The core issue: Private identities in shadow AI systems circumvent central identity controls and render established security measures like DLP ineffective.
Employees use private email addresses and personal accounts for generative AI tools such as ChatGPT or Claude — these identities bypass central IAM structures and significantly weaken established security controls.
The widespread integration of generative AI in enterprises has evolved into a classic shadow IT problem: employees circumvent official compliance processes by using private accounts with AI providers such as ChatGPT, Claude, or Midjourney. Rather than waiting for central IT approvals, business departments independently access digital tools using private email addresses or personal profiles. The Microsoft and LinkedIn Work Trend Index documents that over 75 percent of global knowledge workers use generative AI tools in the workplace, predominantly without IT authorization.
The central security risk lies not only in the uncontrolled transfer of corporate data to external servers, but in the fragmentation of digital identities: central Identity and Access Management (IAM) systems lose all visibility into these accesses. When an employee uploads a business document to an AI via a private Google account, that information leaves the protected corporate context. Established protection mechanisms such as Data Loss Prevention (DLP) remain ineffective because the IAM system does not recognize the identity and no control points exist for the data transfer. Gartner predicts that unregulated shadow AI applications will be responsible for a significant share of data breaches in large enterprises by 2026.
Technically, this fragmentation is enabled by OAuth 2.0-based social logins: a single click on "Sign in with Google" or "Sign in with Apple" is enough to create a working profile within seconds. The tokens exchanged in this flow travel over standard HTTPS connections, so conventional firewalls classify the process as regular web traffic. IT departments see connections to AI domains but cannot tell whether the identity behind a connection is a corporate account or a private one. The gatekeeper function of the identity architecture is lost.
To regain control, enterprises are deploying enterprise interfaces and advanced OAuth flows: by integrating these private identities into central IAM systems, IT departments can make access to AI platforms visible and subject it to governance. This creates a mapping between shadow identities and official corporate accounts, so that access control and monitoring become possible again. The approach accepts that employees will use AI tools but aims to reintegrate this usage into the security architecture rather than blocking it.
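The two points above (a firewall sees only an HTTPS connection to an AI domain, and governance returns once a shadow identity is mapped to a corporate account) can be made concrete with a small triage script. The following is an added example written for this summary, not code from the it-daily.net article or from any vendor. It assumes a log source that does expose the account presented to the AI platform, such as an identity-aware proxy, CASB or the AI platform's own enterprise sign-in export; a plain firewall, as the article notes, does not have this field. The corporate domain, IdP hostname, sanctioned-platform list, identity mapping and the log records are all constructed for the example.

```python
"""Triage sign-ins to AI platforms: governed corporate identity or shadow identity?

Added example, not from the article. All environment values below are hypothetical.
"""
import json
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- Hypothetical environment (constructed for this example) ---
CORPORATE_DOMAINS = {"example-corp.com"}           # the organisation's mail domain(s)
CORPORATE_IDP = "idp.example-corp.com"             # issuer of the central IAM / SSO
AI_PLATFORMS = {"chat.openai.com", "claude.ai", "midjourney.com"}
SANCTIONED_AI_PLATFORMS = {"claude.ai"}            # platforms already onboarded into IAM
# Private identities already reconciled to corporate accounts: the "mapping"
# between shadow identities and official accounts. Keyed by lower-cased identity.
IDENTITY_MAP: Dict[str, str] = {
    "jdoe.personal@gmail.com": "j.doe@example-corp.com",
}


@dataclass(frozen=True)
class SignIn:
    ts: str
    identity: str   # account presented to the AI platform
    issuer: str     # who issued the credential: the corporate IdP or a social-login provider
    app: str        # destination host


@dataclass(frozen=True)
class Finding:
    ts: str
    identity: str
    app: str
    verdict: str
    corporate_account: Optional[str]   # None when the access cannot be attributed


def parse_log(text: str) -> List[SignIn]:
    """Parse JSON-lines sign-in records; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append(SignIn(rec["ts"], rec["identity"], rec["issuer"], rec["app"]))
    return events


def classify(event: SignIn) -> Optional[Finding]:
    """Decide whether an AI-platform sign-in is visible to central IAM."""
    if event.app not in AI_PLATFORMS:
        return None                                   # not an AI platform: out of scope here
    identity = event.identity.lower()
    domain = identity.rsplit("@", 1)[-1]
    if domain in CORPORATE_DOMAINS and event.issuer == CORPORATE_IDP:
        # Corporate identity issued by the corporate IdP: IAM sees it. Platforms
        # not yet onboarded are still flagged, since DLP control points may be missing.
        verdict = "governed" if event.app in SANCTIONED_AI_PLATFORMS else "corporate-identity-unsanctioned-app"
        return Finding(event.ts, identity, event.app, verdict, identity)
    # Anything else is a private (shadow) identity, including a corporate-looking
    # address issued by a social-login provider. If it has been mapped to a
    # corporate account, monitoring can attribute it; otherwise IAM is blind to it.
    mapped = IDENTITY_MAP.get(identity)
    verdict = "shadow-mapped" if mapped else "shadow-unmapped"
    return Finding(event.ts, identity, event.app, verdict, mapped)


def triage(text: str) -> List[Finding]:
    return [f for f in (classify(e) for e in parse_log(text)) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.verdict for f in findings))


# Constructed sample records, in the shape an identity-aware proxy or CASB might emit.
SAMPLE_LOG = """
{"ts": "2026-06-29T08:01:12Z", "identity": "j.doe@example-corp.com", "issuer": "idp.example-corp.com", "app": "claude.ai"}
{"ts": "2026-06-29T08:03:40Z", "identity": "jdoe.personal@gmail.com", "issuer": "accounts.google.com", "app": "chat.openai.com"}
{"ts": "2026-06-29T08:05:02Z", "identity": "a.roe@icloud.com", "issuer": "appleid.apple.com", "app": "midjourney.com"}
{"ts": "2026-06-29T08:07:55Z", "identity": "a.roe@example-corp.com", "issuer": "idp.example-corp.com", "app": "chat.openai.com"}
{"ts": "2026-06-29T08:09:13Z", "identity": "j.doe@example-corp.com", "issuer": "idp.example-corp.com", "app": "mail.example-corp.com"}
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.verdict:38} {f.identity:28} -> {f.app} (corporate account: {f.corporate_account})")
    print(summarize(triage(SAMPLE_LOG)))
```

The verdict depends on the issuer, not just on the address: a corporate-looking address signed in through a social-login provider is still classified as a shadow identity, because the corporate IdP never saw the sign-in. The `shadow-unmapped` findings are the ones the article is concerned with; reconciling them into `IDENTITY_MAP` (or, better, onboarding the platform so the sign-in goes through the corporate IdP) is what brings them back under access control and monitoring.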
Source: www.it-daily.net · Published June 29, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.7.2.