If the 2024 RSA Conference is any indication of cybersecurity priorities, shadow AI is a key focus—over 100 sessions addressed AI topics. And with good reason.
Two or three years ago, AI tools weren’t readily accessible for everyday use. Today, they are mainstream in our workplaces, yet AI tools are not being secured, and in many organizations, the C-Suite prioritizes innovation over security.
While AI tools provide a multitude of efficiencies, unmanaged AI introduces new risks, jeopardizing the tools themselves and the organization’s security. Unlike SaaS applications, which have a single point of failure (the developers), AI introduces multiple risks. AI can make autonomous decisions, process, analyze, and expose proprietary information and data, potentially leading to unintended and harmful consequences.
Both shadow IT and shadow AI are on the rise, but what makes AI riskier is that many employees aren’t even aware that AI features have been added to their SaaS tools, so the user can also become a threat. Any and all data fed into AI tools is potentially at risk, yet security teams lack visibility of where and how AI software is being used, making it difficult to govern those apps.
Most AI is Shadow AI
Shadow AI occurs when employees or departments use AI applications and models without formal approval or oversight from the organization's AI governance or IT departments. Shadow AI includes AI-powered software, machine learning models, automation scripts, and other AI features—often from SaaS applications.
Employees turn to these easily accessible AI tools to solve complex problems quickly, bypassing the usual approval processes. While the employee’s intent is to boost productivity and drive innovation, shadow AI also introduces significant risks, such as security vulnerabilities and compliance issues. Additionally, many approved SaaS applications are integrating AI-based features like automated data analysis, predictive analytics, and personalized user experiences. These features are often added without user consent or an opt-out option, potentially leading to the misuse of sensitive, regulated data and compliance violations.
AI isn’t limited to AI-specific applications either. AI often works silently behind the scenes, enhancing the functionality and efficiency of various tools without being the main feature. For instance, in Microsoft 365, AI filters out spam, significantly improving the user experience by ensuring that only relevant emails reach our inboxes. This kind of background AI is integral in many applications, from predictive text in messaging apps to personalized recommendations in streaming services. However, the reality is AI is accessing your data, reading your information, and learning your writing style. Many users don’t recognize this type of AI, which makes it even more dangerous. Adding complexity to the problem, The Conference Board reports that 57% of organizations lack an AI policy to guide employees in their AI usage and provide a baseline for security teams to know when an AI tool’s capabilities exceed tolerance levels.
Gartner predicts that by 2026, more than 80% of independent software vendors will have embedded Gen AI capabilities into their SaaS applications. Grip data reveals that 85-90% of SaaS is shadow SaaS, which means that most AI usage is not visible to security teams either. When organizations are unaware of shadow AI, proper security controls can’t be implemented to safeguard data, systems, and networks.
Rogue AI: When AI Goes Wrong
Rogue AI refers to artificial intelligence systems operating outside their intended or controlled parameters, often causing unintended or harmful consequences.
Rogue AI can happen due to a variety of reasons, including:
- Lack of Proper Controls: If the AI system is not properly monitored or controlled, it might start making decisions against its creators' original goals or ethics.
- Misalignment of Goals: The AI's objectives might become misaligned with human values or the specific tasks it was designed to perform, leading to harmful or counterproductive actions.
- Self-Modification: Some AI systems may be able to modify their own code or learning algorithms. If this is not carefully managed, the AI might evolve in unpredictable and potentially dangerous ways.
- Security Breaches: If an AI system is hacked or compromised, it could be manipulated to perform malicious activities.
Rogue AI can occur in AI-specific apps or when running silently in the background, such as the Microsoft 365 example, which makes the notion even more alarming as it’s harder to detect. Preventing rogue AI is complex; however, mitigating its risks starts with visibility into the AI tools used throughout your organization, which, as previously mentioned, has been a challenge for most organizations.
The Problem and Solution for Better SaaS Insight
As shadow IT and shadow AI rapidly expand, the management of SaaS risks lags. Traditionally, these risks have been addressed through third-party risk management (TPRM) assessments, CASBs, and SSPMs. Evaluating vendor security is crucial, yet it's not enough. Some of the gaps include:
Lack of Usage Insights: It’s vital to understand how SaaS tools are used within a company, who is using them, and the context in which they are used. Vendor risk management evaluates the vendor’s security controls and security posture. However, if that SaaS app is used in a manner that compromises sensitive data or if users circumvent security protocols, the vendor’s security controls aren’t relevant when trying to secure that app.
Limitations of CASBs and SSPMs: SSPMs are blind to shadow IT and shadow AI. While CASBs can detect shadow SaaS, they generate a lot of data noise and fail to provide adequate context about the associated risks. As a result, security teams often struggle with operationalizing the data that CASBs generate.
If organizations continue to rely on insufficient tools, shadow IT and shadow AI risks will continue to proliferate. A better approach, SaaS Identity Risk Management (SIRM), uses identity to address challenges like Shadow IT and shadow AI, expanding beyond scanning network data and going deeper to uncover unsanctioned applications.
Consider this: the common denominator when anyone initiates a SaaS trial or logs into an application is their email address. Employing email and identity as central control points is an updated approach based on actual user behaviors, providing visibility into all SaaS usage, known and shadow.
Modern SaaS risk management strategies must focus on securing the workforce while enabling productivity and innovation rather than hindering them. With identity as a consistent element across all SaaS accounts, an identity-centric risk management strategy provides a comprehensive and transparent overview of activities within an organization's SaaS landscape, including shadow IT and shadow AI.
Learn more about how to reduce shadow AI risks.
Shadow AI: What’s at Stake
We are amid an AI revolution. In the past, organizations relied on contractors for tasks like coding, data analysis, or specific operational tasks. Today, we use machines for the same work. However, unlike contractors who undergo background checks when working with company data, organizations don’t apply the same due diligence to AI tools, largely due to their rapid adoption and because most AI tools are unknown to IT departments. While managing shadow IT is a problem that organizations must solve, shadow AI poses even greater risks due to its profound impact on areas such as brand reputation, data integrity, protection of proprietary information, compliance and regulatory repercussions, and overall security. Grip is here to help uncover the shadow IT and shadow AI that exists in your organization—book time with us now.