Advertisement
AI is spreading through workplaces faster than any other technology in recent memory. Every day, employees connect AI technologies to enterprise systems, often without permission or oversight from IT security teams. The result is what experts call shadow AI – a growing web of tools and integrations that access company data unmonitored.
Dr. Tal Shapira, Co founder and CTO at SaaS security and AI governance solution provider Reco, says this invisible sprawl could become one of the biggest threats facing organisations today, especially since the current speed of AI adoption has outpaced enterprise safeguards.
“We went from ‘AI is coming’ to ‘AI is everywhere’ in about 18 months. The problem is that governance frameworks simply haven’t caught up,” Shapira said.
Shapira said most corporate security systems were designed for an older world where everything stayed behind firewalls and network borders. Shadow AI breaks that model because it works from the inside, hidden in the company’s own tools.
Many modern AI tools connect straight into everyday SaaS platforms like Salesforce, Slack, or Google Workspace. While that is not a risk in itself, AI often does this through permissions and plug-ins that stay active after installation. Those ‘quiet’ links can keep giving AI systems access to company data, even after the person who set them up stops using them or leaves the organisation. That’s a big shadow AI problem.
Shapira said: “The deeper issue is that these tools are embedding themselves into the company’s infrastructure, sometimes for months or years without detection.”
The new class of risk is especially difficult to track as many AI systems are probabilistic. Instead of executing clear commands, AI makes predictions based on patterns, so their actions can change from one situation to the next, making them harder to review and control.
The damage from shadow AI is already evident in real-world incidents. Reco recently worked with a Fortune 100 financial firm that believed its systems were secure and compliant. In days of deploying Reco’s monitoring, the company uncovered more than 1,000 unauthorised third-party integrations in its Salesforce and Microsoft 365 environments – over half of them powered by AI.
One integration, a transcription tool connected to Zoom, had been recording every customer call, including pricing discussions and confidential feedback. “They were unknowingly training a third-party model on their most sensitive data,” Shapira noted. “There was no contract, no understanding of how that data was being stored or used.”
In another case, an employee linked ChatGPT directly to Salesforce, allowing the AI to generate hundreds of internal reports in hours. That might sound efficient, but it also exposed customer information and sales forecasts to an external AI system.
Reco’s platform is built to give companies full visibility into what AI tools are connected to their systems and what data those tools can access. It scans SaaS environments for OAuth grants, third-party apps, and browser extensions continuously. Once identified, Reco shows which users installed them, what permissions they hold, and whether the behaviour looks suspicious.
If a connection appears risky, the system can alert administrators or revoke access automatically. “Speed matters because AI tools can extract massive amounts of data in hours, not days,” Shapira said.
Unlike traditional security products that rely on network boundaries, Reco focuses on the identity and access layer. That makes it well suited for today’s cloud-first, SaaS-heavy organisations where most data lives outside the traditional firewall.
Industry analysts say Reco’s work reflects a larger trend in enterprise security: A shift from blocking AI to governing it. According to a recent Cisco report on AI readiness, in 2025 62% of organisations admitted they have little visibility into how employees are using AI tools at work, and nearly half have already experienced at least one AI-related data incident.
As AI features become embedded in mainstream software – from Salesforce’s Einstein to Microsoft Copilot — the challenge grows. “You may think you’re using a trusted platform,” Shapira said, “but you might not realise that platform now includes AI features accessing your data automatically.”
Reco’s system helps close the gap by monitoring sanctioned and unsanctioned AI activity, helping companies build a clearer picture of where their data is flowing, and why.
Shapira believes enterprises are entering what he calls the AI infrastructure phase – a period when every business tool will include some form of AI, whether visible or not. That makes continuous monitoring, least-privilege access, and short-lived permissions essential.
“The companies that succeed won’t be the ones blocking AI,” he observed. “They’ll be the ones adopting it safely, with guardrails that protect both innovation and trust.”
Shadow AI, he said, is not a sign of employee recklessness, but of how quickly technology has moved. “People are trying to be productive,” he said. “Our job is to make sure they can do that without putting the organisation at risk.”
For enterprises trying to harness AI without losing control of their data, Reco’s message is simple: You can’t secure what you can’t see.
Image source: Unsplash
Google has rolled out Private AI Compute, a new cloud-based processing system designed to bring the privacy of on-device AI to the cloud. The platform aims to give users faster, more capable AI experiences without compromising data security. It combines Google’s most advanced Gemini models with strict privacy safeguards, reflecting the company’s ongoing effort to make AI both powerful and responsible.
Advertisement
If you’ve ever thought companies talk more than act when it comes to their AI strategy, a new Cisco report backs you up. It turns out that just 13 percent globally are actually prepared for the AI revolution.
For all the progress in artificial intelligence, most video security systems still fail at recognising context in real-world conditions. The majority of cameras can capture real-time footage, but struggle to interpret it. This is a problem turning into a growing concern for smart city designers, manufacturers and schools, each of which may depend on AI to keep people and property safe.
Adopting AI at scale can be difficult. Enterprises around the world are discovering the pace of AI deployment is frustratingly slow as they face implementation, integration, and customisation challenges. Generative AI is undoubtedly powerful, but it can be complex, particularly for businesses starting from scratch.
The AI adoption in China has reached unprecedented levels, with the country’s generative artificial intelligence user base doubling to 515 million in just six months, according to a report released by the China Internet Network Information Centre (CNNIC).
The content available on this website (including text, graphics, images, and information) is intended for general informational purposes only. Materials, details, terms of use, and descriptions presented on these pages may be changed without prior notice.
Popular News
