Shadow agents: finding the ungoverned AI already running in your enterprise
A security team I spoke with ran a routine OAuth audit last quarter. They expected to find the usual suspects: a few unsanctioned Slack integrations, maybe a rogue analytics tool. Instead, they found 23 AI-powered applications with active API tokens connected to their Google Workspace. Seventeen of them had read access to shared drives containing customer data. Nobody in IT had approved any of them.
One agent had been summarizing meeting transcripts and sending the summaries to an external service for “enhanced analysis.” That external service’s privacy policy allowed training on customer data. The agent had been running for four months.
This is the shadow agent problem. Not a theoretical risk. A running process. Right now. In your environment.
The scale of the problem
The numbers paint a consistent picture across every survey conducted in the past 12 months.
BlackFog’s research, surveying 2,000 employees across the US and UK, found that 86% use AI tools at least weekly for work-related tasks. 49% use tools not sanctioned by their employer. 60% believe using unsanctioned AI tools is acceptable if it helps meet deadlines faster. And 51% have connected AI tools to work systems without IT approval.
These are not rogue actors. These are employees trying to do their jobs faster. The problem is not malicious intent. It is the gap between what employees need and what IT provides.
The shadow AI breach premium
Organizations with high levels of shadow AI experience average breach costs of $4.63 million, $670,000 more than those with low or no shadow AI, according to the IBM 2025 Cost of a Data Breach Report. Annual insider risk costs reach $19.5 million per organization, with 53% ($10.3 million) driven by non-malicious actors, primarily shadow AI negligence.
How shadow agents proliferate
Shadow agents do not appear through a single entry point. They arrive through four channels, each with its own detection challenge.
Channel 1: Developer side projects
A developer needs to automate a code review workflow. They sign up for an API key with their personal email, connect it to the internal repo and deploy a lightweight agent that reviews pull requests. It works well. Teammates ask for access. Within a month, the agent is handling 40% of code reviews and nobody outside the team knows it exists.
The agent has read access to source code. It sends code snippets to an external LLM API for analysis. The code includes proprietary algorithms, internal architecture patterns and occasionally customer configuration data embedded in test fixtures.
Detection challenge: The API key is personal, not corporate. The cost appears on no corporate expense report. Network traffic to the API endpoint blends with legitimate developer tool traffic.
Channel 2: SaaS-embedded agents
This is the fastest-growing channel and the hardest to govern. Your existing SaaS vendors are embedding AI features directly into their products: Salesforce Einstein, HubSpot AI, Notion AI, Slack AI, Microsoft Copilot. These agents activate with a toggle; there is no procurement process, no IT review and no separate purchase order to flag.
By 2026, 70% of employee AI interactions are expected to happen through embedded SaaS features rather than standalone AI tools. Your employees are not “adopting AI.” Your vendors are activating it inside tools your employees already use.
Detection challenge: The agent runs within a sanctioned application. No new OAuth token. No new network destination. The SaaS-embedded agent governance problem is invisible to traditional shadow IT detection because the application itself is approved. Only the AI feature within it is ungoverned.
Channel 3: Department-level deployments
A marketing director purchases a $200/month AI content generation tool on their corporate card. Legal subscribes to an AI contract analysis service. HR deploys a resume screening bot. Each department solves its own problem independently.
The result: five departments running five AI tools, none registered with IT, each processing different categories of sensitive data (customer data, financial records, employee PII, legal documents, intellectual property) and none subject to data handling policies.
Detection challenge: The purchases are small enough to fly under procurement thresholds. Each tool looks like a routine SaaS subscription. Without AI-specific expense categorization, they are invisible in financial systems.
Channel 4: Vendor-provided agents
Your managed service provider deploys an AI agent to monitor your infrastructure. Your outsourced customer support vendor uses an AI agent to handle tier-1 tickets. Your consulting firm uses an AI agent to analyze your financial data during an engagement.
These agents operate in your environment, access your data and make decisions that affect your operations. But they are not in your agent inventory because they belong to a third party.
Detection challenge: Vendor agents often operate under the vendor’s credentials, not yours. They access your data through existing integration points. Unless your contracts explicitly require AI disclosure, you have no visibility into whether your vendors are using agents on your behalf.
This research is a stark indication of how widely unapproved AI tools are being used and the level of risk tolerance amongst employees and senior leaders.
Why traditional asset management misses agents
Your CMDB tracks servers. Your MDM tracks devices. Your CASB tracks SaaS applications. Your IAM tracks user identities. None of them were designed to track AI agents.
Agents are not servers. They do not have IP addresses. They do not appear as rows in your infrastructure inventory. An agent running as a scheduled function inside a SaaS platform leaves no footprint in your CMDB.
Agents are not applications. A single SaaS application might contain three, five or ten embedded AI features, each behaving as an independent agent with its own data access patterns. Your CASB sees one sanctioned application. It does not see the agents operating inside it.
Agents are not users. They may use service accounts, API keys or OAuth tokens. They may inherit permissions from the human who activated them. Your IAM system shows a user with normal access patterns. It does not show that the user’s permissions are being exercised by an autonomous agent 200 times per hour.
This is why the CMDB model needs extension for the agent era. Traditional asset management tracks what you deploy. Agent governance must also track what deploys itself.
A Gartner survey of 302 cybersecurity leaders found that 69% of organizations suspect or have evidence that employees use prohibited public GenAI. Gartner predicts that by 2030, more than 40% of enterprises will experience security or compliance incidents linked to unauthorized shadow AI. The gap between suspecting the problem and finding the problem is the discovery challenge.
The risk exposure you cannot see
Unknown agents create five categories of risk that compound with every agent you do not know about:
1. Data exfiltration without intent. Employees paste sensitive data into AI tools without malicious purpose. 77% of employees who use AI tools paste sensitive business data into them without visibility, controls or audit trail. Customer records, financial data, source code, employee information, all flowing to external services whose data handling practices nobody in your organization has reviewed.
2. Decision authority without authorization. A shadow agent making recommendations is one thing. A shadow agent making decisions, approving expenses, screening candidates, classifying risk, routing customer requests, is another. If the agent has write access to business systems, it is making decisions on your behalf without governance, audit trail or accountability.
3. Compliance gaps you cannot report. The EU AI Act requires organizations to maintain registries of high-risk AI systems, GDPR requires data processing records and SOC 2 requires access control documentation. If you do not know an agent exists, you cannot comply with any of these requirements. The compliance violation is not the agent itself; it is the absence of the agent from your governance records.
4. Attack surface expansion. Every shadow agent is an ungoverned entry point. API keys without rotation schedules. OAuth tokens with excessive permissions. Service accounts without monitoring. A shadow agent compromised through prompt injection gives an attacker the same access the agent has, and nobody is watching.
5. Incident response blind spots. When a data breach occurs, your incident response playbook requires inventorying all systems involved. If shadow agents accessed the affected data, they are part of the blast radius, but they are not in your inventory. Your forensic analysis is incomplete before it starts, your regulatory notification may understate the scope and your remediation may miss the actual vector.
The visibility gap
Of the 87% of companies that have AI agents in critical systems, only 25% report full visibility into all agents currently operating in production. 79% of IT leaders encounter unauthorized AI deployments, yet 82% of executives report confidence that their existing policies protect against unauthorized agent actions.
Source: Strata Identity, 2026
The 10-day shadow agent discovery sprint
Comprehensive discovery does not require a six-month project. A focused 10-day sprint covers the three primary detection vectors.
Days 1-3: Expense and procurement review
What you are looking for: AI subscriptions purchased outside normal procurement.
Method:
- Pull six months of corporate card transactions and expense reports. Search for: OpenAI, Anthropic, Claude, Midjourney, Jasper, Copy.ai, Perplexity, Cursor, Replit and any AI tool vendor names.
- Review procurement records for software purchases under the threshold that bypasses IT approval. In most organizations, this is $500-$1,000 per month.
- Check department budgets for line items categorized as “software,” “tools,” or “subscriptions” that were not reviewed by IT.
- Survey department heads about AI tool usage. Direct questions: “What AI tools does your team use?” “Which were purchased on corporate cards?” “Which are embedded in existing tools?”
What you will find: The low-hanging fruit. Tools purchased explicitly for AI capabilities. This typically surfaces 30-40% of shadow AI.
Days 4-6: Identity and access audit
What you are looking for: AI tools connected to corporate systems through OAuth grants, API keys or service accounts.
Method:
- Audit OAuth grants in Google Workspace, Microsoft 365, Salesforce and other major platforms, filtering for grants issued in the last 12 months to applications with AI-related names or capabilities
- Review API keys issued through developer portals and identify keys associated with AI service endpoints (api.openai.com, api.anthropic.com, api.cohere.com)
- Inventory browser extensions across managed endpoints, since AI assistant extensions often have broad page content access
- Review service account activity for patterns consistent with automated AI usage: high-frequency API calls, bulk data reads or requests to known LLM endpoints
What you will find: The connected agents. Tools that have active API access to your corporate data. This is the highest-risk category because these agents have direct data access.
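One way to triage an OAuth grant export for the audit above, as an added example that is not part of the original article. The CSV layout, the name heuristics and the priority labels are assumptions; the scope strings are Google OAuth scopes that expose Drive or Gmail content.

```python
import csv
import io
import re
from datetime import date, timedelta

# Constructed sample export. The column names are assumptions for this example,
# not the schema of any vendor's admin console or API.
SAMPLE_GRANTS_CSV = """app_name,client_id,user,scopes,granted_on
MeetingSummarizer AI,client-001,alice@example.com,https://www.googleapis.com/auth/drive.readonly https://www.googleapis.com/auth/calendar.readonly,2025-03-02
Team Calendar Sync,client-002,bob@example.com,https://www.googleapis.com/auth/calendar.readonly,2025-01-15
DocuHelper,client-003,carol@example.com,https://www.googleapis.com/auth/drive,2025-04-20
GPT Notes,client-004,dave@example.com,https://www.googleapis.com/auth/userinfo.email,2023-02-01
"""

# Name heuristics (assumed; tune to your environment).
AI_WORDS = {"ai", "gpt", "llm", "copilot"}
AI_PREFIXES = ("summar", "assist")
# Google OAuth scopes that expose document or mail content.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://mail.google.com/",
}
# (AI-looking name, broad data scope) -> review priority; other grants are not flagged.
PRIORITY = {(True, True): "high", (False, True): "review", (True, False): "medium"}


def looks_like_ai(app_name):
    # Match whole words so that "ai" does not fire on names such as "Mailer".
    words = re.findall(r"[a-z0-9]+", app_name.lower())
    return any(w in AI_WORDS or w.startswith(AI_PREFIXES) for w in words)


def triage_grants(csv_text, as_of, window_days=365):
    """Return flagged grants issued within the window, highest priority first."""
    cutoff = as_of - timedelta(days=window_days)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if date.fromisoformat(row["granted_on"]) < cutoff:
            continue
        ai_name = looks_like_ai(row["app_name"])
        broad = sorted(BROAD_SCOPES.intersection(row["scopes"].split()))
        priority = PRIORITY.get((ai_name, bool(broad)))
        if priority:
            findings.append({"app": row["app_name"], "user": row["user"],
                             "priority": priority, "broad_scopes": broad})
    order = {"high": 0, "review": 1, "medium": 2}
    return sorted(findings, key=lambda f: order[f["priority"]])
```

The "review" tier exists because an application with no AI hint in its name can still hold content-level scopes, which is where name-based filtering alone falls short.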
Days 7-9: Network and data flow analysis
What you are looking for: AI-related data flows that expense reports and OAuth audits missed.
Method:
- Examine outbound traffic logs for connections to known AI service domains. Maintain an updated list of AI vendor API endpoints.
- Review SSL inspection data for large data uploads to AI services (bulk document processing, dataset uploads).
- Analyze DLP alerts for AI-related patterns: sensitive data being sent to AI classification endpoints, PII flowing to summarization services, source code being transmitted to code review agents.
- Monitor DNS queries for AI-related domains that employees access from corporate networks.
What you will find: The invisible agents. Tools that employees access through a browser without formal installation. Embedded SaaS features that send data to AI backends. This surfaces the remaining 60-70% that expense and OAuth audits missed.
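The outbound-traffic check described above, as an added example rather than code from the article. The four-field log format, the constructed sample lines and the 25 MB upload threshold are assumptions; the 200 requests-per-hour threshold borrows the article's own illustration of agent-driven access.

```python
from collections import defaultdict
from datetime import datetime

# AI API hosts named in the article; extend from your own maintained list.
AI_HOSTS = {"api.openai.com", "api.anthropic.com", "api.cohere.com"}


def build_sample_log():
    """Constructed proxy log, assumed format: '<ISO time> <identity> <host> <bytes_out>'."""
    lines = [
        "2025-05-06T09:02:11 alice api.openai.com 1800",
        "2025-05-06T09:40:03 alice api.openai.com 2100",
        "2025-05-06T09:15:00 bob api.anthropic.com 52000000",
        "2025-05-06T09:20:00 carol intranet.example.com 900000000",
        "malformed line",
    ]
    # A service account calling an LLM endpoint every 15 seconds for one hour.
    for i in range(240):
        stamp = f"2025-05-06T10:{i // 4:02d}:{(i % 4) * 15:02d}"
        lines.append(f"{stamp} svc-reports api.cohere.com 4000")
    return lines


def find_ai_flows(lines, max_req_per_hour=200, max_upload_bytes=25_000_000):
    """Aggregate traffic to AI hosts per identity, host and hour, and tag anomalies."""
    buckets = defaultdict(lambda: [0, 0])  # key -> [requests, bytes_out]
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2].lower() not in AI_HOSTS:
            continue  # malformed line or non-AI destination
        try:
            hour = datetime.fromisoformat(parts[0]).strftime("%Y-%m-%dT%H")
            sent = int(parts[3])
        except ValueError:
            continue
        bucket = buckets[(parts[1], parts[2].lower(), hour)]
        bucket[0] += 1
        bucket[1] += sent
    findings = []
    for (identity, host, hour), (reqs, sent) in sorted(buckets.items()):
        reasons = []
        if reqs >= max_req_per_hour:
            reasons.append("automated-rate")  # identity exercised by a process
        if sent >= max_upload_bytes:
            reasons.append("bulk-upload")     # document or dataset sized transfer
        findings.append({"identity": identity, "host": host, "hour": hour,
                         "requests": reqs, "bytes_out": sent, "reasons": reasons})
    return findings
```

Entries with an empty `reasons` list are still inventory: they record who is talking to which AI service even when no threshold is crossed.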
Day 10: Classification and decision
Every discovered tool gets classified into one of three categories:
- Endorse: The tool serves a legitimate business need and can be governed. Register it in the agent registry, assign an owner, classify its risk and apply governance policies.
- Restrict: The tool serves a need but the current implementation creates unacceptable risk. Provide a governed alternative, migrate users and restrict the ungoverned version.
- Remove: The tool creates risk without sufficient business value. Revoke access, rotate any exposed credentials and notify affected users of approved alternatives.
The critical insight: removal alone does not work. If you remove a shadow tool without providing an approved alternative, employees will find another shadow tool. Organizations that provide approved alternatives see unauthorized usage drop to approximately 9%.
Governance onboarding for discovered agents
Discovery without onboarding is an audit report that gathers dust. Every endorsed agent needs to transition from shadow to governed through a structured workflow:
Step 1: Registration. Enter the agent into the centralized registry with mandatory fields: owner (a named human, not a team alias), purpose, data access requirements, downstream dependencies and the business unit it serves. This is the moment the agent becomes visible.
Step 2: Risk classification. Apply the organization’s risk classification framework based on the data the agent accesses, the decisions it makes and its regulatory exposure. A content summarization agent accessing public documents is low-risk. A financial analysis agent accessing customer financial records and generating recommendations is high-risk.
Step 3: Policy application. Based on the risk classification, apply the appropriate governance policies: access controls, monitoring requirements, review cadence and compliance certifications. Low-risk agents may need only basic monitoring. High-risk agents need continuous observability, quarterly reviews and drift detection.
Step 4: Compliance review. Schedule and complete the first compliance review. This establishes the behavioral baseline against which future drift is measured. Until this review is complete, the agent operates under provisional governance with heightened monitoring.
Step 5: Ongoing monitoring. Connect the agent to your observability infrastructure. Every action, every data access, every decision becomes auditable. The agent is no longer shadow. It is governed.
The entire onboarding workflow should take 1-5 days for low-risk agents and 2-4 weeks for high-risk agents. If it takes longer, the process is too heavy and teams will skip it. If it takes less, it is not thorough enough.
Shadow AI hides best in fear; it surfaces fastest in trust.
Building a culture that prevents shadow agents
Discovery sprints find today’s shadow agents. Culture prevents tomorrow’s. Five organizational changes reduce shadow agent proliferation:
1. Provide approved alternatives that do not suck. The number one reason employees use shadow AI is that the approved alternative is too slow, too limited or does not exist. If your developers need code review automation, provide it. If your marketing team needs content generation, provide it. If you do not provide it, they will provide it themselves, without governance.
2. Make registration fast. If registering an AI tool takes three weeks of approvals, employees will skip it. Self-service registration with automated policy checks for low-risk tools removes the incentive to go shadow. The agent governance implementation playbook should include registration SLAs: 24 hours for low-risk, one week for medium-risk, two weeks for high-risk.
3. Amnesty programs. Run periodic amnesty windows where employees can disclose shadow AI usage without penalty. Frame it as inventory improvement, not enforcement. The goal is visibility, not punishment. Organizations that lead with trust surface more shadow AI than those that lead with policy enforcement.
4. Vendor AI disclosure requirements. Update vendor contracts to require disclosure of AI features, agent deployments and data handling practices. Include specific questions in vendor risk assessments: “Does your product include AI-powered features? Do any features send customer data to external models? What AI agents operate within your platform?”
5. Continuous discovery, not annual audits. The 10-day sprint finds what exists today. But new shadow agents appear every week. Continuous monitoring through network traffic analysis, OAuth grant monitoring and expense tracking keeps the discovery current. Quarterly full sprints catch what continuous monitoring misses.
The cost of not looking
Gartner predicts that by 2030, more than 40% of enterprises will experience security or compliance incidents linked to unauthorized shadow AI. Gartner also forecasts AI governance spending will reach $492 million in 2026 and surpass $1 billion by 2030. The spending is growing because the problem is growing.
The hidden cost of agent sprawl is not just the direct cost of shadow AI breaches. It is the compound effect of ungoverned decisions, unaudited data flows and compliance gaps that accumulate silently until an auditor, a regulator or an attacker surfaces them.
Every shadow agent in your environment is a governance decision you did not make. It is an access control you did not set. It is a compliance certification you did not complete. It is a risk you did not assess. The question is not whether you have shadow agents. The question is how many, and how long they have been running.