presence. It’s how they work. A conventional SaaS tool stores the data you give it; a generative AI service may also learn from it. When employees paste sensitive information into an unsanctioned AI platform, that data leaves the organisation’s control: it is retained by a third party under terms nobody reviewed and, depending on those terms, may be used to train future versions of the model.
This leads to several worrying scenarios: corporate information leaking into public AI models; confidential data becoming accessible to employees who shouldn’t have it, for example when an AI assistant indexes documents its users were never entitled to read; regulatory violations as data crosses jurisdictional boundaries; and AI outputs containing fabricated information that appears factual.
To me, most troubling is the readiness gap: nearly one in three security and IT professionals have no documented strategy for addressing these GenAI risks. As adoption accelerates, this lack of readiness becomes increasingly dangerous.
When I examine why visibility gaps are so prevalent across various industries, I keep coming back to one underlying issue: the walls between security and IT departments.
Look at these numbers:
These stats point straight at a deeply flawed organisational model. When security teams can’t see what applications are running in the environment and IT lacks contextual threat intelligence, shadow AI operates in the visibility gap between them, creating vulnerabilities that neither team fully understands.
So, what’s to be done? The uncomfortable reality is that addressing shadow AI requires fundamentally rethinking how security and IT functions operate within your organisation.
First, we need to acknowledge that the traditional model, where security teams alone bear responsibility for protection, is fundamentally broken in the AI age. Security and IT must function as integrated partners with shared visibility and aligned objectives.
This means implementing unified platforms that connect security and IT data, creating comprehensive visibility across your entire technology landscape. When security teams can see which applications are running in the environment and IT understands the threat landscape, shadow AI becomes far less "shadowy."
Improved visibility is only the beginning. Once you can see the full extent of AI usage in your environment, you need frameworks to govern it effectively.
This requires clear policies around AI usage that balance security needs with productivity benefits; approved alternatives for common AI use cases; regular audits of data flows between corporate systems and external AI tools; and continuous monitoring for new AI tools appearing in your environment.
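The last two items, auditing what flows to external AI tools and watching for new ones, are the part of this that can be automated against data most organisations already have: the web-proxy log. The script below is an added example, not code from the article or from Ivanti. Everything that looks like a fact in it is an assumption: the proxy log format, the hostnames (all under the reserved .example domain), the sanctioned and known-unsanctioned host lists, the substring tokens used to spot unseen AI hosts, and the upload-size threshold. It reads constructed log lines, classifies each destination host, totals per-user request counts and bytes sent to unsanctioned AI services, flags large POST/PUT bodies as likely document uploads, and collects previously unseen hosts that look like AI tools into a review queue.

```python
"""Audit web-proxy logs for traffic to generative-AI services.

Added example (not from the article or Ivanti). Every host list, the log
format and the threshold below are assumptions to replace with your own
policy and your proxy's real format.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed policy lists. Hostnames are hypothetical (.example is reserved).
SANCTIONED_AI_HOSTS = {"assistant.corp-approved.example"}
KNOWN_AI_HOSTS = {
    "chat.genai-vendor.example",
    "api.genai-vendor.example",
    "studio.other-llm.example",
}
# Substrings that make an unseen host worth a human look. Deliberately broad:
# this feeds a review queue, not a block list.
AI_HOST_TOKENS = ("gpt", "llm", "genai", "copilot", "chatbot")
# Assumed threshold: a POST/PUT body this large to an unsanctioned AI host is
# more likely a document upload than a typed prompt.
UPLOAD_BYTES_THRESHOLD = 50_000

# Assumed proxy log format, one request per line:
#   <iso-timestamp> <user> <src-ip> <method> <url> <status> <bytes-from-client>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<bytes_out>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    rec["status"] = int(rec["status"])
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def classify_host(host):
    """sanctioned | known_unsanctioned | candidate (unseen, looks like AI) | other."""
    if host in SANCTIONED_AI_HOSTS:
        return "sanctioned"
    if host in KNOWN_AI_HOSTS:
        return "known_unsanctioned"
    if any(tok in host for tok in AI_HOST_TOKENS):
        return "candidate"
    return "other"


def audit(lines):
    """Summarise unsanctioned AI traffic per user and collect candidate new hosts."""
    users = defaultdict(lambda: {"requests": 0, "bytes_out": 0,
                                 "hosts": set(), "large_uploads": []})
    candidates = set()
    malformed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1   # surface parser drift instead of silently dropping lines
            continue
        cls = classify_host(rec["host"])
        if cls == "candidate":
            candidates.add(rec["host"])
        if cls not in ("known_unsanctioned", "candidate"):
            continue         # sanctioned tool or ordinary site: not a finding
        u = users[rec["user"]]
        u["requests"] += 1
        u["bytes_out"] += rec["bytes_out"]
        u["hosts"].add(rec["host"])
        if rec["method"] in ("POST", "PUT") and rec["bytes_out"] >= UPLOAD_BYTES_THRESHOLD:
            u["large_uploads"].append((rec["ts"], rec["host"], rec["bytes_out"]))
    return {"users": dict(users), "candidate_hosts": candidates, "malformed": malformed}


# Constructed sample log for demonstration; not real traffic.
SAMPLE_LOG = """\
2025-06-03T09:12:01Z alice 10.1.2.3 GET https://intranet.corp.example/wiki 200 312
2025-06-03T09:12:44Z alice 10.1.2.3 POST https://assistant.corp-approved.example/v1/chat 200 4210
2025-06-03T09:15:09Z bob 10.1.2.7 POST https://chat.genai-vendor.example/api/conversation 200 88213
2025-06-03T09:15:30Z bob 10.1.2.7 GET https://chat.genai-vendor.example/ 200 0
2025-06-03T09:20:11Z carol 10.1.2.9 POST https://api.genai-vendor.example/v1/files 200 1340022
2025-06-03T09:21:02Z dave 10.1.2.11 GET https://new-gpt-notes.example/app 200 512
this line is garbage
2025-06-03T09:22:40Z bob 10.1.2.7 POST https://studio.other-llm.example/upload 200 70000
"""

if __name__ == "__main__":
    report = audit(SAMPLE_LOG.splitlines())
    for user, u in sorted(report["users"].items()):
        print(f"{user}: {u['requests']} requests, {u['bytes_out']} bytes out to "
              f"{sorted(u['hosts'])}, {len(u['large_uploads'])} large upload(s)")
    print("candidate new AI hosts for review:", sorted(report["candidate_hosts"]))
    print("malformed lines:", report["malformed"])
```

Two caveats a practitioner will hit immediately. The substring heuristic is noisy by design (a host such as allmail.example matches the "llm" token), so treat the candidate list as a queue for a human to confirm and then promote into the known list, never as an automatic block. And the proxy only sees what goes through it: traffic that bypasses it, AI features embedded inside already-sanctioned SaaS, and desktop agents talking to hosts that are not on any list all stay invisible, which is exactly the gap the article is describing; endpoint and identity telemetry have to close it.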
If you’re tempted to wait and see how things play out before making core shifts here, please hear me when I say that this is not the time to dawdle about. Many of your competitors are already moving from binary "allow/block" approaches to more nuanced governance models that accommodate the reality of AI’s value while managing its risks. The longer you wait, the further you’ll fall behind.
Keep in mind that you can implement the best technology solutions to tackle this problem and things still won’t change unless you also address the attitudes and cultural elements surrounding silos. To make the invisible visible, here’s what else needs to happen:
You don’t necessarily need an enormous security budget to make this work. Dismantling structural divisions ought to make things significantly more efficient.
Even if you don’t take all my suggestions here, I urge you to recognise that shadow AI isn’t going away. The productivity benefits are too compelling, and the technology is becoming too embedded in everyday tools. The challenge isn’t to eliminate it, but to bring it into the light where it can be managed effectively.
The alternative — continuing with massive visibility gaps while AI capabilities rapidly evolve — is too risky to contemplate.
David Shepherd is SVP EMEA at Ivanti
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543