The people's voice of reason
The people's voice of reason
Shadow IT has been a challenge for security teams for years, and now AI is raising the stakes. As organizations race to adopt new tools, shadow AI is spreading across teams.
Vanta data shows that 70% of companies have AI tools accessing their environment without going through proper procurement channels, and fewer than 2% of unmanaged vendors ever receive a security review. The result is a growing gap between adoption and control—one that’s harder to manage because these systems can take action, not just store data.
To close that gap, organizations need a clearer way to see, manage, and control how AI is used across the business. This guide from Vanta covers how to:
AI agents sit inside customer support platforms, procurement tools, engineering workflows, and compliance processes. They both assist with and participate in how work gets done.
Eight in 10 organizations are already deploying or planning to deploy agentic AI. Looking ahead, Gartner predicts that 40% of enterprise applications will include task-specific AI agents by the end of 2026.
AI agents are spreading across marketing, sales, HR, finance, and security, but ownership doesn’t always follow. Organizations may not have a reliable way to answer basic questions like:
Without a baseline, governance can be reactive and incomplete by default.
There’s a noticeable mismatch between how quickly organizations adopt AI and how well they understand it. That’s when the shadow AI starts to take hold.
Vanta data shows that shadow IT is growing 36% year over year, fueled in part by AI adoption.
Microsoft’s Cyber Pulse Report, released in February, also found that 29% of data security professionals surveyed in July 2025 reported using unsanctioned AI tools at work. For example, a team might give an agent broad API access just to get it working, or skip review because a tool seems low risk. Over time, those decisions add up to systems no one fully owns or understands.
As AI spreads across more systems without clear guardrails, incidents are becoming more common and harder to catch before they cause damage. The missing piece is dependable governance.
The data reflects that shift:
These cases are a byproduct of fast adoption without consistent oversight. One example may be an AI agent pulling sensitive data into logs, triggering the wrong workflow, or exposing information through downstream systems. Without clear visibility, it’s hard to trace what happened or where it started.
At the same time, most teams don’t have the capacity to keep up. Nearly two-thirds of organizations say they spend more time proving security than improving it, according to Vanta’s fall 2025 The State of Trust Report. Per the report, teams already spend about 12 weeks a year on compliance work. That leaves little room to manage systems that are constantly changing—especially when they can act on their own.
As incidents become more common, some patterns are starting to emerge in how organizations respond.
As AI risk grows, a few patterns are starting to emerge in how organizations approach governance. The shift is toward more consistency in how AI systems are understood and controlled.
In many environments, AI agents are increasingly treated like identities. If a system can access data or take action, it’s given defined permissions, with clearer boundaries around what it can and can’t do.
There’s also more attention on autonomy. Rather than letting capabilities expand organically, teams are starting to define where automation is appropriate and where human review still matters.
Monitoring is shifting, too. Periodic reviews are giving way to more continuous visibility, especially as systems begin to act across multiple tools and datasets.
And as AI spreads across teams, ownership is becoming more explicit. Instead of shared or unclear responsibility, organizations are starting to define who is accountable for how each system behaves.
Across all of this, the direction is consistent: moving from fragmented oversight to systems that can keep pace with how quickly AI is actually used.
For most organizations, this shift doesn’t begin with a full governance overhaul. It usually starts with visibility.
As AI use expands, teams are working to answer a basic set of questions: What’s running, where it’s connected, and what it’s allowed to do? That baseline is often incomplete at first, especially in environments where tools have been adopted quickly.
From there, structure tends to build gradually. Teams start adding guardrails around higher-risk actions, clarifying access, and introducing more consistent monitoring as systems evolve.
The process isn’t always linear. But over time, organizations that invest in visibility and control tend to move away from reactive fixes toward something more sustainable, where AI governance can keep up with how AI is actually used.
Vanta’s research has identified another dynamic shaping how organizations approach managing AI: External expectations are on the rise.
Those expectations extend to AI. Customers want to understand how AI is being used, what controls are in place, and how risks are managed, and partners are asking similar questions as procurement processes evolve.
When organizations can clearly show how they control and monitor their AI systems, it builds confidence with buyers, makes security reviews smoother, and helps unblock deals that might otherwise stall.
AI governance plays a direct role in revenue, partnerships, and growth.
You can’t manage what you can’t see, and AI adoption isn’t slowing down. It’s only getting more embedded, more distributed, and more essential to how work gets done.
However, most organizations don’t yet have a clear picture of their own AI footprint. They might not know exactly how many agents are running, where they’re deployed, or what they’re allowed to do.
Without visibility, risk grows alongside adoption. Unmanaged AI might not fail loudly in the beginning. Instead, it accumulates small gaps with unclear permissions, missing oversight, and fragmented ownership. But those gaps can connect.
The most practical place to start is also the most foundational: Make AI visible. Once you can see it clearly—where it lives, what it touches, how it behaves—you can begin to shape it.
This story was produced by Vanta and reviewed and distributed by Stacker.
Reader Comments(0)