MOVING FROM SHADOW AI TO SECURE ENTERPRISE ARCHITECTURE

When our biggest security gap has a login, and no one knows it...

There is very likely an AI agent running in your environment right now that nobody approved. It’s probably using a human account or a copied token, maybe a service account, a fistful of cloud permissions, and access to data that would make a compliance team member's eye twitch. It was spun up by a well-meaning engineer eight months ago; that engineer has since moved teams, now has a better chair and a view of the car park, and the agent is still quietly doing... something. No one’s entirely sure what. Then there’s the potential OpenClaw security problem that Trevor from accounts was experimenting with, which has access to his Google Cloud files and calendar and is ticking away quietly, waiting to rear its ugly head when our auditor says, “Can you prove least privilege?”

Welcome to the age of shadow AI. It’s an age that's arrived quickly, and it's no longer just a productivity story.

From Rogue Tool to Rogue Identity

Most organizations are still framing shadow AI as an employee behavior problem: someone used ChatGPT with sensitive data, a team built an unapproved workflow, a department licensed a tool without IT sign-off. The fix, in that framing, is policy, training, and a stern all-staff email.

Alas, that framing is woefully out of date.

The deeper, more durable risk is what employees leave behind: tokens, service accounts, API keys, OAuth connections, and autonomous agents that outlive the original use case, the original team, and occasionally the original company strategy. When shadow AI-related breaches occur, IBM's research shows that 65% involve compromised PII (personally identifiable information) and 40% expose intellectual property, with each incident carrying a $670,000 cost premium over a standard breach. “Shadow AI-related breaches” means a breach that involved unsanctioned, unmanaged, or unapproved AI systems, tools, models, agents, plug-ins, or integrations being used within the organization. IBM defines shadow AI broadly as AI being used outside normal governance, approval, visibility, or security controls. One in five organizations in the study reported a breach stemming from a security incident involving shadow AI. 

Shadow AI isn't a shadow. It has credentials. It has entitlements. And increasingly, it acts.

The Agentic Escalation: AI That Does, Not Just Says

The threat model shifted when AI stopped generating text for humans to review and started taking actions on their behalf.

Gartner projects that 40% of enterprise applications will integrate task-specific AI agents by the end of this year, up from less than 5% in 2025. These aren't chatbots. They read emails, query databases, make API calls, trigger downstream workflows, and delegate to other agents, often without a human in the loop. Teleport's 2026 State of AI in Enterprise Infrastructure Security report found that 70% of enterprises already have AI agents in production, yet 70% of those same organizations report their AI systems have *more* access than equivalent human roles.

Most zero-trust implementations stop at the level of human identity. Automated processes retain broad authorization privileges without expiration, attestation, or accountability. The result is a security kill chain built from over-permissioned service accounts, broad permissions, hardcoded credentials, and inactive certificates nobody thought to revoke. No malware. No obvious exploit. Just ungoverned machine identities accumulating a level of trust they were never meant to keep.

Ghost Credentials and the Identity Debt Crisis

CyberArk's 2025 Identity Security Landscape report found that machine identities outnumber human identities by 82 to 1 in the average enterprise. They don't log in. They don't get offboarded. They don't appear in quarterly access reviews. They just... persist.

Tenable's Cloud and AI Security Risk Report 2026 found that 65% of cloud environments possess "ghost" secrets (unused or unrotated credentials) with 17% tied to critical administrative privileges. Meanwhile, 99% of cloud identities are over-privileged, with identity issues driving 44% of all true-positive security alerts. Attackers don't need a zero-day: they log in with stolen credentials and exploit over-permissioned roles without triggering a single alarm.

Attackers chain together small, ordinary permissions. A password reset here, a token read there, a management API call next. None is dangerous alone, but together they are catastrophic. This is our identity debt, accumulated through every AI experiment, every contractor access, every "just-in-case" service account. Shadow AI is accelerating it faster than most teams realize.

The Architecture Response: Zero Trust Must Evolve

NIST SP 800-207 defines Zero Trust Architecture as enforcing "accurate, least privilege per-request access decisions in information systems viewed as compromised." Right philosophy. Wrong scope. Most enterprise ZTA was designed around human identity, and AI agents are breaking the underlying assumptions.

NIST responded in February 2026, formally launching its AI Agent Standards Initiative, the first US government program dedicated to interoperability and security standards for agentic AI, alongside an NCCoE concept paper on AI agent identity and authorization. The framework the industry is converging on is Zero Standing Privilege (ZSP): agents receive ephemeral, task-scoped credentials that expire when the job is done. No persistent access. Full stop/period.

Teleport's 2026 research found a 17% incident rate at organizations enforcing least-privilege controls for AI agents, versus 76% at those without them. The most exploited failure mode: shared API keys, still used by 45.6% of enterprises for agent-to-agent authentication. No accountability, no revocation, no visibility.

Every agent needs its own identity. Every action must be attributable, auditable, and revocable. As BT's Principal Security Architect, Toni-Ann Grant, put it at the Gartner IAM Summit 2026:

"Whether you're a human, a workload, a service account, or a wandering AI agent, everybody has to answer the same questions: Who are you, why are you here, are you really [authorized]?"

That's the operational baseline. Build it before an attacker answers those questions for us.

Controls That Move the Needle

  1. Discover every identity, human and non-human.
    You cannot govern what you cannot see, and shadow AI starts precisely where visibility ends.
  2. Classify by privilege level, not identity type.
    An unrotated service account with admin access to production is not the same risk as a read-only logging credential.
  3. Enforce just-in-time access and eliminate standing permissions.
    Task-scoped, time-limited credentials for agents are now de facto table stakes, not a nice-to-have.
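
The first two controls can be tried on a discovery export with a few lines of code. The following is an added example, not the author's tooling: the inventory rows are constructed, and the 90-day thresholds, the privilege ranking and the "no-owner" check are assumptions. It flags unused or unrotated credentials and orders the review queue by privilege, ignoring whether the identity is a human, a service account or an agent.

```python
from datetime import date

# Assumed policy thresholds and privilege ranking (not from the article).
MAX_IDLE_DAYS = 90
MAX_KEY_AGE_DAYS = 90
PRIVILEGE_RANK = {"admin": 3, "write": 2, "read": 1}

# Constructed inventory rows, shaped like a discovery export might be.
INVENTORY = [
    {"id": "svc-report-bot", "kind": "service_account", "privilege": "admin",
     "owner": None, "last_used": date(2025, 9, 30), "rotated": date(2025, 9, 1)},
    {"id": "log-shipper", "kind": "api_key", "privilege": "read",
     "owner": "platform", "last_used": date(2026, 6, 1), "rotated": date(2025, 1, 10)},
    {"id": "jane.doe", "kind": "human", "privilege": "write",
     "owner": "jane.doe", "last_used": date(2026, 6, 4), "rotated": date(2026, 5, 1)},
    {"id": "calendar-agent", "kind": "oauth_grant", "privilege": "write",
     "owner": None, "last_used": date(2026, 6, 3), "rotated": date(2026, 4, 20)},
]


def findings(identity, today):
    """Return the reasons this identity needs review (empty list if none)."""
    reasons = []
    if (today - identity["last_used"]).days > MAX_IDLE_DAYS:
        reasons.append("unused")
    if (today - identity["rotated"]).days > MAX_KEY_AGE_DAYS:
        reasons.append("unrotated")
    if identity["owner"] is None:
        reasons.append("no-owner")
    return reasons


def triage(inventory, today):
    """Order flagged identities by privilege, then finding count; kind is ignored."""
    flagged = [(i, findings(i, today)) for i in inventory]
    flagged = [(i, r) for i, r in flagged if r]
    flagged.sort(key=lambda p: (-PRIVILEGE_RANK[p[0]["privilege"]], -len(p[1])))
    return [(i["id"], i["privilege"], r) for i, r in flagged]
```

Run against the constructed rows with a review date of June 5, 2026, the ownerless admin service account comes first and the read-only logging key last, even though both are unrotated.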

Only 37% of organizations have AI governance policies in place, per IBM's 2025 research. The remaining 63% are operating on the assumption that what they don't know won't hurt them.

Shadow AI is not a future problem. It is our current inventory, ungoverned, over-privileged, and growing. The frameworks are maturing. The regulatory deadlines are arriving. The organizations that build identity governance foundations now will not be scrambling to retrofit them later.

The question isn’t whether our organization has shadow AI. It does. The question is: what is it doing right now, and does anyone have the authority to stop it?

Nik Hewitt

June 5, 2026
