Shadow AI risk: Navigating the growing threat of ungoverned AI adoption
AI is transforming how businesses operate, but it’s also creating new, often hidden risks. As employees and business units eagerly embrace and experiment with AI solutions, many organizations are losing control over where and how AI is being used. A new threat is emerging: shadow AI. This unsanctioned use of AI tools without oversight from IT or security teams has quickly become a top concern for CISOs.
According to Delinea’s 2025 AI in Identity Security Demands a New Playbook report, 44% of organizations with at least some AI usage struggle with business units deploying AI solutions without involving IT and security teams. An equal percentage grapple with unauthorized usage of generative AI by employees. Below are three of the biggest risks organizations face as shadow AI grows, and what CISOs can do to get ahead of them:
1. Policy and visibility gaps in AI governance
While most organizations (89%) have implemented some form of policies or controls to restrict or monitor AI access to sensitive data, the scope and effectiveness of these measures vary.
Only half (52%) of global organizations claim to have comprehensive controls in place, with smaller companies lagging even further behind. This lack of robust governance and visibility leaves organizations vulnerable to data breaches, compliance failures, and security risks.
For many organizations, AI controls are lacking. For example, an acceptable use policy for AI tools is the most common AI control in use. This should be a basic expectation, yet only 57% of organizations have one in place. Even fewer have adopted critical measures, such as access controls for AI agents and models (55%), AI activity logging and auditing (55%), and identity governance for AI entities (48%).
Without these foundational controls, CISOs are essentially flying blind when it comes to AI activity within their organization’s digital ecosystems.
2. New agentic AI challenges
As AI systems become more autonomous and capable of acting on behalf of users, the risks grow even more complex. The rise of agentic AI, which can make decisions and take independent action within systems, amplifies the impact of weak identity security controls.
As these advanced AI systems are given more control over critical systems and data, the potential risk of security breaches and compliance failures grows exponentially. To keep pace, security teams must evolve their identity security strategies to include these emerging machine entities, treating them with the same rigor as human identities.
3. Organizations are overconfident in machine identity management
Despite the evident gaps in AI governance and visibility, many organizations overestimate their readiness. Delinea’s research found that a staggering 93% of organizations express confidence in their machine identity security efforts. Yet, most firms rely on basic processes for managing the identity lifecycle of machine identities (82%) rather than comprehensive, automated controls (58%).
Only 61% of organizations claim to have full visibility into all machine identities for the purpose of monitoring for compromise, a gap that makes misuse difficult to detect. This disconnect between confidence and capability leaves organizations vulnerable to unseen threats that could easily propagate through unmanaged AI systems.
How to stay ahead of shadow AI with robust identity security
To effectively mitigate the risks associated with shadow AI and ungoverned AI adoption, organizations need to start with a solid foundation of governance and visibility. That means implementing clear acceptable use guidelines, access controls, activity logging and auditing, and identity governance for AI entities.
By treating AI entities as identities that are subject to the same authentication, authorization, and monitoring as human users, organizations can safely harness the benefits of AI without compromising security.
As agentic AI systems become more prevalent, it is crucial that organizations adapt their identity strategies to account for these new risks. That includes implementing more granular access controls, enhancing monitoring and auditing capabilities, and investing in advanced identity governance solutions that can keep pace with the rapidly evolving AI landscape.
Ultimately, CISOs and IT leaders must take a proactive approach:
- Collaborate early and often with business units experimenting with AI
- Stay informed about emerging risks and threats
- Champion a robust AI governance framework that balances innovation with security and risk management
With the right identity security strategy, organizations can confidently embrace AI while keeping their business operations and data safe.