Shadow AI: The Growing Threat Companies Can No Longer Ignore 36% of employees admit to using AI tools not fully approved or managed by IT

In today's race to embrace AI, many organisations are unknowingly playing a dangerous game. As AI tools seep into every corner of the workplace, a new threat has emerged — Shadow AI — and it's proving harder to track and even harder to control.

Shadow AI happens when employees or departments use AI applications, models, or AI-powered features without formal approval from IT or security teams. It's not just another version of shadow IT; it's a quieter, stealthier threat. Unlike traditional unauthorised apps that are easier to spot, AI capabilities are often hidden inside familiar, trusted software. Organisations may think their digital environment is secure, but in reality, sensitive data could already be flowing through invisible AI channels — far beyond their walls.

And the numbers tell a worrying story: 36 per cent of employees admit to using AI tools not fully approved or managed by IT, as mentioned in the CyberArk's 2025 Identity Security Landscape Report.

Every untracked AI interaction becomes a potential point of risk. Imagine an employee unknowingly feeding a confidential API key into an AI prompt, or submitting personal customer data to a generative AI tool. That information could be stored, logged, or even used to train models without the company ever realising it.

Without the right safeguards, it's not just about accidental data exposure. Attackers are getting smarter, using tactics like injection attacks and model poisoning to corrupt AI behavior. And because AI is sprawling across different environments — from on-premises data centers to multi-cloud platforms — securing it all feels like trying to catch smoke with bare hands.

The danger isn't theoretical. Companies are already feeling the impact. A staggering 87 per cent of organisations have suffered at least two successful identity-centric breaches in the past year, ranging from supply chain compromises to credential theft. Yet, there's a troubling disconnect: 75 per cent of security professionals agree that business efficiencies are prioritised over strong cybersecurity in their organisations. In other words, innovation is racing ahead faster than security can keep up.

In India's dynamic business landscape, this problem is even more acute. As Rohan Vaidya, Area Vice President, SAARC & India, CyberArk, puts it: "The rapid adoption of AI in India's dynamic business environment has introduced complex challenges when it comes to managing machine identities and their privileged access. As AI-driven processes gain momentum, security leaders in India must rethink their identity security strategies to address the growing risk of unmanaged identities, both human and machine. Modernising these strategies is essential to protecting critical data, ensuring compliance, and mitigating the growing threat landscape."

Higher investments, stronger controls

Fortunately, many organisations are waking up to these new realities. According to report, improving application-centric security controls like API and secrets management is now the top security priority for 47 per cent of organisations. Meanwhile, 37 per cent are focused on shoring up cloud security strategies, and 35 per cent are investing in strengthening privileged access management (PAM).

It's not just about protecting human identities anymore. As developers integrate more AI, 34 per cent of organisations are enhancing developer-centric identity security controls, and 33 per cent are introducing zero standing privileges for cloud privileged access — an important move to reduce persistent attack surfaces.

Other key areas of focus include improving identity governance and compliance (32 per cent), securing third-party and partner identities (29 per cent), and reducing identity, account, and role sprawl (27 per cent). Notably, 26 per cent are prioritising the security of machine identities, recognising that in an AI-driven world, machines are quickly becoming the new insiders.

Why It matters now

The risks of shadow AI aren't going away — in fact, they're only getting bigger as AI adoption grows. Without clear policies, monitoring systems, and robust security frameworks, companies aren't just gambling with sensitive data; they're setting themselves up for regulatory violations, reputational damage, and serious financial fallout.

The companies that thrive in the AI era will be those that innovate responsibly — combining boldness with caution, and speed with security.