On paper, it makes sense. If AI tools present a risk to sensitive data, intellectual property, or compliance obligations, then limiting access should reduce exposure. In reality, the opposite is often happening, employees are not abandoning AI, they are simply finding ways to use it anyway, outside the view of the organisation. And in doing so, they are introducing a new category of risk that is harder to detect, harder to manage, and far more pervasive than traditional insider threats.
At the same time, employees are under constant pressure to do more with less. When a tool demonstrably helps them meet that expectation, the incentive to use it becomes overwhelming.
Many employees had already set up personal accounts on AI platforms long before their organisation formed any policy at all. Telling them to stop is not just a policy challenge, it is a behavioural one. So when organisations say ‘don’t use AI,’ what many employees hear is: ‘do your job the slower and more difficult way.’ That tension creates a predictable outcome, usage doesn’t stop, it simply goes underground.
The rise of ‘shadow AI’ behaviour
When AI tools are restricted, employees adopt workarounds. Employees will access AI tools on their own devices, outside of corporate networks and monitoring systems. They might draft content, analyse information, or solve problems using AI, then transfer the output back into their work environment.
To the organisation, this activity is invisible and there is no audit trail into what data was shared, and no way to intervene if something goes wrong.
Then there is the use of unsanctioned or obscure AI tools. If well-known platforms are blocked, employees simply look for alternatives. These may include lesser-known apps, browser extensions, or AI features embedded within other software. Ironically, by blocking mainstream platforms, organisations often push employees toward higher-risk environments.
A lack of visibility makes it difficult for the organisation to know what data is being shared, which employees are engaging in high-risk behaviour, how frequently is AI being used and to what extent, whether the outputs are verified and more. In the past, a single human error would typically have a contained impact. With AI, a single action can expose far more information, far more quickly.
The agent problem: when shadow AI isn’t human
Until recently, conversations about shadow AI have focused primarily on employees, but the problem has evolved significantly. The next frontier of shadow AI is not a human working around a policy, it’s an AI agent operating autonomously, often without any meaningful human oversight.
Employees are now deploying AI agents on their own systems. Developers are spinning up agents within hours, and organisations are purchasing agentic software from vendors, sometimes without a clear understanding of what level of autonomous access that software has been granted. In some cases, organisations may not even be aware that agentic software is running in the background at all.
This matters because agents do not behave like human users. Agents working on your data is analogous to a recent University Graduate starting in a role, it might be smart, but it’s not trained and lacks experience. Your employees maybe deploying many unsupervised graduates to manipulate, extract and interpret your data.
A person using an unsanctioned AI tool makes a decision, executes an action, and moves on. An agent operates continuously. It can access data, send messages, trigger workflows, and interact with other systems at machine speed, and, critically, it can do all of this at a scale no individual employee could replicate. What was once the risk of a single employee pasting a document into ChatGPT is now the risk of an autonomous agent with broad system access operating around the clock.
The security implications are significant. Agents can be vulnerable to prompt injection attacks - a form of manipulation where malicious instructions are embedded within content the agent processes. An attacker might embed hidden instructions in an email, a document, or a web page, designed specifically to be read by an AI agent rather than a human. If the agent is not constrained appropriately, it may follow those instructions without question. Organisations are already encountering these attacks in the wild.
The question is no longer only about managing the behaviours of employees, it is about managing the behaviours of non-human identities. These shadow AI agents operate under an employee’s credentials, carry out tasks on behalf of an organisation, and can make mistakes just as a human might, but at a speed and scale that makes those mistakes far harder to catch. They were not trained on company policy there is no mechanism to stop them if something goes wrong. Years of putting in place a Zero Trust security model is now broken.
The human and the non-human factor
At its core, this is not a technology problem. It is a human behaviour problem. Before employees were copy and pasting into ChatGPT to do their jobs better, now they have even more powerful tools on hand, so why not use them to get ahead? Employees are not trying to undermine their organisations, they are trying to do their jobs better, faster, and more efficiently. In many cases, they are also navigating unclear or overly restrictive policies. The business benefits can be high if used correctly.
This creates a gap between policy and practice. When policies are perceived as unrealistic or out of step with day-to-day work, employees adapt. This is why traditional approaches such as blocking tools, issuing blanket bans, or relying solely on policy enforcement, are proving insufficient. They address the symptom, not the cause.
The behaviours associated with shadow AI represent a new evolution of insider risk. Unlike malicious insiders, these employees are not acting with intent to harm. Unlike negligent insiders, they may believe they are taking reasonable precautions, but the outcome can be just as damaging.
What makes this category of risk particularly challenging is its normalisation. AI usage is becoming an expected part of modern work. As adoption increases, so too does the likelihood that these behaviours become embedded in everyday processes.
Visibility and human behaviour
The instinct to restrict AI usage is understandable, but banning AI does not eliminate risks. It redistributes them into less visible, less controllable forms and it does nothing to address the agentic layer, where the most significant emerging risks now sit. Restriction is not a strategy. Visibility is.
A more effective approach recognises a fundamental truth: AI is here to stay.
Organisations need to shift their mindset from restriction to visibility, by investing in capabilities that focus on behaviour, not just the tools employees use, but the activities of every identity operating in their environment, human or otherwise. Discovery is the essential first step - understanding what AI tools are being used, by whom, and under what conditions. Research suggests that nearly all organisations that look for unsanctioned AI in their environment find it.
The rise of shadow AI is not a sign that employees are reckless. It is a sign that security has not kept pace with the way people actually work. When the tools people need to do their jobs effectively are unavailable or blocked without viable alternatives, shadow AI is the inevitable result. That is not a people problem. It is a governance problem. Training is essential to ensure employees are using the correct AI, in the correct way.
The role of security to create the conditions under which people and technology can operate productively, without exposing the organisation to unacceptable risk. That means providing sanctioned tools that genuinely meet the needs of the workforce, building governance that moves at the speed of adoption, and maintaining the visibility to know what is happening across the environment at any given moment. You cannot govern what you cannot see and, in most organisations, a significant portion of activity, human and non-human, is happening entirely out of sight.
For cybersecurity to address these challenges head-on, organisations must also leverage AI capabilities. The current approach is: 1) an event occurs; 2) an alert is generated; and 3) a human remediates the problem.
For cybersecurity to address AI, this approach must evolve into: 1) an event occurs; 2) AI remediates the problem; and then 3) a human receives an alert about the action to validate. This represents a significant change in ways of working and the operating model.
The organisations that will navigate this era well are not the ones that blocked the most tools. They are the ones that evolved their operating model, built the clearest view of their environment, gave their people and their agents the right guardrails to operate within, and understood that in security, visibility is not a luxury, it is the starting point for everything else.