Organizations can’t see much of their mobile AI activity

Organizations have limited visibility into AI activity on mobile devices despite security leaders expressing confidence in their AI governance, according to Lookout’s “Solving for the Mobile AI Blind Spot: Executive Confidence Meets Technical Reality” report.


Mobile AI visibility gaps

Enterprises lack visibility into a large share of mobile AI activity taking place on both corporate-owned and BYOD devices. More than half of this activity remains outside the reach of monitoring tools because the interactions happen on the device itself (between local applications and on-device models) or go directly from an app to an external cloud service, so they never pass through the corporate network path that secure web gateways, proxies, and other network-based controls inspect.

When organizations implement strict AI restrictions or monitoring policies, employees often turn to shadow IT and use personal mobile devices instead. Employees rely on a growing number of AI-powered applications, which fragments the software estate and expands the attack surface. The result is a gap between the visibility security leaders believe they have into the mobile ecosystem and the visibility they actually have. The rise of agentic AI further compounds the problem.

“Acceptable-use policies and passive corporate mandates are useless without active, technical enforcement at the edge,” said Firas Azmeh, President of Mobile Endpoint Security at Lookout. “AI governance has escalated to a board-level priority, with 97% of leaders agreeing it is mission-critical.”

Smartphones consolidate identities, authenticated sessions, MFA-validated credentials, and OAuth tokens connected to core enterprise applications. This makes them an ideal platform for agents operating with the user’s digital authority.

Organizations have limited visibility into how autonomous AI agents operate, what data they access, and how permissions are inherited within mobile environments. At the same time, they struggle to identify and audit embedded AI software development kits (SDKs) and third-party libraries within native mobile applications. An otherwise benign application may bundle an unvetted generative AI SDK for background processing that routes corporate data to external LLMs without the organization's knowledge.
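One concrete way to start on the SDK-audit problem described above is to inspect an app's compiled code rather than rely on its store description or vendor questionnaire. The script below is an added example, not tooling from Lookout or from the report: it reads the type table of every classes*.dex inside an Android APK and flags classes whose package prefix matches a watchlist of generative-AI and on-device-model SDKs. The watchlist is an illustrative assumption that must be maintained for your own environment, and the sample APK the script builds inline is constructed for the demonstration (the class names in it are chosen for the demo).

```python
"""Flag embedded AI SDKs in an APK by scanning dex type tables (added example)."""
import struct
import zipfile
from io import BytesIO

# Illustrative watchlist (an assumption, not from the report): dex class-descriptor
# prefixes for a few generative-AI and on-device-model SDKs. Maintain your own list.
AI_SDK_PREFIXES = {
    "Lcom/openai/": "OpenAI Java SDK",
    "Lcom/anthropic/": "Anthropic Java SDK",
    "Lcom/google/ai/client/generativeai/": "Google AI client SDK (Gemini)",
    "Lcom/google/firebase/vertexai/": "Firebase Vertex AI SDK",
    "Lcom/google/mediapipe/tasks/genai/": "MediaPipe on-device LLM inference",
    "Lorg/tensorflow/lite/": "TensorFlow Lite on-device models",
}


def _read_uleb128(buf, off):
    """Decode a dex ULEB128 value; returns (value, offset just past it)."""
    value, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7


def _write_uleb128(value):
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)


def dex_type_descriptors(dex):
    """Return every type descriptor (e.g. 'Lcom/openai/Foo;') referenced by a dex file.

    string_ids_size/off and type_ids_size/off sit at header offset 0x38. A type_id is an
    index into the string table; a string_data_item is a ULEB128 UTF-16 length followed
    by MUTF-8 bytes ending in a NUL byte (MUTF-8 never contains a raw 0x00).
    """
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    str_size, str_off, type_size, type_off = struct.unpack_from("<4I", dex, 0x38)
    strings = []
    for i in range(str_size):
        (data_off,) = struct.unpack_from("<I", dex, str_off + 4 * i)
        _, start = _read_uleb128(dex, data_off)
        end = dex.index(b"\x00", start)
        strings.append(dex[start:end].decode("utf-8", errors="replace"))
    return [strings[struct.unpack_from("<I", dex, type_off + 4 * i)[0]]
            for i in range(type_size)]


def scan_dex(dex):
    """Map SDK name -> set of matching class descriptors found in one dex."""
    hits = {}
    for desc in dex_type_descriptors(dex):
        for prefix, sdk in AI_SDK_PREFIXES.items():
            if desc.startswith(prefix):
                hits.setdefault(sdk, set()).add(desc)
    return hits


def scan_apk(apk):
    """Scan classes.dex, classes2.dex, ... (multidex) inside an APK path or file object."""
    hits = {}
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if name.startswith("classes") and name.endswith(".dex") and "/" not in name:
                for sdk, descs in scan_dex(z.read(name)).items():
                    hits.setdefault(sdk, set()).update(descs)
    return hits


def build_sample_dex(descriptors):
    """Constructed demo input: a minimal dex with only a string table and a type table."""
    n = len(descriptors)
    string_ids_off, type_ids_off = 0x70, 0x70 + 4 * n
    data_off = type_ids_off + 4 * n
    data, string_offsets = bytearray(), []
    for d in descriptors:
        string_offsets.append(data_off + len(data))
        data += _write_uleb128(len(d)) + d.encode("utf-8") + b"\x00"
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<I", header, 0x20, data_off + len(data))  # file_size
    struct.pack_into("<I", header, 0x24, 0x70)                   # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)             # endian_tag
    struct.pack_into("<4I", header, 0x38, n, string_ids_off, n, type_ids_off)
    struct.pack_into("<2I", header, 0x68, len(data), data_off)
    string_ids = b"".join(struct.pack("<I", o) for o in string_offsets)
    type_ids = b"".join(struct.pack("<I", i) for i in range(n))
    return bytes(header) + string_ids + type_ids + bytes(data)


def build_sample_apk():
    """Constructed demo APK: app classes mixed with classes from two AI SDKs."""
    descriptors = [
        "Ljava/lang/Object;",
        "Landroid/app/Activity;",
        "Lcom/example/notes/MainActivity;",
        "Lcom/google/ai/client/generativeai/GenerativeModel;",
        "Lcom/openai/client/OpenAIClient;",
    ]
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", build_sample_dex(descriptors))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for sdk, classes in sorted(scan_apk(build_sample_apk()).items()):
        print(sdk, "->", sorted(classes))
```

Point scan_apk at a real file with scan_apk("app.apk"). Prefix matching tells you an SDK is present, not where the data goes, so pair it with observation of the app's network behaviour; it also misses SDKs whose packages were renamed by R8/ProGuard, code in native .so libraries, and iOS bundles, which need their own inspection.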

The business impact of limited visibility

Global compliance frameworks require end-to-end traceability of data interactions involving AI models. Without this visibility, organizations cannot ensure accountability or demonstrate auditability.

Security leaders are concerned about their ability to produce the audit-ready evidence required by AI governance frameworks.

Shadow permissions remain a major concern. When employees authorize unvetted AI assistants or productivity plugins, those tools obtain OAuth tokens that carry the employee's existing SSO access. Without edge-level governance, autonomous agents holding those tokens can read, crawl, and ingest data from enterprise systems.

The risk is already showing up in incident investigations. Sixty-three percent of surveyed organizations reported investigating security incidents during the previous 12 months in which generative AI tools were identified as a contributing factor in the successful or attempted theft or leakage of sensitive data.

When legacy approaches meet mobile AI

To address these risks, organizations are allocating a growing share of their security budgets to AI governance, visibility, and compliance initiatives.

“Enterprises are burning nearly a fifth of their security budgets trying to solve a 2026 problem with desktop-era tactics,” said Zeus Kerravala at ZK Research.

“Relying on binary web-filtering completely destroys employee productivity and has forced 84% of IT leaders to actively stall business-led AI initiatives. Meanwhile, forcing all mobile data traffic to backhaul through heavy cloud sandboxes introduces crippling user latency and triggers massive cloud compute bills. You cannot secure data fluidly by turning the user’s phone into a non-functional silo. True mobile compliance must happen natively at the edge,” Kerravala continued.

How organizations spend those resources will determine the outcome. For years, enterprises have relied on legacy approaches to manage mobile devices. Web filtering and network access controls are ineffective here because they depend on rigid, allow-or-block enforcement models that cannot govern what data an AI interaction carries.

Blocking access to AI services can reduce productivity and slow business-led AI initiatives.

Routing mobile traffic through cloud sandboxes or virtualized environments to inspect AI interactions creates substantial overhead. It increases latency, drains device batteries, and raises cloud computing and data transfer costs. Many security vendors continue to adapt desktop-focused architectures for mobile devices without accounting for their distinct operating models and usage patterns.

Data security and compliance cannot be achieved through device isolation or virtualization layers alone. Mobile security tools often provide only limited visibility into how data moves between enterprise applications and third-party AI assistants.
