DEV Community

Kuldeep Paul

How to Govern Shadow AI Usage Across the Enterprise

Whenever a staff member opens an AI tool that no security control ever sees, that is shadow AI. The fix from Bifrost is to push the AI gateway all the way out to the endpoint so the activity falls under policy.

A breach traceable to shadow AI, meaning AI tools that employees adopt without sanction, has already hit one in five organizations. That figure comes from IBM's 2025 Cost of a Data Breach Report. Why does the problem keep growing? The logic is plain: a control governs only what passes through it, and on employee laptops almost no AI traffic does. Maxim AI wrote Bifrost in Go and ships it as an open-source AI gateway that operates as the control plane for AI traffic. Bifrost Edge then carries that governance out to every device the company runs. In the sections that follow we cover the full picture: a working definition, the reasons standard controls fail to catch it, and a path to placing the AI employees genuinely depend on under policy.

What Shadow AI Is

When employees pull AI tools, models, and services into their work and IT or security never learns of it, never signs off, and never governs it, that is shadow AI. The behavior spans a wide range. At one end someone pastes proprietary source code straight into a chat assistant. At the other, someone bolts an unvetted MCP server onto a coding agent. Each case unfolds with no policy layer in a position to watch or restrict whatever data leaves the device.

This used to surface now and then. Today it is everywhere. Per IBM, a breach that involved shadow AI tacked on about $670,000 to the typical breach bill, and such breaches more often spilled personally identifiable information and intellectual property. The same study put a number on the governance gap: 63% of breached organizations had no policy in place for managing AI or flagging unauthorized use. That statistic measures the daylight between how fast employees pick up AI and how slowly enterprises catch up on governing it.

Why Shadow AI Resists Governance

Here is the core difficulty. The AI surfaces a worker touches sit on the device, not in the data center. Yes, a centralized AI gateway can route, authenticate, and observe traffic, but that holds true only for the applications someone deliberately aimed at it. Terminal coding agents, desktop chat apps, and AI tucked inside the browser are rarely set up that way. Their prompts and responses therefore glide right past everything the security team has stood up.

Three traits make the situation harder still:

  • The MCP blind spot. More and more, AI apps wire themselves to MCP servers, which are external tools that can read files, hit APIs, and act for the user. Hardly any organization can say which MCP servers its people have plugged in, and every such link stretches the attack surface in a meaningful way.
  • Sensitive data exposure. Sensitive information disclosure sits near the top of the OWASP Top 10 for Large Language Model Applications. The moment a prompt leaves an ungoverned app, it can take secrets, PII, and source code along, leaving behind no audit trail and no route to claw the data back.
  • No visibility. What a team cannot see, it cannot govern. The majority of organizations hold no inventory at all of the AI apps running across their fleet or of the data those apps forward to model providers.

Instructing every single employee to rewire their tools toward a gateway is never going to scale, and a policy document by itself enforces nothing in technical terms. For governance to work, it has to arrive at the endpoint on its own.

Approaches to Controlling Unsanctioned AI

A handful of tactics have been tried against unsanctioned AI, and a snag trails each one:

  • Network and firewall blocking: Known AI domains get cut off, but employees discover newer tools quicker than any blocklist refreshes, and a heavy-handed block just relocates the work onto personal devices.
  • Acceptable-use policies and training: Expectations get set, yet nothing is enforced at the technical level. The instant a deadline bites, the usage resumes.
  • A centralized AI gateway: Every request crossing it is governed, which brings routing, budgets, rate limits, and guardrails into play, though only for the traffic configured to flow through it. Whatever AI lives on the endpoint stays outside.
  • Data loss prevention (DLP): Some egress gets inspected, yet DLP seldom makes sense of AI-shaped traffic, MCP tool calls, or prompt text, and it never folds usage into one policy.

Notice what ties these together: at the endpoint, both visibility and enforcement give out. A gateway is indeed the right control plane. What is absent is a means of carrying it to the AI that runs on each and every laptop.

How Bifrost Governs Shadow AI: AI Gateway Plus Bifrost Edge

Two components handle shadow AI for Bifrost, and they operate in tandem. The AI gateway is the control plane and the policy engine. Bifrost Edge takes that same governance out to every machine. Policy gets defined and enforced by the gateway, and Edge guarantees that the AI a person runs on their laptop genuinely travels through it.

Configure governance once at the gateway, and it covers every bit of traffic that crosses Bifrost:

  • Virtual keys hand out per-consumer access, scoped down to projects, teams, or single users.
  • Budgets and rate limits hold spend and request volume in check hierarchically across keys, teams, and customers.
  • Guardrails inspect prompts and responses for secrets, PII, and unsafe content by way of reusable profiles and rules.
  • Audit logs preserve an immutable trail suited to SOC 2, GDPR, HIPAA, and ISO 27001 reporting.
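To make the guardrail bullet concrete, here is a minimal pre-send prompt check. It is an added example, not Bifrost's code, rule set, or API. The rule names, patterns, and block/redact actions are assumptions chosen for illustration, and the sample prompts are constructed.

```python
import re

# Illustrative rules (assumptions): credentials block the request, PII is redacted.
RULES = {
    "aws_access_key_id": (re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), "block"),
    "private_key_block": (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), "block"),
    "email_address": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "redact"),
    "payment_card": (re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), "redact"),
}

def luhn_ok(candidate):
    """Luhn checksum, used to avoid flagging order IDs and other long numbers."""
    digits = [int(c) for c in candidate if c.isdigit()][::-1]
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def inspect_prompt(prompt):
    """Return (decision, outbound_text, findings); outbound_text is None when blocked."""
    decision, outbound, findings = "allow", prompt, []
    for name, (pattern, action) in RULES.items():
        for match in pattern.finditer(prompt):
            value = match.group(0)
            if name == "payment_card" and not luhn_ok(value):
                continue
            # Log the rule and position only, never the matched value itself.
            findings.append({"rule": name, "action": action, "span": match.span()})
            if action == "block":
                decision = "block"
            else:
                outbound = outbound.replace(value, f"[{name.upper()}]")
                if decision == "allow":
                    decision = "redact"
    return decision, (None if decision == "block" else outbound), findings

if __name__ == "__main__":
    samples = [  # constructed prompts
        "Email jane.doe@corp.example about card 4111 1111 1111 1111, order 1234567890123456",
        "debug this: aws_key=AKIAIOSFODNN7EXAMPLE",
    ]
    for text in samples:
        print(inspect_prompt(text))
```

The findings list is what would feed an audit trail: it records which rule fired and where, without copying the sensitive value into the log.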

The Bifrost governance resource page lays out these very same controls, and they are already live for any application aimed at the gateway. The leftover gap is what Bifrost Edge closes. Edge does not wait for each user to redirect their tools toward Bifrost. Instead it sits on every machine and folds all AI traffic into the same governance on its own: desktop chat apps, browser AI, coding agents, and any MCP servers those tools reach for. On the policy side there is nothing fresh to absorb, because Edge simply enforces what was already set at the gateway. At present Bifrost Edge is in alpha.

What does the user experience? After one setup pass, Edge is built to fade from view. The first launch sends the user through a browser sign-in using whatever single sign-on the organization already runs, which ties the machine to that identity and pulls down the policies assigned to them. Nobody copies or pastes an API key. Thereafter an always-on agent living in the menu bar or system tray quietly routes AI traffic, so governance kicks in by default rather than waiting on anyone to opt in.

Bringing Endpoint AI Under Governance with Bifrost Edge

With Bifrost Edge, governing endpoint AI opens with visibility and then advances to enforcement right on the device. An administrator sees what is running across the fleet, settles on what is allowed, and that ruling lands on each machine.

  • **MCP governance:** Edge catalogs the MCP servers set up inside each AI app and keeps a live, fleet-wide picture of which servers are configured, in what location, and on how many devices. An administrator issues per-server allow or deny rulings, and each one is enforced on the device itself. Deny a server and it cannot be used, even from an app that already had it wired in before the policy existed. Discovery reaches the major MCP-capable AI apps in use now, Claude Code, Claude Desktop, Gemini CLI, OpenCode, Codex, and Cursor among them.
  • **App governance:** An administrator picks which AI applications are cleared for the organization. Cleared apps behave as usual and remain fully governed through Bifrost, while anything not cleared is blocked before a single byte leaves the machine. The moment Edge notices a new app, it asks for approval in the admin console, and any policy change spreads to the whole fleet without anyone touching the individual devices.
  • **Endpoint guardrails:** Because Edge sends traffic through Bifrost, whatever guardrail was set at the gateway lands automatically on endpoint AI too. The roster of providers covers native Secrets Detection (Gitleaks-backed), Custom Regex paired with a built-in PII Detection template, AWS Bedrock Guardrails, Azure Content Safety, Google Model Armor, CrowdStrike AIDR, GraySwan Cygnal, and Patronus AI. A guardrail fires before any prompt reaches a model and again before any response comes back, which means sensitive content is caught while it is still on the machine.
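The MCP governance item above comes down to an inventory plus a per-server ruling. The sketch below is an added example, not Bifrost Edge's implementation: it assumes each device's MCP config has already been collected as JSON text using the `mcpServers` layout common to MCP clients, and the device names, policy table, and the `server_identity` scheme are hypothetical.

```python
import json
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: raw MCP config text collected per (device, app).
FLEET = {
    ("lap-01", "Claude Desktop"): '{"mcpServers": {"fs": {"command": "npx", "args": '
        '["-y", "@modelcontextprotocol/server-filesystem", "/home/a"]}}}',
    ("lap-02", "Cursor"): '{"mcpServers": {"files": {"command": "npx", "args": '
        '["-y", "@modelcontextprotocol/server-filesystem", "/home/b"]}, '
        '"notes": {"url": "https://mcp.unvetted.example/sse"}}}',
    ("lap-03", "Cursor"): '{"mcpServers": {"notes": {"url": "https://mcp.unvetted.example/sse"}, '
        '"git": {"command": "uvx", "args": ["mcp-server-git"]}}}',
    ("lap-04", "Claude Desktop"): '{"mcpServers": ',  # truncated file on disk
}
# Hypothetical policy keyed by server identity; anything unlisted needs review.
POLICY = {"npx:@modelcontextprotocol/server-filesystem": "allow",
          "remote:mcp.unvetted.example": "deny"}

def server_identity(entry):
    """Identify a server by what it launches or connects to, not its local alias."""
    if "url" in entry:
        return "remote:" + (urlparse(entry["url"]).hostname or "unknown")
    args = [a for a in entry.get("args", []) if not a.startswith("-")]
    return f'{entry.get("command", "unknown")}:{args[0] if args else ""}'

def build_inventory(fleet):
    """Return ({identity: {"devices", "apps"}}, [(device, app) with unreadable config])."""
    inventory = defaultdict(lambda: {"devices": set(), "apps": set()})
    errors = []
    for (device, app), raw in fleet.items():
        try:
            servers = json.loads(raw).get("mcpServers", {})
        except json.JSONDecodeError:
            errors.append((device, app))  # an unreadable config is a visibility gap
            continue
        for entry in servers.values():
            ident = server_identity(entry)
            inventory[ident]["devices"].add(device)
            inventory[ident]["apps"].add(app)
    return dict(inventory), errors

def rulings(inventory, policy):
    """Map each discovered server to (allow | deny | review, device count)."""
    return {ident: (policy.get(ident, "review"), len(seen["devices"]))
            for ident, seen in inventory.items()}

if __name__ == "__main__":
    inv, bad = build_inventory(FLEET)
    for ident, (verdict, count) in sorted(rulings(inv, POLICY).items()):
        print(f"{verdict:6} {count} device(s)  {ident}")
    print("unreadable configs:", bad)
```

Keying the policy on what a server launches or connects to means two users who gave the same server different local names ("fs" and "files" here) still fall under one ruling.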

So what does Edge actually govern? Desktop apps including Claude Desktop, the ChatGPT app, Cursor, and Codex; coding agents including Claude Code, Codex CLI, and OpenCode; and browser AI such as ChatGPT web and Claude web, with Claude Cowork bound by the identical rules. That roster keeps expanding, and Edge governs traffic headed to every provider Bifrost works with.

The rollout was designed to scale. No one is asked to install a thing. Organizations instead deploy Edge with MDM by way of Jamf, Microsoft Intune, Kandji, Omnissa Workspace ONE, or JumpCloud, handing each machine a managed configuration that aims it at the organization's Bifrost. Only non-sensitive connection settings ride along in that configuration; the identity and the keys show up from the user's own sign-in. Such an approach lines up with the compliance posture Bifrost Enterprise was built around, regulated industries, VPC isolation, and air-gapped environments included.

Building a Shadow AI Governance Program

The strongest shadow AI governance programs put visibility, then policy, then enforcement in order rather than leading with an outright ban. The NIST AI Risk Management Framework and frameworks like it counsel rooting any control in a clear read of how AI is genuinely used before restrictions go on.

Here is a sequence that works in practice:

  1. Inventory usage. Surface which AI apps and MCP servers are out there across the fleet, and handle the results as operational intelligence, not as material for a disciplinary file.
  2. Define policy at the control plane. Set up virtual keys, budgets, rate limits, and guardrail profiles inside the gateway so that every governed request inherits them.
  3. Enforce at the endpoint. Push those policies to each machine so that desktop apps, browser AI, and coding agents route through governance on their own.
  4. Provide sanctioned alternatives. Once employees hold approved tools that actually do the job, unsanctioned use drops off hard, so clear the apps the organization trusts rather than blocking the lot.
  5. Audit continuously. Lean on immutable logs to prove you control where data goes, something regulators increasingly expect.

What is the first step to governing shadow AI?

Lead with a visibility audit. AI usage you cannot see is AI usage you cannot govern, so take stock of the AI apps and MCP servers live across the fleet before any restriction goes on. Endpoint discovery turns that audit into continuous, real data rather than a one-off survey.

How is shadow AI different from shadow IT?

Unauthorized software and accounts are shadow IT. Unauthorized use of AI models and tools that fire prompts and data off to external providers is shadow AI. The exposure runs sharper in the AI case, since the content departs the organization inside the prompt itself and frequently cannot be recovered.

Can you govern AI in the browser and desktop apps?

Yes. Because Bifrost Edge routes AI traffic at the level of the machine, it reaches browser AI, desktop chat apps, and coding agents with zero per-app configuration. Whatever guardrails, budgets, and audit logging you set in the Bifrost governance layer carry straight onto that endpoint traffic.

Govern Shadow AI Across Your Enterprise

To govern shadow AI is not to ban the tools employees lean on. What it takes is one control plane for policy together with a way to carry that policy to every endpoint, so that the AI people genuinely use gets routed, observed, and protected under the same rules as the rest of your infrastructure. That control plane is Bifrost, an AI gateway made for enterprise AI workloads, and Bifrost Edge delivers it to every machine. Want to watch the AI gateway and Bifrost Edge govern shadow AI across your fleet? Book a demo with the Bifrost team.
