The shadow AI problem has moved from theoretical risk to boardroom urgency. According to research cited by Adaptive Security, 80% of employees currently use unapproved generative AI applications at work — yet only 12% of companies have formal AI governance policies in place. The result is a widening gap between employee behavior and security team visibility, with browser-based AI tools actively bypassing traditional network monitoring by running through OAuth tokens and user sessions.
Adaptive Security's framework, published via BleepingComputer, offers a five-step approach designed to close that gap without creating the friction that pushes employees toward shadow tools in the first place.
Why Shadow AI Is Different
Traditional shadow IT — unauthorized SaaS apps, personal cloud storage — is a known problem with established detection methods. Shadow AI compounds it. AI tools:
- Process sensitive data including code, contracts, customer information, and internal strategy documents
- Connect via OAuth, bypassing network-layer visibility entirely
- Bundle into approved tools — features like Copilot, Gemini for Workspace, and Notion AI are often enabled by default without a security review
- Train on user data unless opt-out settings are configured, potentially exfiltrating corporate IP to model providers
A single misclassified document shared with an AI assistant can constitute a reportable data breach under GDPR, HIPAA, or CCPA depending on the jurisdiction and data category.
The Five-Step Framework
Step 1: Discover What's Running
Security teams must audit three primary areas before writing a single policy:
- OAuth connections to Google Workspace and Microsoft 365 — most AI tools authenticate this way, leaving a discoverable trail in admin consoles
- Browser extensions — AI writing assistants, grammar checkers, and coding helpers frequently have access to everything in the browser tab
- AI features bundled into approved tools — Teams, Slack, Notion, and dozens of other approved platforms have quietly shipped AI features that may not have received security review
Employee surveys remain a practical complement to technical discovery. Employees who understand they won't be penalized for disclosure are more likely to surface tools that bypass technical detection.
Step 2: Create Workable Policies
Policies that employees can't navigate create the exact friction that drives shadow adoption. Effective AI governance policies include:
| Element | Why It Matters |
|---|---|
| Approved tool list | Employees need a clear "yes" list, not just a "no" list |
| Data classification rules | Which data categories can flow into which tools |
| Training opt-out verification | Confirmation that approved tools don't train on user data |
| Transparent request process | A path for employees to request new tool approvals |
| Plain-language explanations | Security reasoning employees can actually understand |
The last point matters more than it sounds. Policies with explained rationale build the judgment employees apply to tools that don't yet exist.
Step 3: Establish Fast-Track Approval
The approval backlog is often the root cause of shadow adoption. When employees wait weeks for a tool evaluation, they make their own decision. Structured intake forms with defined evaluation criteria — data residency, training opt-out status, SOC 2 certification, access scope — allow security teams to complete assessments in days rather than weeks.
Security teams that publish and maintain a current approved list see measurable reductions in unauthorized tool usage. Visibility into what's available is itself a governance control.
Step 4: Implement Continuous Monitoring
Discovery is a snapshot; governance requires ongoing visibility. Browser-native monitoring provides real-time data without rerouting traffic through a proxy — avoiding the performance degradation and certificate trust issues that have historically made monitoring unpopular with engineering teams.
Risk signals from AI tool usage should integrate with broader security telemetry: phishing simulation results, anomalous login patterns, and DLP alerts create a composite risk picture that surface-level AI monitoring alone cannot provide.
Step 5: Enable Secure Choices
Just-in-time coaching — a nudge at the moment an employee is about to paste sensitive data into an unapproved tool — consistently outperforms periodic training sessions. The intervention is contextually relevant, immediately actionable, and builds the correct habit rather than ticking a compliance checkbox.
Education that explains why a policy exists gives employees the mental model to make correct decisions when they encounter a tool or scenario the policy didn't anticipate. That judgment is the actual goal.
The Core Insight
"When employees have transparent access to approved tools and fast review processes, shadow AI usage naturally declines."
The framework's central argument is that shadow adoption is primarily a supply problem, not a discipline problem. Employees reach for unauthorized tools because approved options are slow, unclear, or absent — not because they're trying to bypass security. Governance that solves the supply problem solves most of the shadow problem.
Immediate Actions
For security teams dealing with shadow AI today:
- Run an OAuth audit in Google Workspace Admin Console and Microsoft Entra — look for third-party AI apps with broad permission scopes
- Query your browser management platform for AI extensions deployed outside policy
- Review default-enabled AI features in every approved SaaS tool and confirm data handling terms
- Draft a one-page AI acceptable use policy — a short, clear document is more effective than a comprehensive one employees don't read
- Create a Slack/Teams channel for tool approval requests — visible, fast, and auditable
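As an added example (not Adaptive Security's or BleepingComputer's code), here is a triage script for the OAuth audit described in Step 1 and in the first immediate action above: it takes the app, user and scope rows an admin-console OAuth token export would give you and ranks them by whether the app is on the approved list and how broad its granted scopes are. The severity rules, the AI-name regex and the sample rows are this example's own assumptions; the scope strings are real Google OAuth and Microsoft Graph permission identifiers.

```python
import re
from dataclasses import dataclass
# Tenant-wide scopes (Google OAuth URLs, Microsoft Graph permission names) and what they expose.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/drive": "all Drive files",
    "Files.ReadWrite.All": "all OneDrive/SharePoint files",
    "Mail.Read": "all mail (read)",
}
# Heuristic AI-tool name match; 'ai' is anchored to a word end so names like 'Mail' don't hit.
AI_NAME = re.compile(r"ai\b|gpt|copilot|assistant|llm|chat", re.IGNORECASE)

@dataclass
class Grant:           # one row of an admin-console OAuth consent/token export
    app: str           # third-party app display name
    user: str          # principal who consented
    scopes: list[str]  # granted scopes

@dataclass
class Finding:
    app: str
    user: str
    severity: str      # high: unapproved + broad; medium: approved + broad; low: unapproved AI
    reach: list[str]   # plain-language description of each broad scope granted

def audit(grants: list[Grant], approved: set[str]) -> list[Finding]:
    """Flag grants that need attention, highest severity first (Python's sort is stable)."""
    findings = []
    for g in grants:
        broad = [BROAD_SCOPES[s] for s in g.scopes if s in BROAD_SCOPES]
        is_approved, looks_ai = g.app in approved, bool(AI_NAME.search(g.app))
        if broad and not is_approved:
            sev = "high"    # unapproved app with org-wide data reach: revoke and investigate
        elif broad:
            sev = "medium"  # approved, but confirm data-handling and training opt-out terms
        elif looks_ai and not is_approved:
            sev = "low"     # sign-in-only scopes: route the user to the fast-track intake
        else:
            continue        # narrow scopes on a non-AI app: nothing to do here
        findings.append(Finding(g.app, g.user, sev, broad))
    return sorted(findings, key=lambda f: {"high": 0, "medium": 1, "low": 2}[f.severity])

# Constructed sample export: app names and users are illustrative, the scope strings are real.
SAMPLE_GRANTS = [
    Grant("SummarizeAI Writer", "alice@example.com",
          ["openid", "email", "https://www.googleapis.com/auth/drive"]),
    Grant("Approved Copilot", "bob@example.com", ["User.Read", "Files.ReadWrite.All"]),
    Grant("ChatHelper", "carol@example.com", ["openid", "email"]),
    Grant("Expense Tracker", "dave@example.com", ["https://www.googleapis.com/auth/drive.file"]),
]
APPROVED = {"Approved Copilot"}
```

Feed it the real export from Google Workspace Admin Console or Microsoft Entra in place of SAMPLE_GRANTS and your current approved list in place of APPROVED; the "high" rows are the ones to act on first.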