The Growing Shadow AI Problem
Employees are using three to five AI tools every day, from writing assistants to coding copilots and meeting summarizers. Most of these tools were never approved or even reviewed by IT or security teams. They often connect to corporate data through OAuth tokens or browser sessions, giving them access to shared drives, emails, and internal documents. Traditional security tools, which monitor traffic on the corporate network, fail to detect these browser-based AI tools because they operate outside that perimeter entirely. A recent Gartner finding shows that 69% of organizations suspect or have confirmed employees using prohibited AI tools, yet only 37% have an AI governance policy in place. This creates a widening gap between how employees work productively and what security teams can actually see.
Building a Safe and Visible AI Program
The solution is not to block all AI tools, which would frustrate employees and hurt productivity. Instead, organizations need a structured program that channels AI adoption into a safe, visible, and approved path. The first step is discovery. Security teams must audit three key areas: OAuth connections, where AI tools request permissions to Google Workspace or Microsoft 365; browser extensions, which run locally and evade network monitoring; and direct API integrations. A quarterly review of connected third-party apps, sorted by permission scope, typically reveals many unapproved tools. Once visibility is achieved, organizations can create a clear approval workflow, establish data handling rules, and provide employees with a curated list of vetted AI tools that balance security with efficiency.
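The quarterly review described above, as an added example (not code from the article or from any vendor): it groups OAuth grants by app, scores each app by the breadth of its permission scopes, flags apps missing from an approval allowlist, and lists unrecognised scopes for manual review. The export record shape, the app names and the scope weights are assumptions constructed for this example; the scope strings themselves are real Google and Microsoft Graph scopes.

```python
# Added example: rank connected third-party apps by OAuth permission scope.
# Record shape is a constructed stand-in for an IdP export, not a vendor format.
import json
from dataclasses import dataclass, field

SAMPLE_EXPORT = json.dumps([  # constructed sample: one row per (app, user) grant
    {"app": "NoteSummarizer AI", "user": "alice@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/gmail.readonly"]},
    {"app": "NoteSummarizer AI", "user": "bob@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"app": "Meeting Recap Bot", "user": "dave@example.com",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly",
                "https://www.googleapis.com/auth/gmail.modify",
                "https://graph.microsoft.com/Mail.Read"]},
    {"app": "Vetted Writing Assistant", "user": "erin@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive.file", "openid"]},
])

# Risk weight per scope (an illustrative assumption; tune to your policy):
# broad read/write over mail and drive scores highest, identity-only scopes zero.
G = "https://www.googleapis.com/auth/"
SCOPE_RISK = {G + "drive": 5, G + "gmail.modify": 5, G + "gmail.readonly": 4,
              G + "drive.readonly": 3, G + "drive.file": 1,
              G + "calendar.readonly": 1, G + "userinfo.email": 0, "openid": 0}
UNKNOWN_SCOPE_RISK = 2  # unrecognised scopes are scored and listed for manual review

@dataclass
class Finding:
    app: str
    approved: bool
    risk: int = 0
    users: set = field(default_factory=set)
    scopes: set = field(default_factory=set)
    unknown_scopes: set = field(default_factory=set)

def triage(export_json: str, approved_apps: set) -> list:
    """Group grants per app; sort unapproved apps first, then by descending risk."""
    findings = {}
    for row in json.loads(export_json):
        f = findings.setdefault(row["app"], Finding(row["app"], row["app"] in approved_apps))
        f.users.add(row["user"])
        f.scopes.update(row["scopes"])
    for f in findings.values():
        f.risk = sum(SCOPE_RISK.get(s, UNKNOWN_SCOPE_RISK) for s in f.scopes)
        f.unknown_scopes = {s for s in f.scopes if s not in SCOPE_RISK}
    return sorted(findings.values(), key=lambda f: (f.approved, -f.risk, f.app))

if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT, {"Vetted Writing Assistant"}):
        print(f"{'approved' if f.approved else 'UNAPPROVED':10} risk={f.risk:2} "
              f"users={len(f.users)} {f.app} unknown={sorted(f.unknown_scopes)}")
```

The unapproved app with the broadest mail and drive access lands at the top of the list, which is the order in which a reviewer would work through the results.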
Source: The Hacker News

