Shadow AI Was the Easy Problem: The Real Risk is Hidden Agents in Approved Software

Two years ago, shadow AI meant employees pasting customer data into ChatGPT. The fix, broadly, was manageable: discover the tools, sanction the good ones, block the bad ones, train the people. Most organizations are somewhere in the middle of executing that playbook where 61% have already encountered shadow AI in their environments and the playbook mostly works.

However, this description no longer describes the issue. Shadow AI has shifted beyond a behavioral problem to an architectural problem. Traditional governance cannot keep up with the modern landscape, including vendor-embedded and employee-wired AI agents operating inside approved systems with inherited credentials, making identity the only real control point.

The Two Shadows You’re Not Watching

The interesting question in 2026 isn’t which AI tool an employee opened. It’s which AI agent your sanctioned vendor quietly shipped inside last quarter’s product update and what permissions it inherited from the human who installed it.

Shadow AI used to be a question of behavior. You could see it, name it, and put a policy against it. The version that’s spreading now is structural. It arrives through software you already approved, acting under credentials you already issued, in workflows you already audited. The shadow isn’t behavioral anymore, it’s architectural. Employees are still in the picture, but they’ve moved from using AI to deploying it: wiring agents into the systems they already have access to, and doing it through interfaces designed to make that simple. The policies written for the first behavior don’t reach the second one.

This is why “ban it” was never the real debate. The CISOs who got out ahead of shadow AI by sanctioning enterprise tools and pushing employees toward governed alternatives won that round and discovered the next one was already underway and that it had two vectors, not one. The first is what sanctioned vendors are shipping into products already in production: embedded models, agentic modes, new integrations that arrived in a release note nobody read. The second is what employees are wiring up themselves: an LLM connected to the CRM through a no-code automation, a Custom GPT given an API key to the data warehouse, an MCP connection from a desktop assistant into a production system. Both produce the same outcome, which includes agents acting under approved credentials, against approved systems, in workflows that never went through any review designed to catch them. Procurement can see the first vector and miss the second one entirely.

It’s worth being honest about how unevenly the first round was actually won. Nine in 10 organizations are planning AI-related IT budget increases, with many planning broader expansion across IT operations in the next 6–24 months. The spend is flowing toward intelligent capabilities. Controls are catching up by inches. That imbalance is the problem, not a side effect of it.

The Perimeter Was Always Human

The mental model that worked for the first wave doesn’t work for this one. Shadow AI as employee behavior assumed a human in the loop making a choice the security team could influence. Shadow AI as vendor architecture removes the choice. The model that drafted the email, the agent that scheduled the meeting, the assistant that summarized the document and routed it onward. None of those required an employee to do anything other than continue using software they were told to use.

The honest answer is that the perimeter most security programs are still defending was a perimeter of human action. Employees opening tools, employees granting access, employees making decisions the security team could observe and shape. That perimeter is dissolving in two directions at once. From above, vendors are shipping agents into approved products faster than any review process can keep up. From below, employees are stepping out of the user role and into the integrator role, by wiring agents into systems through interfaces that were designed to be self-serve and were never instrumented for governance. The replacement perimeter, built around what identities are doing, regardless of whether those identities are people, and regardless of who deployed them, requires a control fabric most organizations don’t have yet.

The Only Place Left to Look

Identity is the right control point, but the framing has to shift. The conventional formulation says “identity is the new perimeter” because users are everywhere and devices are everywhere and SaaS is everywhere. That was true a decade ago, table stakes now. The version that matters in 2026 is different: identity is the only place left where you can see what AI is actually doing, because by the time it’s doing it, the tool boundary has already been crossed. The agent is acting under someone’s credentials. Whose, with what scope, against what data, on whose authorization are the only questions that produce a useful audit trail. Tool-level governance can’t answer these because the tool is no longer the unit of analysis.

Almost 90% of IT leaders already recognize that unification has a direct impact on their ability to implement and scale AI securely. The harder question is what unification actually means at the control layer. It can’t just mean fewer dashboards. It means a single identity fabric where every actor whether human, service account, agent, embedded model is provisioned, scoped, monitored, and retired through the same set of mechanics. Anything short of that gives you the appearance of consolidated governance when actually it’s just fragmented enforcement.

Your Vendor Review Has an Expiration Date

Unfortunately, a vendor review is only valid for so long. This has uncomfortable implications for how security programs are structured. Most AI Governance committees are organized around tool review, with vendors coming in and getting evaluated, sanctioned, or rejected, in order to get added to the registry. That process assumes the tool’s behavior at sanction time is the tool’s behavior in production. For AI-embedded software, that assumption is broken before the ink dries. The vendor will ship a new model, a new agent mode, a new integration, and the governance review that was approved six months ago is now describing a product that no longer exists.

Off the Tool, Onto the Identity

The programs that will hold up are the ones that move governance off the tool and onto the identity. Every action against your data, by any actor, is traceable to an identity with a known owner, a scoped permission set, and a defined lifespan. Whether it’s human or non-human, employee or agent, sanctioned tool or embedded mode, the question is the same: who is this, what are they allowed to do, and how do we know when that should stop being true? Programs that can answer those questions don’t need to win the tool-sanctioning race. Programs that can’t will be playing catch-up against vendors and employees who ship faster than any review process can move.

Shadow AI as a category isn’t going away. Especially with the new age of the agentic workforce, 72% of organizations already have AI agents in production. Instead, it’s becoming a smaller part of a bigger problem. The organizations that are spending the next budget cycle on tool discovery and sanctioning policy are the ones solving the 2024 problem on a 2026 timeline. The ones spending it on identity-layer instrumentation for humans, for agents, for the messy continuum between them, are solving the problem they’re actually going to have.

The first wave of shadow AI taught security teams that they couldn’t outrun employee curiosity. The second wave is going to teach them they can’t outrun vendor velocity or employee ingenuity. Both lessons point to the same conclusion. The unit of governance was never going to be the tool. It was always going to be the identity acting through it.