2 Sources
[1]
5 Steps to Managing Shadow AI Tools Without Slowing Down Employees
When an employee installs an AI writing assistant, connects a coding copilot to their IDE, or starts summarizing meetings with a new browser tool, they are doing exactly what a productive employee should do: finding faster ways to work. Across most organizations today, employees are running three to five AI tools on any given day. Most were never reviewed by IT. A significant portion connect to corporate data through OAuth tokens or browser sessions, giving them access to shared drives, emails, and internal documents the employee never specifically intended to expose. Security teams often have no visibility into any of it.

This is the shadow AI gap, and it is widening fast. Most security tools were built to monitor email and network traffic flowing through the corporate network. A browser-based AI tool that connects to company data through a quick login approval bypasses those controls entirely, because it never passes through the corporate network at all.

According to Adaptive Security research, 80% of employees currently use unapproved generative AI applications at work, and only 12% of companies have a formal AI governance policy in place. The result is a growing disconnect between how employees work and what security teams can see.

A program that channels AI adoption into a safe, visible, approved path gives security teams the visibility they need and employees the tools they want. The five steps below show exactly how to build one.

A security program can only manage what it can see. The first step is discovering which AI tools are in use across the organization, and most security teams will find the answer surprising. Three areas account for the majority of shadow AI activity.

A simple employee survey is also worth running. A survey framed around helping employees work more safely tends to get candid responses. Many shadow tools surface through surveys that automated discovery misses entirely.

The goal of this step is a current, accurate inventory: every AI tool in use, who is using it, and what data it has access to.

Most AI acceptable use policies stall for the same reason: they give employees a list of prohibited tools with no guidance on what the approved path looks like. A policy designed as a practical guide, one that identifies approved tools and provides a clear process for requesting new ones, is the foundation employees need to make good decisions. An effective AI governance policy covers five things.

That last element matters more than it might seem. Employees who understand why OAuth connections carry data exposure risk apply that reasoning to every tool decision they make. Policy becomes a form of education when the reasoning is included.

Shadow AI grows fastest in organizations where the official approval process cannot keep pace with the rate of AI product releases. An employee who needs a tool today and faces a six-week security review will find a workaround within days. The goal of this step is to remove that friction. Security teams that publish their approved tool list openly and keep it current typically see a meaningful reduction in shadow AI usage. When employees know where to find the right tools, they use them.

Continuous visibility into AI tool usage across an organization serves two groups simultaneously. A browser-native monitoring approach gives security teams visibility into AI activity without rerouting employee web traffic or adding friction to daily work. The signals it captures feed into each employee's broader risk profile, sitting alongside their phishing simulation results and training completion data in one place.

That combined view matters because risky behaviors compound. An employee who clicks phishing links, skips training, and runs unapproved AI tools with access to sensitive data presents a much higher risk than any single behavior would indicate. Seeing the full picture in one place helps security teams focus on the employees who need attention most.

Security programs that make the secure choice the easiest choice are the ones employees follow. In the context of AI governance, two things drive that: just-in-time coaching and training that explains the reasoning behind the rules.

Just-in-time coaching delivers a brief, contextual prompt at the moment an employee attempts to use an unsanctioned tool. This is more effective than quarterly training modules, because the intervention happens at the point of decision. A well-designed prompt tells the employee what the concern is, directs them to an approved alternative, and takes less than thirty seconds to read.

Training that explains the reasoning behind AI governance policies builds the kind of judgment employees can apply across any situation they encounter, including tools and threats that emerge long after the training itself. The AI tool landscape is changing fast enough that no training program can anticipate every specific case. An employee who understands that OAuth connections to corporate Google Workspace can expose the entire shared drive to a third-party vendor will apply that understanding to tools that did not exist six months ago.

AI adoption is a signal of productive teams doing their jobs well. Companies that build practical programs around that momentum, with clear paths to approved tools and real-time visibility for security teams, tend to handle it best. Security teams that close that gap find that shadow AI usage declines organically over time. Browser-native visibility, clear paths to approved tools, and just-in-time coaching at the moment of risk are what make that possible. When employees have access to effective, approved tools and a fast, transparent path to get new ones reviewed, the incentive to work around the system largely disappears.
Adaptive Security's AI Governance product gives security teams real-time visibility into every AI tool and shadow app running across their organization, with automated policies and just-in-time employee coaching built in.
[2]
If everyone is rushing to board the AI ship why are so few workflows secure?
AI adoption outpaces security, governance and risk controls

More than half of the world's enterprises have now deployed generative AI in some form. That figure might sound like a success story, and in many respects it is. The pace at which organizations have moved from experimenting with AI to embedding it in day-to-day operations, from security workflows to business decision-making, has been remarkable by almost any measure.

But a less comfortable truth sits just beneath the surface of this momentum: adoption is moving considerably faster than the governance, security and risk management infrastructure needed to support it. The gap between what AI is being asked to do and what organizations have actually put in place to oversee it is widening, and that is a problem the industry can no longer afford to defer.

Only around one in five respondents has reached what could genuinely be described as AI mature: a state in which cybersecurity applications are fully deployed, security risks are systematically assessed and effectiveness is tracked against meaningful benchmarks. The rest are navigating AI deployment while still constructing the foundations meant to underpin it.

A growing gap between AI momentum and AI controls

Across industries, enthusiasm for AI is undeniable. Enterprises are implementing GenAI tools to boost productivity, streamline operations and enhance decision-making. As these tools spread, the structures meant to govern them are lagging. Fewer than half of the organizations have a risk-based strategy in place to evaluate and manage AI systems. Fewer still have AI-specific data privacy policies.

This lack of foundational governance intersects with several core risks tied to AI behavior and data use. Model bias and related ethical concerns, often embedded deep within training data and architectures, remain difficult to manage at scale and can produce unfair, inaccurate or unreliable outcomes. Prompt and input risks, such as misleading or harmful outputs, are a concern. Meanwhile, user-driven risks, including the unintended spread of misinformation generated with AI assistance, affect more than half of organizations that have deployed these tools.

These governance gaps do not exist in isolation. As enterprises scale AI across more workflows and touchpoints, the risks compound. Without clear policies around how systems learn, what data they access and how outputs are validated, organizations expose themselves to operational, ethical, and regulatory vulnerabilities that will only become harder to manage over time.

The security implications are coming into sharper focus

AI promises and, in many cases, already delivers meaningful advances for security teams. Faster detection of anomalies, enhanced analysis, and reduced manual workloads all rank highly among its benefits. Yet paradoxically, many organizations report that AI is also making it harder to maintain strong privacy and security practices.

This challenge stems partly from the scale and autonomy of modern AI systems. As models interact with larger volumes of data and operate with fewer human checkpoints, they introduce new vectors for privacy loss, data exposure, and unauthorized access. Additionally, reliability concerns persist. Errors in AI decision rules and issues stemming from poor or incomplete data are cited frequently as barriers to AI effectiveness.

These reliability gaps also impact trust. Just over half of practitioners believe human oversight remains essential, not as a matter of preference but because AI systems cannot yet be relied upon to operate independently with sufficient consistency or safety.

None of this signals that AI is failing. Enterprise investment in generative and agentic AI shows little sign of slowing.
But the technology is not the bottleneck: the institutional infrastructure required to govern it is still catching up, and closing that gap is what responsible AI adoption now depends on.

What enterprises need to build trustworthy, scalable AI

Despite these challenges, the path to responsible and secure AI adoption is becoming clearer, even if the journey remains uneven. Four pillars stand out as critical to aligning AI innovation with enterprise risk and compliance needs:

These are not novel concepts in enterprise technology management. They are adaptations of established principles to a new and rapidly evolving context. The challenge is that the pace of AI adoption has, in many organizations, outrun the pace at which those adaptations have been made.

The true value of AI emerges when security, governance, and information management are integrated from the start. Enterprises still see enormous promise in generative and agentic AI. But their ability to unlock that value depends on balancing innovation with responsibility. For organizations pushing forward, the path to AI maturity will require investment not only in advanced tools, but also in clear policies, reliable data practices, and robust oversight mechanisms. Companies that succeed will be those that build trust as intentionally as they build capability, ensuring AI operates transparently, securely and with a governance framework designed for long-term success.

This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here: https://www.techradar.com/pro/perspectives-how-to-submit
While over half of enterprises have deployed generative AI, a troubling disconnect has emerged: 80% of employees use unapproved AI tools at work, yet only 12% of companies have formal AI governance policies. This shadow AI gap creates security risks as browser-based tools bypass corporate networks, accessing sensitive data through OAuth tokens without IT visibility.
A significant disconnect is emerging between AI adoption rates and the security infrastructure needed to support it. According to Adaptive Security research, 80% of employees currently use unapproved generative AI applications at work, while only 12% of companies have a formal AI governance policy in place [1]. Across most organizations today, employees run three to five AI technologies on any given day, with most never reviewed by IT [1].

The problem stems from how modern AI tools operate. When employees install AI writing assistants, coding copilots, or meeting summarization tools, these browser-based applications connect to company data through OAuth tokens or browser sessions, bypassing corporate networks entirely [1]. This gives them access to shared drives, emails, and internal documents that employees never specifically intended to expose, creating security risks that traditional monitoring tools cannot detect.
More than half of the world's enterprises have now deployed generative AI in some form, but adoption is moving considerably faster than the governance, security and risk management frameworks needed to support it [2]. Only around one in five organizations has reached AI maturity, where cybersecurity applications are fully deployed, security risks are systematically assessed, and effectiveness is tracked against meaningful benchmarks [2].

Fewer than half of organizations have a risk-based strategy in place to evaluate and manage AI systems, and even fewer have AI-specific data privacy policies [2]. This gap between AI momentum and AI controls creates compounding vulnerabilities as enterprises scale AI across more workflows and touchpoints.

Balancing employee productivity with organizational security demands a program that channels AI adoption into a safe, visible, approved path. Security teams must first discover which unapproved AI tools are in use across the organization through browser monitoring, SaaS access logs, and employee surveys [1]. The goal is creating a current, accurate inventory of every AI tool in use, who is using it, and what data it has access to.
A practical AI governance policy must identify approved tools and provide a clear approval process for requesting new ones. Shadow AI grows fastest in organizations where the official approval process cannot keep pace with AI product releases [1]. When employees need a tool today but face a six-week security review, they find workarounds within days. Security teams that publish their approved tool list openly and keep it current typically see meaningful reductions in shadow AI usage.
The lack of foundational governance intersects with several core risks tied to AI behavior and data use. Model bias and ethical considerations often embedded within training data remain difficult to manage at scale and can produce unfair or unreliable outcomes [2]. Prompt and input risks, along with user-driven risks including the unintended spread of misinformation, affect more than half of organizations that have deployed these tools.

Just-in-time coaching delivers brief, contextual prompts at the moment an employee attempts to use an unsanctioned tool, proving more effective than quarterly training modules [1]. When employees understand that OAuth connections carry data exposure risk, they apply that reasoning to every tool decision they make.

The path to responsible and trustworthy AI adoption requires four critical pillars: clear policies around how systems learn and what data they access, reliable data practices, validation of outputs, and continuous monitoring [2]. Without these foundations, organizations expose themselves to operational, ethical, and regulatory vulnerabilities that become harder to manage over time.

Just over half of practitioners believe human oversight remains essential because AI systems cannot yet operate independently with sufficient consistency or safety [2]. Browser-native monitoring approaches give security teams visibility into AI activity without rerouting employee web traffic or adding friction to daily work, feeding into each employee's broader risk profile alongside phishing simulation results and training completion data [1].
Summarized by Navi