Security Teams Confront Shadow AI Tool Risks
BleepingComputer reports that employees typically run three to five AI tools daily, and many of those tools are unapproved and unseen by IT. According to Adaptive Security research cited in the article, 80% of employees use unapproved generative AI at work while only 12% of companies have a formal AI governance policy. The article identifies the "shadow AI gap," noting that browser-based tools and OAuth connections can bypass traditional perimeter monitoring and access corporate documents without routing through corporate networks. It outlines a five-step programme beginning with discovery of active tools and OAuth permissions, and argues organisations should channel adoption into visible, governed pathways rather than attempting blanket bans. The piece is offered as actionable guidance for security and IT teams to regain visibility without blocking productivity.
What happened
BleepingComputer published a sponsored guide titled "5 Steps to Managing Shadow AI Tools Without Slowing Down Employees." The piece reports that across most organisations employees run three to five AI tools on any given day, and many of those tools were never reviewed by IT. The article cites Adaptive Security research stating 80% of employees use unapproved generative AI applications at work and that only 12% of companies have a formal AI governance policy in place. The article describes a widening "shadow AI gap" where browser-based tools and applications that obtain access via OAuth or browser sessions bypass traditional network and email monitoring, exposing shared drives, email, and internal documents without security-team visibility.
Technical details
The article's Step 1 recommends discovery focused on three primary vectors: OAuth connections, browser extensions, and lightweight agents or audits to detect extensions and third-party apps requesting wide permission scopes. The piece explains that OAuth approvals can grant read/write permissions to Google Workspace or Microsoft 365, which can surface dozens of unvetted tools during a quarterly audit. It also notes that many AI copilots and summarizers run inside the browser and therefore avoid endpoint tools that only inspect operating-system-level processes.
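As an added example (not from the article or from Adaptive Security), the following Python triage takes exported OAuth grant records and surfaces the apps that hold broad mail or file scopes, which is the Step 1 audit described above. The grant records, app names and users are constructed for illustration; the scope strings are real Google and Microsoft Graph scope identifiers.

```python
from collections import defaultdict

# Constructed sample shaped loosely like a third-party app authorization export
# from Google Workspace or Microsoft 365; app names, users and layout are invented.
SAMPLE_GRANTS = [
    {"app": "MeetingSummarizer AI", "user": "alice@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/gmail.readonly"]},
    {"app": "MeetingSummarizer AI", "user": "bob@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"app": "Slide Helper", "user": "carol@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    {"app": "Inbox Copilot", "user": "dave@example.com",
     "scopes": ["Mail.ReadWrite", "Files.ReadWrite.All", "User.Read"]},
    {"app": "Calendar Bot", "user": "erin@example.com",
     "scopes": ["Calendars.Read"]},
]

# Scopes that grant broad read or write access to corporate mail and files.
# Google scopes are full URLs; Microsoft Graph scopes are short names.
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/gmail.modify": "read/modify all mail",
    "Mail.ReadWrite": "read/write all mail",
    "Mail.Read": "read all mail",
    "Files.ReadWrite.All": "read/write all files",
    "Files.Read.All": "read all files",
}

def triage_grants(grants):
    """Aggregate per app: who consented and which broad scopes were granted.
    Apps with no high-risk scope stay in the result so the inventory is complete."""
    apps = defaultdict(lambda: {"users": set(), "risky": set()})
    for g in grants:
        entry = apps[g["app"]]
        entry["users"].add(g["user"])
        for scope in g["scopes"]:
            if scope in HIGH_RISK_SCOPES:
                entry["risky"].add(HIGH_RISK_SCOPES[scope])
    return {app: {"users": sorted(v["users"]), "risky": sorted(v["risky"])}
            for app, v in apps.items()}

def review_queue(grants):
    """Apps to review first: those holding a broad scope, most users first."""
    summary = triage_grants(grants)
    flagged = [(app, v) for app, v in summary.items() if v["risky"]]
    return [app for app, v in sorted(flagged, key=lambda kv: (-len(kv[1]["users"]), kv[0]))]
```

Running `review_queue(SAMPLE_GRANTS)` on the constructed data puts the summarizer with two consenting users and full Drive plus mail access at the top of the audit list, while apps limited to per-file or calendar scopes are inventoried but not flagged.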
Industry context
Industry reporting frames shadow AI as an evolution of previous shadow SaaS problems: ad hoc tool adoption solved immediate productivity needs while creating new blind spots for security teams. Observed patterns in comparable incidents show that discovery-first programmes paired with straightforward governance - rather than outright bans - tend to reduce exposure while preserving developer and knowledge-worker velocity.
For practitioners
The article structures a five-step programme that starts with discovery and auditing, and then moves toward governance, integration, controls, and user education. Editorial analysis: organisations attempting similar programmes should prioritise low-friction discovery (OAuth app audits, browser extension inventories) and clear approval pathways so workers can keep productivity gains without creating unmanaged data exfiltration risks.
What to watch
Track whether security tooling vendors expand capabilities for browser-extension detection, OAuth app-scoping dashboards, and managed integrations with enterprise identity providers. Also watch for increases in formal AI governance policies, given the low baseline of 12% reported by Adaptive Security.
Scoring Rationale
The story highlights a growing operational security issue that affects most organisations and security teams, offering practical discovery-and-governance steps valuable to practitioners. It is notable but not a frontier research or platform-level event.