For years, “Shadow AI” basically meant employees using AI chatbots on the side, quietly, without approval from security teams. But now cybersecurity researchers are saying there’s a bigger thing going on: people are building and then deploying full AI-generated applications without bringing in IT or security at all.
This is getting easier thanks to “vibe coding” platforms. They let non-developers create real, working applications just by describing what they want in normal, plain language. After that, the apps can be wired into business systems like CRMs, ticketing platforms, analytics tools, financial software, and even internal databases. And in a lot of cases, they get published straight to the internet with almost no security review, or sometimes none.
Researchers recently looked at thousands of publicly accessible applications that were made using AI-driven development platforms, and they found that many were exposing sensitive business, operational, or personal data. In some reports, the applications didn’t even have basic authentication in place. So basically, the information was reachable by anyone who managed to find the URL.
One reason these risks get missed is that most traditional security tools were never really built for this exact situation. Endpoint security might see activity in the browser, but not what the application itself is doing or producing inside it. Data loss prevention can watch known pathways, yet it often overlooks data flowing directly between cloud applications. Also, many governance tools have trouble telling custom-made AI applications apart from normal cloud platforms, so the signals get muddled.
Security experts say organizations should start by figuring out which AI-made applications employees have been building, then check what kinds of systems those tools connect to, and finally decide if anything is reachable by the public. From there, setting up a straightforward approval process and keeping ongoing visibility into AI-related development activity is turning into a must-have in many current cybersecurity programs, not just a “nice to have.”
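One way to run that three-step triage over an inventory, as an added example that is not from the original article or any organization it names: each app is classified from a recorded unauthenticated probe and ranked by the most sensitive system it connects to. The app names, record fields, weights and login-path hints are assumptions, and the sample inventory is constructed.

```python
from urllib.parse import urlparse

# Assumed sensitivity weights for the system types the article lists.
SENSITIVITY = {"financial": 3, "internal_db": 3, "crm": 3, "ticketing": 2, "analytics": 1}
# Assumed path fragments that indicate a redirect to a sign-in page.
LOGIN_HINTS = ("login", "signin", "sso", "oauth")
EXPOSURE_WEIGHT = {"public-open": 3, "public-unknown": 2, "public-gated": 1, "not-reachable": 0}

def exposure(app):
    """Classify an app from one unauthenticated GET made from outside the network."""
    status = app["unauth_status"]
    if status is None:                      # timeout or connection refused
        return "not-reachable"
    if status in (401, 403):
        return "public-gated"
    if status in (301, 302, 303, 307, 308):
        path = urlparse(app.get("location", "")).path.lower()
        # A redirect that is not obviously a sign-in page needs a manual look.
        return "public-gated" if any(h in path for h in LOGIN_HINTS) else "public-unknown"
    if 200 <= status < 300:
        # A 200 that only renders a password form is gated; content without one is open.
        return "public-gated" if app.get("login_form") else "public-open"
    return "public-unknown"

def triage(inventory):
    """Order apps for review: exposure weight times the most sensitive connected system."""
    rows = []
    for app in inventory:
        exp = exposure(app)
        sens = max((SENSITIVITY.get(s, 1) for s in app["connects_to"]), default=0)
        rows.append({"name": app["name"], "exposure": exp, "score": EXPOSURE_WEIGHT[exp] * sens})
    return sorted(rows, key=lambda r: (-r["score"], r["name"]))

# Constructed sample inventory: hypothetical app names and probe results.
INVENTORY = [
    {"name": "db-browser", "unauth_status": None, "connects_to": ["internal_db"]},
    {"name": "invoice-helper", "unauth_status": 200, "login_form": False,
     "connects_to": ["financial", "crm"]},
    {"name": "kpi-board", "unauth_status": 200, "login_form": False, "connects_to": ["analytics"]},
    {"name": "lead-tracker", "unauth_status": 302, "location": "/home", "connects_to": ["crm"]},
    {"name": "ticket-dashboard", "unauth_status": 302,
     "location": "https://idp.example.com/sso/login?next=%2F", "connects_to": ["ticketing"]},
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(f'{row["score"]:>2}  {row["exposure"]:<14} {row["name"]}')
```

A "public-gated" result only says the front door asks for credentials; it does not show that the data sources behind the app enforce the same check.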
And as AI-powered development tools keep getting more popular, companies run into a tougher balancing act: pushing innovation and day-to-day productivity while also keeping security and governance tight. It can start as a simple internal utility, then somehow, in short order, become an internet-facing application that holds sensitive business data, especially if the right guardrails were never put in place.
Organizations with a cybersecurity focus, like IntelligenceX, keep stressing visibility, careful AI onboarding, and proactive governance because AI-generated applications are showing up everywhere across modern enterprises.