Fyself News

5 steps to manage shadow AI tools without degrading employee performance

May 27, 2026

When employees install an AI writing assistant, connect a coding copilot to their IDE, or start summarizing meetings with a new browser tool, they’re doing exactly what productive employees should be doing: finding ways to work faster.

In most organizations today, employees run three to five AI tools a day. Most were never reviewed by IT. A significant portion connect to corporate data through OAuth tokens or browser sessions, giving the tools access to shared drives, emails, and internal documents that employees never specifically intended to share. Security teams are often unaware of it.

This is the shadow AI gap, and it is growing rapidly. Most security tools are built to monitor email and network traffic flowing through corporate networks. Browser-based AI tools that connect to corporate data through quick login approvals never traverse the corporate network and thus completely bypass these controls. According to Gartner, 69% of organizations suspect or have confirmed that employees are using prohibited AI tools in the workplace, and only 37% have AI governance policies in place. As a result, there is a growing disconnect between how employees work and what security teams can see.

A program that guides AI adoption down a secure, visible, and approved path provides security teams with the visibility they need and gives employees the tools they need. The five steps below show you exactly how to build it.

Step 1: Build a complete picture of what’s running

A security program can only manage what it can see. The first step is to discover which AI tools are used across your organization, and most security teams will find the answer surprising.

Three areas account for the majority of shadow AI activity.

  • OAuth connections. Most AI tools request access to Google Workspace or Microsoft 365 via OAuth, giving them read or write permissions to corporate data. Quarterly audits of connected third-party apps, categorized by permission scope, typically reveal dozens of tools that security teams haven’t reviewed.
  • Browser extensions. Many AI tools run as browser extensions and never touch the operating system, so traditional endpoint management tools miss them entirely. A browser management solution or lightweight agent installed on employee devices can scan and identify active extensions across your organization.
  • AI capabilities bundled with already-approved tools. Microsoft Copilot, Google Gemini, and Salesforce Einstein are examples of AI capabilities that may have been introduced after the original vendor review, often without a separate security assessment.

It’s also worth conducting a simple employee survey. Surveys framed as helping employees work more safely tend to yield more candid answers. Many shadow tools that automated detection misses entirely surface this way.

The goal of this step is to create a current and accurate inventory of all AI tools in use, who is using them, and what data they have access to.
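
One way to build the Step 1 inventory from OAuth grants, as an added example that is not code from the article or from any vendor: it collapses per-user grants into one row per app (who uses it, what data it reaches) and queues unapproved apps by scope tier. The record fields are assumed to mirror a Google Workspace token export; the tiering, app names, users and client IDs are constructed.

```python
# Added example: scope tiers are this example's assumption, not a vendor rating.
PREFIX = "https://www.googleapis.com/auth/"
SCOPE_RISK = {
    PREFIX + "drive": (3, "all Drive files (read/write)"),
    PREFIX + "drive.readonly": (3, "all Drive files (read)"),
    PREFIX + "gmail.readonly": (3, "all mail (read)"),
    PREFIX + "calendar.readonly": (2, "calendars (read)"),
    PREFIX + "drive.file": (1, "only files opened with the app"),
    "openid": (0, "sign-in identity"),
}
UNKNOWN = (2, "unclassified scope, review manually")  # never silently treat as safe
TIER = ["identity-only", "limited", "broad", "full-content"]

def build_inventory(grants, approved_client_ids):
    """Collapse per-user grants into one row per app: users, worst tier, data reach."""
    apps = {}
    for g in grants:
        row = apps.setdefault(g["clientId"], {
            "app": g["displayText"], "users": set(), "tier": 0, "data": set(),
            "approved": g["clientId"] in approved_client_ids})
        row["users"].add(g["userKey"])
        for scope in g["scopes"]:
            tier, data = SCOPE_RISK.get(scope, UNKNOWN)
            row["tier"] = max(row["tier"], tier)
            if tier > 0:  # identity-only scopes expose no corporate content
                row["data"].add(data)
    return apps

def review_queue(apps):
    """Unreviewed apps that reach corporate data; worst tier, then most users, first."""
    pending = [r for r in apps.values() if not r["approved"] and r["tier"] > 0]
    pending.sort(key=lambda r: (-r["tier"], -len(r["users"])))
    return [(r["app"], TIER[r["tier"]], len(r["users"]), sorted(r["data"])) for r in pending]

# Constructed sample grants: hypothetical apps, users and client IDs.
SAMPLE_GRANTS = [
    {"userKey": "ana@example.com", "clientId": "111", "displayText": "NoteSummarizer AI",
     "scopes": ["openid", PREFIX + "drive.readonly", PREFIX + "calendar.readonly"]},
    {"userKey": "ben@example.com", "clientId": "111", "displayText": "NoteSummarizer AI",
     "scopes": ["openid", PREFIX + "drive.readonly"]},
    {"userKey": "ana@example.com", "clientId": "222", "displayText": "DraftHelper",
     "scopes": [PREFIX + "drive.file", "openid"]},
    {"userKey": "cy@example.com", "clientId": "333", "displayText": "ApprovedCopilot",
     "scopes": [PREFIX + "drive"]},
    {"userKey": "cy@example.com", "clientId": "444", "displayText": "LoginOnly Chat", "scopes": ["openid"]},
]
APPROVED = {"333"}  # client IDs already on the approved-tools list

if __name__ == "__main__":
    print(*review_queue(build_inventory(SAMPLE_GRANTS, APPROVED)), sep="\n")
```

Apps that only request sign-in identity drop out of the queue, and any scope missing from the table is tiered as "broad" so it gets a manual look rather than a pass.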

Step 2: Create policies that work for your employees

Most AI acceptable use policies stall for the same reason: employees are given a list of prohibited tools without any guidance on what the approved path is. A policy designed as a practical guide identifies approved tools and provides a clear process for requesting new ones, giving employees the foundation they need to make good decisions.

An effective AI governance policy includes five things.

  • A current list of approved tools and where to find them.
  • Clear data classification rules that specify categories of data that should never be fed into AI tools, such as customer records, source code, and financial information.
  • Validated data training opt-out status for each approved tool. By default, many AI tools use company inputs to improve their models unless the settings are explicitly configured otherwise. Approval requires a confirmed opt-out for tools that handle sensitive data.
  • A defined process for requesting new tools, with a target turnaround time.
  • A clear explanation of why the guidelines exist.

That last element is more important than you might think. Employees who understand why OAuth connections carry the risk of data leakage will apply that reasoning to every decision they make about their tools. A policy that includes its reasoning becomes education.

Step 3: Create a fast lane for new tool requests

Shadow AI grows fastest in organizations where formal approval processes cannot keep up with the pace of AI product releases. Employees who need a tool now and are facing a six-week security review will likely find a workaround within days. The purpose of this step is to remove that friction.

Most requests for AI tools do not warrant a full procurement review. A structured intake form with a defined set of evaluation criteria is sufficient for most low-risk tools and enables faster decision-making. For tools with limited data access, many organizations find that faster turnaround is possible when evaluation criteria are documented and applied consistently. Evaluation criteria should include scope of data access, vendor security practices, data training opt-out status, compliance certification, and whether a functionally equivalent tool is already on the approved list.

Security teams that keep their list of approved tools openly available and up-to-date typically see significantly reduced use of shadow AI. Employees will use the right tools if they know where to find them.

Step 4: Use monitoring as a shared safety layer

Continuous visibility into AI tool usage across your organization allows you to serve two groups simultaneously.

Security teams get the real-time visibility needed to identify and address exposures before they become incidents. Employees get a form of protection they wouldn’t have on their own: a signal that the tool they’re using may be putting their credentials or company data at risk.

A browser-native monitoring approach gives security teams visibility into AI activity without rerouting employees’ web traffic or adding strain to their daily work. Captured signals feed into each employee’s broader risk profile and are stored in one place alongside phishing simulation results and training completion data.

Risky behavior takes multiple forms, so a combined view is important. An employee who clicks on phishing links, skips training, and runs unauthorized AI tools with access to sensitive data poses a much higher risk than any single action would suggest. Seeing the big picture in one place allows security teams to focus on the employees who need the most attention.

Step 5: Make good security behavior easier

The security program that makes it easiest for your employees to make safe choices is the one that your employees follow. In the context of AI governance, two things drive it: just-in-time coaching and training that explains the reasoning behind the rules.

Just-in-time coaching provides short, contextual prompts the moment an employee attempts to use an unapproved tool. This is more effective than quarterly training modules because the intervention occurs at the point of decision-making. A well-designed prompt communicates concerns to employees, directs them to approved alternatives, and takes less than 30 seconds to read.

Training that explains the reasoning behind AI governance policies builds judgment that employees can apply to any situation they encounter, including tools and threats that emerge long after the training itself. The landscape of AI tools is changing rapidly, so no training program can predict every specific case. Employees who understand that an OAuth connection to a company’s Google Workspace can potentially expose their entire shared drive to third-party vendors will apply that understanding to tools that didn’t exist six months ago.

Building a security program based on how your team works

AI adoption is a sign of teams trying to get their jobs done better. Companies that build on this momentum with practical programs, offering a clear path to approved tools and real-time visibility for their security teams, tend to be best positioned to capitalize on it.

Security teams closing this gap have found that the use of shadow AI has naturally declined over time. Browser-native visibility, a clear path to approved tools, and just-in-time coaching at the moment of risk make it possible. When employees have access to effective, approved tools and a fast, transparent path to getting new tools reviewed, there is little incentive to circumvent the system.

Adaptive Security’s AI governance products include automated policies and just-in-time employee coaching, giving security teams real-time visibility into all AI tools and shadow apps running across the organization. For more information, please visit adaptivesecurity.com.

This article is a contribution from one of our valued partners.
