Bottom line: Every day, employees use unapproved AI tools that security teams cannot see. A structured governance program addresses this, starting with discovery: all AI tools in use must be found through audits of OAuth connections, browser extensions, and employee surveys.
Employees use an average of three to five AI tools daily – most of these tools have never been reviewed by IT. This “Shadow AI gap” is growing rapidly and poses major challenges for security teams. A structured governance program can help.
When employees install an AI writing assistant, integrate a code copilot into their IDE, or create meeting summaries with new browser tools, they are doing exactly what productive workers are expected to do: find faster ways of working.
In most organizations, employees use three to five AI tools daily. The majority have never been reviewed by IT. A significant portion connects to corporate data via OAuth tokens or browser sessions, gaining access to shared drives, emails, and internal documents without the employee explicitly granting permission. Security teams often have no visibility at all.
Most security tools were designed to monitor email and network traffic through the corporate network. A browser-based AI tool that connects to corporate data through quick login approvals completely bypasses these controls because it never traverses the corporate network.
According to Adaptive Security research, 80 percent of employees use unapproved generative AI applications at work, while only 12 percent of companies have a formal AI governance policy. This creates a growing gap between how employees work and what security teams can see.
A program that directs AI adoption toward secure, visible, and approved channels gives security teams the necessary transparency and employees the tools they want. The first step is to create a complete overview of all AI tools in use. This includes: OAuth connections to Google Workspace or Microsoft 365, browser extensions that traditional security tools miss, as well as AI features embedded in already-approved tools like Microsoft Copilot or Google Gemini. A simple employee survey rounds out the inventory. The goal is a current and accurate inventory: every AI tool in use, who is using it, and what data it has access to.
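The OAuth part of that inventory can be built by aggregating exported grants per application, as in this added example (not code from the original article). It assumes grant records shaped like Google Workspace Admin SDK Directory API token resources (`userKey`, `clientId`, `displayText`, `scopes`); the sample records, the `APPROVED` set and the `DATA_SCOPES` mapping are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records, shaped like Directory API token resources.
GRANTS = [
    {"userKey": "alice@example.com", "clientId": "111.apps.example", "displayText": "NoteTaker AI",
     "scopes": ["https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "bob@example.com", "clientId": "111.apps.example", "displayText": "NoteTaker AI",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
    {"userKey": "bob@example.com", "clientId": "222.apps.example", "displayText": "WriteHelper",
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "carol@example.com", "clientId": "333.apps.example", "displayText": "Approved Copilot",
     "scopes": ["https://www.googleapis.com/auth/drive.readonly"]},
]

# Assumption: client IDs the organization has already reviewed.
APPROVED = {"333.apps.example"}

# Assumption: a local mapping from scope fragments to data categories.
DATA_SCOPES = {"/auth/drive": "shared drives", "/auth/gmail": "email",
               "mail.google.com": "email", "/auth/calendar": "calendar",
               "/auth/documents": "documents"}

def data_categories(scopes):
    """Return the corporate data categories a list of scopes reaches."""
    return {cat for s in scopes for frag, cat in DATA_SCOPES.items() if frag in s}

def build_inventory(grants, approved):
    """One row per app: who uses it, what data it reaches, review status."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "data": set()})
    for g in grants:
        app = apps[g["clientId"]]
        app["name"] = g.get("displayText", "")
        app["users"].add(g["userKey"])
        app["data"] |= data_categories(g.get("scopes", []))
    rows = [{"clientId": cid, "name": a["name"], "users": sorted(a["users"]),
             "data": sorted(a["data"]), "approved": cid in approved}
            for cid, a in apps.items()]
    # Unreviewed apps with data access first, then by number of users.
    rows.sort(key=lambda r: (r["approved"], not r["data"], -len(r["users"])))
    return rows

if __name__ == "__main__":
    for row in build_inventory(GRANTS, APPROVED):
        print(row)
```

Grants that only request sign-in scopes end up with an empty `data` list, which separates tools used for login from tools that can read corporate content.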