Shadow AI is the use of AI tools inside an organization without IT's knowledge or approval. This guide explains what it is, why it creates real security and compliance risk, and how the Bifrost AI gateway together with Bifrost Edge brings that usage under governance on every machine.
Most of the AI tools employees rely on at work run on their own machines and reach a model provider directly, without passing through any corporate network checkpoint. A developer can install a desktop assistant, paste in proprietary source code, and send it to a third-party model before anyone in security knows the tool exists. Industry analysts call this pattern shadow AI: the use of AI tools or applications by employees without the approval or oversight of the IT department. The scale is no longer marginal: a 2026 Gartner survey of cybersecurity leaders found that 69 percent have evidence, or suspect, that employees are using public generative AI at work.
What shadow AI is
Shadow AI is the use of AI tools, models, and services by employees without the knowledge, approval, or governance of an organization's IT or security teams. It is a subset of shadow IT, the broader category of hardware and software that IT has not approved, but it carries risks that older shadow IT controls were never designed to handle. The distinction matters for how an organization should respond.
Where shadow IT generally involves an unapproved application or storage service, shadow AI centers on systems that process, generate, and retain data in ways that are difficult to reverse. Common forms include:
- Public chatbots and assistants used on work data, such as the ChatGPT app or Claude Desktop signed in with a personal account.
- AI features inside browser tabs and SaaS products that an employee turns on without review.
- Coding agents in the terminal and IDE, including Claude Code, Codex, and Cursor, that read source code and call external services.
- MCP servers wired into those tools, which can read files, call APIs, and act on a user's behalf.
Salesforce's 2026 Workforce AI Survey found that 67 percent of employees use AI at work, while only 18 percent of organizations have a formal AI security policy. Adoption at that pace, with no governing layer underneath it, is what turns ordinary productivity into a security exposure.
Why shadow AI is a security risk, not just a policy gap
Shadow AI raises measurable security and compliance risk because sensitive data reaches systems that the organization cannot see, control, or audit. Gartner predicts that by 2030, more than 40 percent of organizations will experience security or compliance incidents tied to the use of unauthorized AI, and the reasons follow directly from how these tools are used.
The exposure goes well beyond a single pasted prompt. Several distinct failure modes make shadow AI harder to contain than earlier forms of unapproved software:
- Data leaves the organization in a form that cannot be recalled. Once proprietary text enters a third-party model, it may be retained or used in ways the organization has no ability to reverse, unlike a file that can be deleted from a server.
- Compliance and audit trails break down. Legal and security teams cannot demonstrate where regulated data went, whether retention rules were followed, or whether residency obligations were met when the traffic never passed through a governed path.
- AI agents inherit standing access. An assistant connected through an MCP server can read email, repositories, and internal systems on a continuing basis, so the question shifts from what a user pasted once to what a connected tool can reach at any time.
- Governance trails adoption. Most organizations still have no reliable way to see which AI tools and connections are in use, which leaves the bulk of this activity outside any policy or review.
These concerns are not hypothetical; they describe what happens when fast, employee-driven adoption runs ahead of any mechanism for seeing or controlling it.
Why existing controls miss shadow AI
Traditional network controls miss most shadow AI because the activity does not behave like the traffic those controls were built to inspect. Network proxies and data loss prevention systems observe what crosses the corporate network, yet a large share of AI usage runs on the endpoint and connects straight to a provider over an encrypted channel that resembles ordinary web traffic.
Three gaps recur across the older approaches:
- Network filtering and data loss prevention operate at the perimeter, so AI requests that originate and resolve on the device fall outside their view.
- Blocklists depend on a known list of destinations, and new AI tools, browser features, and MCP servers appear faster than any list can track.
- Written policies state what employees should do, but a document does not enforce anything at the moment a prompt is sent.
The common thread points toward the fix: the AI runs on the endpoint, where the person and the tool actually meet, so the endpoint is the one place where every request can be seen and governed before data leaves the machine.
How the Bifrost AI gateway with Bifrost Edge governs shadow AI
Governing shadow AI well takes two things that fit together: one place to define policy, and a way to apply that policy to the AI running on every machine. Bifrost, the open-source AI gateway built by Maxim AI, is that one place. The gateway already holds the virtual keys, budgets, and rate limits that tie AI usage to a person or project, the guardrail profiles that inspect prompts and responses, and the audit logs that record every exchange. The limitation, until now, has been reach: those controls governed only the traffic that someone had configured to point at the gateway.
Bifrost Edge closes that gap by running on each machine and routing all supported AI traffic through Bifrost, so the same virtual keys, budgets, guardrails, and audit logs that already protect gateway traffic now apply to the desktop apps, browser AI, and coding agents people use day to day. The gateway stays the single control plane, and Edge becomes its reach to the endpoint, so there is no second policy model to build or maintain.
A request from any supported AI tool follows the same governed path on every machine:
- A user works in a desktop app, a browser AI surface, or a coding agent exactly as before, with no base URL change and no SDK swap.
- Bifrost Edge routes that request through the organization's Bifrost rather than letting it go straight to the provider.
- Bifrost ties the request to the user's virtual key and its budget, runs the configured guardrails, and writes the exchange to the audit log.
- The governed response returns to the original app, with sensitive content already caught or redacted.
Guardrails apply before data leaves the machine
The guardrail profiles configured in Bifrost apply to endpoint traffic with no extra setup on the device. A guardrail runs before a prompt reaches a model and again before a response returns, so secrets and personal data are caught or redacted before they leave the machine. Built-in coverage includes Gitleaks-backed secrets detection for leaked API keys, tokens, and credentials, a PII detection template built on custom regex, and content safety, alongside integrations with AWS Bedrock Guardrails, Azure Content Safety, Google Model Armor, CrowdStrike AIDR, GraySwan Cygnal, and Patronus AI.
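The governed path in the steps above (virtual key, budget, inbound and outbound guardrails, audit record) is easier to reason about as code. The following is an added example, not Bifrost or Bifrost Edge code: the key-store layout, the two secret rules and two PII rules, the audit record format, and the `echo_model` stand-in for a provider are all assumptions made for illustration, and the patterns are deliberately simplified versions of what a Gitleaks-style rule set or a regex PII template would carry.

```python
"""Simulation of the governed request path described in this post.

Added example, not Bifrost or Bifrost Edge code: the key store layout, the
guardrail patterns and the audit record format are all assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed, simplified stand-ins for a Gitleaks-style secrets rule set and
# a regex PII template; a real deployment uses the maintained rule sets.
SECRET_PATTERNS = {
    "aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "us-ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def run_guardrails(text: str) -> tuple[str, list[str]]:
    """Redact every secret or PII match and report which rules fired."""
    findings = []
    for name, pattern in {**SECRET_PATTERNS, **PII_PATTERNS}.items():
        if pattern.search(text):
            findings.append(name)
            text = pattern.sub(f"[REDACTED:{name}]", text)
    return text, findings


@dataclass
class Decision:
    allowed: bool
    reason: str
    response: str = ""  # what the original app receives
    findings: list[str] = field(default_factory=list)


class GovernedPath:
    """One gateway instance: virtual keys with budgets plus an audit log."""

    def __init__(self, virtual_keys: dict[str, dict]):
        # key id -> {"owner": ..., "remaining_cents": ...}  (assumed layout)
        self.keys = virtual_keys
        self.audit_log: list[dict] = []

    def handle(self, key_id: str, app: str, prompt: str, call_model,
               cost_cents: int = 5) -> Decision:
        entry = {"key": key_id, "app": app, "allowed": False, "findings": []}
        key = self.keys.get(key_id)
        if key is None:
            entry["reason"] = "unknown virtual key"
            self.audit_log.append(entry)
            return Decision(False, entry["reason"])
        if key["remaining_cents"] < cost_cents:
            entry["reason"] = "budget exhausted"
            self.audit_log.append(entry)
            return Decision(False, entry["reason"])

        # Inbound guardrail: the provider only ever sees the redacted prompt.
        safe_prompt, prompt_findings = run_guardrails(prompt)
        raw_response = call_model(safe_prompt)
        # Outbound guardrail: the app only ever sees the redacted response.
        safe_response, response_findings = run_guardrails(raw_response)

        key["remaining_cents"] -= cost_cents
        findings = prompt_findings + response_findings
        # The audit record stores the redacted exchange, never the raw secret.
        entry.update(allowed=True, reason="ok", findings=findings,
                     prompt=safe_prompt, response=safe_response,
                     remaining_cents=key["remaining_cents"])
        self.audit_log.append(entry)
        return Decision(True, "ok", safe_response, findings)


def echo_model(prompt: str) -> str:
    """Constructed stand-in for a model provider; it just echoes the prompt."""
    return "Echo: " + prompt


def demo() -> dict:
    """Constructed walk-through: one budgeted user, one exhausted user."""
    gateway = GovernedPath({
        "vk_alice": {"owner": "alice@example.com", "remaining_cents": 500},
        "vk_bob": {"owner": "bob@example.com", "remaining_cents": 0},
    })
    ok = gateway.handle(
        "vk_alice", "claude-desktop",
        "Deploy with key AKIAABCDEFGHIJKLMNOP and notify alice@example.com",
        echo_model)
    blocked = gateway.handle("vk_bob", "cursor", "hello", echo_model)
    return {"ok": ok, "blocked": blocked, "log": gateway.audit_log}


if __name__ == "__main__":
    result = demo()
    print(result["ok"].response)
    for record in result["log"]:
        print(record)
```

Two design points carry over to a real deployment: the budget check runs before any model call, so an exhausted key costs nothing and still produces an audit record, and the audit log stores only the redacted prompt and response, so the governance layer does not itself become a second copy of the leaked secret.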
Visibility into MCP servers across the fleet
Most organizations cannot say which MCP servers their employees have connected to AI tools. Bifrost Edge inventories the MCP servers configured inside each supported app and builds a live picture across the fleet of which servers are in use, on which apps, and on how many devices. Administrators then allow or deny each server individually, and Edge enforces that decision on the device, even for an app that had the server configured before the policy existed. MCP discovery covers the major AI apps that support it, including Claude Code, Claude Desktop, Gemini CLI, OpenCode, Codex, and Cursor.
App policy enforced on every device
App governance lets administrators decide which AI applications are permitted across the organization. Approved apps run normally, with their traffic governed through Bifrost, while disallowed apps are blocked before any data leaves the machine. When Edge encounters an app or MCP server it has not seen, it requests approval from the admin console, and administrators choose whether such items run or are blocked until a decision is made. Policy changes reach the whole organization at once, without anyone revisiting individual machines.
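The fleet-wide MCP inventory described under "Visibility into MCP servers across the fleet", together with the pending-item default from the app policy section, can be shown end to end with a small script. This is an added example and not Bifrost Edge code. The config snippets are constructed and use the `mcpServers` object layout found in the JSON config files of apps such as Claude Desktop and Cursor; assuming every app's file follows that layout, and the device ids, app names, server names, commands and the `POLICY` structure, are all assumptions made for the example.

```python
"""Fleet-wide MCP server inventory with allow/deny enforcement.

Added example, not Bifrost Edge code. Config snippets are constructed in the
"mcpServers" layout used by some AI app config files; the policy format and
all identifiers are assumptions.
"""
from __future__ import annotations

import json
from collections import defaultdict

# Constructed: (device id, app name) -> raw config text as an endpoint agent
# would read it from disk. "mcp-github" etc. are placeholder commands.
FLEET_CONFIGS = {
    ("mac-01", "claude-desktop"): json.dumps({"mcpServers": {
        "github": {"command": "mcp-github"},
        "filesystem": {"command": "mcp-filesystem", "args": ["/srv/shared"]},
    }}),
    ("mac-01", "cursor"): json.dumps({"mcpServers": {
        "github": {"command": "mcp-github"},
    }}),
    ("win-07", "claude-code"): json.dumps({"mcpServers": {
        "filesystem": {"command": "mcp-filesystem", "args": ["/srv/shared"]},
        "internal-crm": {"url": "https://crm.internal.example/mcp"},
    }}),
    ("lin-03", "codex"): json.dumps({}),  # no MCP servers configured
}

# Constructed admin decisions, keyed by server id (name plus target), not by
# name alone: two different servers can both call themselves "github".
POLICY = {
    "allow": {"github -> mcp-github"},
    "deny": {"filesystem -> mcp-filesystem /srv/shared"},
}


def parse_mcp_servers(config_text: str) -> dict[str, str]:
    """Return {server name: target} for one app config file; {} if unreadable."""
    try:
        doc = json.loads(config_text)
    except json.JSONDecodeError:
        return {}
    servers = doc.get("mcpServers", {}) if isinstance(doc, dict) else {}
    out = {}
    for name, spec in servers.items():
        if "url" in spec:  # remote server
            target = spec["url"]
        else:  # local process: command plus its arguments
            target = " ".join([spec.get("command", "")] + list(spec.get("args", [])))
        out[name] = target
    return out


def server_id(name: str, target: str) -> str:
    return f"{name} -> {target}"


def build_inventory(fleet: dict) -> dict[str, dict]:
    """server id -> {"apps": set of apps, "devices": set of device ids}."""
    inv: dict[str, dict] = defaultdict(lambda: {"apps": set(), "devices": set()})
    for (device, app), text in fleet.items():
        for name, target in parse_mcp_servers(text).items():
            sid = server_id(name, target)
            inv[sid]["apps"].add(app)
            inv[sid]["devices"].add(device)
    return dict(inv)


def summarize(fleet: dict) -> dict[str, dict]:
    """The admin view: which apps use each server and on how many devices."""
    return {sid: {"apps": sorted(v["apps"]), "device_count": len(v["devices"])}
            for sid, v in build_inventory(fleet).items()}


def decide(sid: str, policy: dict, pending_default: str = "block") -> tuple[str, str]:
    """(state, enforcement): state is allowed/denied/pending; enforcement allow/block."""
    if sid in policy["deny"]:
        return "denied", "block"
    if sid in policy["allow"]:
        return "allowed", "allow"
    return "pending", pending_default  # unseen server: admin's chosen default


def enforce_on_device(fleet: dict, policy: dict, device: str, app: str,
                      pending_default: str = "block") -> dict[str, str]:
    """Per server name in one app's existing config: what the agent enforces."""
    servers = parse_mcp_servers(fleet.get((device, app), "{}"))
    return {name: decide(server_id(name, target), policy, pending_default)[1]
            for name, target in servers.items()}


if __name__ == "__main__":
    for sid, info in summarize(FLEET_CONFIGS).items():
        print(sid, info)
    print(enforce_on_device(FLEET_CONFIGS, POLICY, "win-07", "claude-code"))
```

Because enforcement reads the app's config as it already exists on the device, a server wired in before the policy was written is still caught, and switching `pending_default` is the one knob that decides whether an unreviewed server runs or waits for approval.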
Rollout through your existing device management
Bifrost Edge deploys through the device management platforms an organization already runs, including Jamf, Microsoft Intune, Kandji, Omnissa Workspace ONE, and JumpCloud, across macOS, Windows, and Linux. The managed configuration carries only the connection settings that point each machine at the organization's Bifrost, and identity and keys come from the user's single sign-on, so no secrets sit on the device. After the first sign-in, governance stays in sync with the gateway, and central changes to app policy, MCP allow and deny lists, and routing reach the fleet on their own.
Common questions about shadow AI
Is shadow AI the same as shadow IT?
Shadow AI is a subset of shadow IT, but the risk profile differs. Shadow IT covers any hardware or software that IT has not approved, whereas shadow AI specifically involves tools that process and retain data in a model, which makes the exposure harder to reverse and more likely to spread across teams.
Can shadow AI be detected?
Shadow AI can be detected when AI requests are observed at the point where they originate. Because much of the usage runs on the endpoint, a layer that operates on the device, such as Bifrost Edge, can inventory the apps and MCP servers in use and route their traffic through a gateway where it becomes visible and auditable.
How do you govern AI coding agents?
Coding agents such as Claude Code, Codex, and Cursor run locally and often connect directly to model providers and MCP servers. Routing their traffic through Bifrost applies the same guardrails, budgets, and audit logging used for the rest of an organization's AI, while app and MCP policies determine which agents and tools are allowed on each machine.
Where this leaves enterprise teams
Shadow AI persists because the activity happens on the endpoint and moves faster than perimeter controls can follow, so better intentions and longer policy documents do not resolve it on their own. The organizations that handle it well treat it first as a visibility problem and then as an enforcement problem, governing AI where people actually use it rather than where the network happens to see it.
Pairing the Bifrost AI gateway with Bifrost Edge gives security and platform teams one control plane for that work, with the gateway defining the virtual keys, budgets, guardrails, and audit logs, and Edge, currently in alpha, extending them to every machine in the organization. Teams sizing up shadow AI can review how the combined approach works on the Bifrost Edge overview and register there for alpha access.