Kuldeep Paul

What Is Shadow AI? The Ungoverned AI Risk Inside Every Company

When a company's AI tools run with no governance over them, that is shadow AI. Here we cover what it means, the risk it produces, and the way Bifrost governs it from gateway through to endpoint.

Across an organization, whenever AI tools, assistants, and models get used with no formal sign-off, no security review, and no governance, you are looking at shadow AI. People paste source code into chat assistants. They fire up coding agents from the terminal. They hook MCP servers onto their desktop apps. Not one of these passes through a policy layer first. IBM's Cost of a Data Breach Report 2025 reported shadow AI in one of every five breaches, with as much as $670,000 piled onto the average breach cost. To shut that gap, AI traffic has to be governed both on the network and on the device. That is the role of Bifrost, the open-source AI gateway Maxim AI built in Go, together with its endpoint layer Bifrost Edge. What follows defines shadow AI, accounts for why most security teams never spot it, and shows how pairing an AI gateway with endpoint governance brings it to heel.

What Is Shadow AI?

Shadow AI describes the unsanctioned use, inside an organization, of AI applications, assistants, browser extensions, and personal AI accounts, with no approval, visibility, or governance from IT and security. Picture the AI version of shadow IT: employees grab the tools on their own because the tools make work move faster, and the whole thing operates clear of central control and any audit trail.

The name deliberately echoes shadow IT, the unauthorized cloud apps that swept through companies ten years back. What separates them is how AI treats data. A shadow IT tool may drop a file onto an external server and stop there. A shadow AI tool keeps pushing prompts, source code, customer records, and strategy documents to third-party model providers, which process that content and at times hold onto it. Governing this exact kind of traffic is the reason Bifrost, the AI gateway, exists, and its centralized governance stretches from the data center down to the laptop.

Shadow AI vs. Shadow IT: Why the Risk Runs Higher

Every risk that shadow IT brings, shadow AI brings too, and then it adds an exposure type unsanctioned software never managed to create: data heading outward to external models instead of merely landing in unapproved storage. The very second a prompt goes out, that traffic has already left the company perimeter.

What puts shadow AI risks in a category of their own:

  • Prompts reveal intent, not just data. Ask something like "summarize this contract and flag terms unfavorable to us" and you have just handed over negotiating strategy, not simply the words of the document.
  • Data leaves the building. Drop a contract or a codebase into a public AI tool and that content travels off to a third-party provider rather than staying in internal storage.
  • There is no audit trail. The traffic never crosses a controlled system, so no log records what got sent, which model received it, or who was responsible.
  • Outputs drive decisions. People act on what AI tells them. An ungoverned tool that hands back faulty legal, financial, or technical guidance seeds downstream risk, and there is no record of how the call was made.

What Bifrost does about this is funnel AI traffic through one control point where each request can be inspected, logged, and governed, in place of letting every tool fling data wherever it pleases.

The Risks of Ungoverned AI Inside Companies

Security, compliance, and operations all take on risk at once when AI goes ungoverned. According to IBM's 2025 Cost of a Data Breach Report, 97% of the organizations that reported AI-related breaches were missing proper AI access controls, and a full 63% had no AI governance policy whatsoever.

Exposure tends to show up in these forms:

  • Compliance exposure: data sent to AI tools falls under regimes like GDPR and HIPAA, and an ungoverned prompt can spawn violations that nobody ever logged.
  • Data leakage: sensitive code, PII, and intellectual property pushed out to external models that the security team has no way of seeing.
  • Cost sprawl: duplicate subscriptions and personal accounts smear AI spend across the company with no budget control anywhere.
  • No visibility into MCP servers: AI apps keep attaching to MCP servers able to read files and call APIs, and most organizations cannot even enumerate which ones are live.
  • No accountability: absent immutable audit logs, there is no reconstructing an incident once it has happened.

In regulated and large-scale settings, Bifrost Enterprise binds these controls to air-gapped, VPC, and on-prem deployment, which keeps governed AI traffic inside a trusted boundary at all times.

Common Examples of Shadow AI in the Enterprise

You will seldom find shadow AI as one rogue application. It adds up from the AI surfaces employees are already reaching for every single day:

  • AI in the browser: chat assistants along with the AI features built into web apps and extensions.
  • Desktop chat apps such as Claude Desktop and ChatGPT, put on machines directly by employees.
  • MCP servers wired into those tools so they can reach files, databases, and internal APIs.
  • Coding agents like Claude Code, Cursor, and terminal agents that read source code and execute commands.
  • Personal accounts pressed into work use, where company data ends up beneath someone's individual consumer subscription.

This is not a hypothetical danger. Back in 2023, Samsung clamped down on employee use of generative AI tools after engineers uploaded sensitive source code to ChatGPT, per CNBC's reporting. Banning the tools is one way to react, yet employees simply route around bans, and switching AI off altogether throws away the productivity that pulled people toward it to begin with. The aim of the Bifrost platform is to bring these surfaces under control, not to shut them down.

Why an AI Gateway Alone Does Not Eliminate Shadow AI

An AI gateway governs whatever traffic is configured to pass through it. On every request it takes in, Bifrost, the AI gateway, enforces virtual keys, budgets, rate limits, guardrails, and audit logs. For any team running AI in production, that is the correct control plane.

The catch is structural. A gateway can only observe traffic somebody pointed toward it, and shadow AI is, by its very definition, the traffic nobody ever configured to route through the gateway. Install a chat app, sign in with a personal account, and you have never once touched the control plane, so none of the gateway's policies reach you. Endpoint governance is what shuts this gap. The policy engine stays put inside the gateway where it belongs; the thing that shifts is how far it can reach.

How to Govern Shadow AI: AI Gateway Plus Bifrost Edge

Two layers acting in concert are what it takes to govern shadow AI. One is the Bifrost AI gateway, the control plane where policy is set. The other is Bifrost Edge, the layer that delivers that policy out to every machine. Decisions come from the gateway; Edge puts those same decisions into force at the endpoint. Whatever virtual keys, budgets, guardrails, and audit logs you have already set up are exactly what Edge applies on each laptop, which leaves nothing new to learn on the policy side. At present Bifrost Edge is in alpha.

Edge runs on macOS, Windows, and Linux and automatically routes AI traffic from desktop apps, browser AI, coding agents, and the MCP servers those tools attach to through Bifrost. A single browser sign-in via the organization's existing SSO is all it takes; after that the agent runs in the background with no base URLs to alter and no SDKs to swap out. The same centralized governance guarding gateway traffic now rides along with the user to the device.

Visibility into every AI app and MCP server

Control follows visibility, not the other way around. Bifrost Edge takes stock of the AI apps and MCP servers set up on each device and puts together a live, fleet-wide list of which servers are running, in what location, and across how many machines. A security team can, for once, respond to "what MCP servers are running on our fleet?" with hard data in place of guesswork. The reach of MCP discovery includes AI apps such as Claude Code, Claude Desktop, Gemini CLI, OpenCode, Codex, and Cursor.

App and MCP governance enforced on the device

Which AI applications and MCP servers are allowed is the administrators' call, and Edge puts that call into force on each machine. Under app governance, an allowed app runs as normal and stays fully governed through Bifrost, while a disallowed app is blocked before any data slips off the device. Denying an MCP server is no mere advisory; it is enforced on the machine itself, so a denied server stays unusable even within an app that had it configured before the policy ever existed. Because decisions are run centrally and picked up automatically, allowing or blocking a tool propagates across the fleet without anyone laying a finger on the individual devices.
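The fleet-wide MCP inventory and allow/deny decision described in the two sections above can be sketched as follows. This is an added example, not Bifrost or Bifrost Edge code: it assumes configs in the `mcpServers` JSON layout that apps such as Claude Desktop and Cursor use, and the device names, the `example-notes-mcp` package, the URL, the allowlist format and the identity heuristic are all constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample: MCP config text collected per (device, app).
CONFIGS = {
    ("laptop-01", "Claude Desktop"): '{"mcpServers": {"fs": {"command": "npx", '
        '"args": ["-y", "@modelcontextprotocol/server-filesystem", "/Users/a/src"]}}}',
    ("laptop-02", "Cursor"): '{"mcpServers": {"files": {"command": "npx", '
        '"args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/b"]}, '
        '"notes": {"command": "uvx", "args": ["example-notes-mcp"]}}}',
    ("laptop-03", "Cursor"): '{"mcpServers": {"crm": {"url": "https://mcp.example.invalid/crm"}}}',
    ("laptop-04", "Claude Desktop"): '{"mcpServers": {"fs": ',  # truncated file
}
# Constructed allowlist of approved server identities (not Bifrost policy syntax).
ALLOWED = {"stdio:npx @modelcontextprotocol/server-filesystem"}

def server_identity(spec):
    """Identity that ignores per-user details: URL for remote servers, else
    command plus first non-flag argument (a heuristic chosen for this example)."""
    if "url" in spec:
        return "remote:" + spec["url"]
    target = next((a for a in spec.get("args", []) if not a.startswith("-")), "")
    return ("stdio:" + spec.get("command", "") + " " + target).strip()

def build_inventory(configs, allowed):
    """Return (report, unparsed): report maps identity -> devices, apps, allowed."""
    seen = defaultdict(lambda: {"devices": set(), "apps": set()})
    unparsed = []
    for (device, app), raw in configs.items():
        try:
            specs = list(json.loads(raw).get("mcpServers", {}).values())
        except (json.JSONDecodeError, AttributeError):
            unparsed.append((device, app))  # surface it; never skip silently
            continue
        for spec in specs:
            if not isinstance(spec, dict):
                continue  # ignore entries that are not server definitions
            ident = server_identity(spec)
            seen[ident]["devices"].add(device)
            seen[ident]["apps"].add(app)
    report = {i: {"devices": sorted(v["devices"]), "apps": sorted(v["apps"]),
                  "allowed": i in allowed} for i, v in seen.items()}
    return report, unparsed

if __name__ == "__main__":
    report, unparsed = build_inventory(CONFIGS, ALLOWED)
    for ident, info in sorted(report.items()):
        flag = "ok    " if info["allowed"] else "REVIEW"
        print(flag, ident, f"on {len(info['devices'])} device(s) via {info['apps']}")
    print("unparsed configs:", unparsed)
```

Configs that fail to parse are reported separately rather than dropped, since an unreadable config is itself a visibility gap.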

Your guardrails, everywhere

Edge routes endpoint traffic through Bifrost, which means every guardrail you have already configured applies, automatically, to the AI people are using on their machines. The guardrail fires before a prompt arrives at a model and again before a response heads back, so sensitive content like API keys, credentials, and PII gets caught while it is still on the laptop. The endpoint security layer puts the same reusable profiles and rules that shield gateway traffic to work, and the device needs no extra setup for it.

Fleet rollout via MDM

Manual installs are not the model here; Edge was made for fleet-wide deployment. Deployment via MDM works with Jamf, Microsoft Intune, Kandji, Omnissa Workspace ONE, and JumpCloud, pushing Edge onto every machine through a managed configuration that points it at the organization's Bifrost. The device holds no secrets; identity and keys come from the user's SSO sign-in. From there each request takes on the organization's audit logging, budgets, and guardrails, which carries SOC 2, GDPR, HIPAA, and ISO 27001 obligations onto the endpoint rather than confining them to the data center.

Frequently Asked Questions About Shadow AI

How is shadow AI different from approved AI use?

Approved AI use runs through tools the organization has vetted and can keep an eye on. Shadow AI operates beyond that perimeter, free of visibility, logging, or any policy enforcement, and that is precisely why the identical prompt grows far riskier the moment it exits through an ungoverned tool.

Can you stop shadow AI by blocking AI tools?

Block the tools and usage usually slides onto personal accounts and devices, where seeing it gets harder still. Governing the traffic instead of banning the tools holds onto the productivity employees are after while handing control back, and that is what Bifrost and Bifrost Edge were built to deliver.

What data is most at risk from shadow AI?

The data exposed most often is source code, customer PII, and intellectual property. IBM's 2025 report found shadow AI breaches exposing customer PII in 65% of cases, ahead of the 53% rate across all breaches, which leaves the most sensitive data also the most prone to leaking.

Getting Started with Bifrost

Shadow AI is no tooling problem you can ban into submission; it is a governance problem waiting to be solved. Put an AI gateway and endpoint governance together and the AI people are already using, on every machine, comes under the same controls that guard the rest of your infrastructure. Policy is defined by Bifrost, and it is enforced from gateway to laptop by Bifrost Edge.

Want to see Bifrost govern shadow AI across your fleet? Book a demo with the Bifrost team, or dig through the Bifrost resource library for governance guidance.