Millions of AI agents are running without oversight. Is yours one of them?
Shadow IT has been a challenge for security teams for years—and now AI is raising the stakes. As organizations race to adopt new tools, shadow AI is now spreading across teams.
Vanta data shows that 70% of companies have AI tools accessing their environment without going through proper procurement channels, and fewer than 2% of unmanaged vendors ever receive a security review. The result is a growing gap between adoption and control—one that’s harder to manage because these systems can take action, not just store data.
To close that gap, organizations need a clearer way to see, manage, and control how AI is used across the business. In this guide, we’ll cover how to:
- Identify where AI is being used across your organization
- Define the right level of autonomy for each agent
- Put guardrails and access controls in place
- Monitor activity continuously
- Assign clear ownership
AI agents are already everywhere
They sit inside customer support platforms, procurement tools, engineering workflows, and compliance processes. They both assist with and participate in how work gets done.
Eight in 10 organizations are already deploying (or planning to deploy) agentic AI. Looking ahead, Forbes reports a Gartner prediction that 40% of enterprise applications will include task-specific AI agents by the end of 2026.
AI agents are spreading across marketing, sales, HR, finance, and security, but ownership doesn’t always follow. Most organizations don’t have a reliable way to answer basic questions like:
- How many agents are running?
- Where are they deployed?
- What systems can they access?
- What actions can they take?
Without a baseline, governance can be reactive and incomplete by default.
Adoption is coordinated—understanding isn’t
There’s a noticeable mismatch between how quickly organizations adopt AI and how well they understand it. That’s when shadow AI starts to take hold.
Vanta data shows that shadow IT is growing 36% year over year, fueled in part by AI adoption. Organizations uncover an average of about 140 unmanaged tools within 90 days of connecting to Vanta.
Microsoft’s Cyber Pulse Report also found that 29% of employees report using unsanctioned AI tools at work—often to move faster or fill workflow gaps. For example, a team might give an agent broad API access just to get it working, or skip review because a tool seems low risk. Over time, those decisions add up to systems no one fully owns or understands.
AI incidents are outpacing governance
As AI spreads across more systems without clear guardrails, incidents are becoming more common, and harder to catch before they cause damage. The missing piece is dependable governance.
The data reflects that shift:
- AI-related incidents increased 56% year over year, with 233 reported cases in 2024 (Stanford AI Index 2025)
- Around 40% of organizations report an AI-related privacy or security incident (Protecto AI, 2025)
- 97% of organizations that reported an AI-related security incident didn’t have proper AI access controls (IBM Cost of a Data Breach Report 2025)
These cases are a byproduct of fast adoption without consistent oversight. For example, an AI agent might pull sensitive data into logs, trigger the wrong workflow, or expose information through downstream systems. Without clear visibility, it’s hard to trace what happened or where it started.
At the same time, most teams don’t have the capacity to keep up. Nearly two-thirds of organizations say they spend more time proving security than improving it, and teams already spend about 12 weeks a year on compliance work. That leaves little room to manage systems that are constantly changing—especially when they can act on their own.
As incidents become more common, some patterns are starting to emerge in how organizations respond.
What effective AI governance looks like in practice
As AI risk grows, a few patterns are starting to emerge in how organizations approach governance. The shift is toward more consistency in how AI systems are understood and controlled.
In many environments, AI agents are increasingly treated like identities. If a system can access data or take action, it’s given defined permissions, with clearer boundaries around what it can and can’t do.
There’s also more attention on autonomy. Rather than letting capabilities expand organically, teams are starting to define where automation is appropriate and where human review still matters.
Monitoring is shifting, too. Periodic reviews are giving way to more continuous visibility, especially as systems begin to act across multiple tools and datasets.
And as AI spreads across teams, ownership is becoming more explicit. Instead of shared or unclear responsibility, organizations are starting to define who is accountable for how each system behaves.
Across all of this, the direction is consistent: moving from fragmented oversight to systems that can keep pace with how quickly AI is actually used.
Where teams are starting with AI governance
For most organizations, this shift doesn’t begin with a full governance overhaul. It usually starts with visibility.
As AI use expands, teams are working to answer a basic set of questions: what’s running, where it’s connected, and what it’s allowed to do. That baseline is often incomplete at first—especially in environments where tools have been adopted quickly.
From there, structure tends to build gradually. Teams start adding guardrails around higher-risk actions, clarifying access, and introducing more consistent monitoring as systems evolve.
The process isn’t always linear. But over time, organizations that invest in visibility and control tend to move away from reactive fixes toward something more sustainable—where AI governance can keep up with how AI is actually used.
Customers expect security—and proof
There’s another dynamic shaping how organizations approach managing AI: external expectations are on the rise.
- 82% of organizations say security and compliance directly impact customer trust
- 77% report that stakeholders expect verified proof of security and compliance
Those expectations extend to AI. Customers want to understand how AI is being used, what controls are in place, and how risks are managed, and partners are asking similar questions as procurement processes evolve.
When organizations can clearly show how they control and monitor their AI systems, it builds confidence with buyers, makes security reviews smoother, and helps unblock deals that might otherwise stall.
AI governance plays a direct role in revenue, partnerships, and growth.
You can’t manage what you can’t see
You can’t manage what you can’t see, and AI adoption isn’t slowing down. It’s only getting more embedded, more distributed, and more essential to how work gets done.
However, most organizations don’t yet have a clear picture of their own AI footprint. They might not know exactly how many agents are running, where they’re deployed, or what they’re allowed to do.
Without visibility, a quiet risk develops, one that grows alongside adoption. Unmanaged AI might not fail loudly in the beginning. Instead, it accumulates small gaps: unclear permissions, missing oversight, and fragmented ownership. But those gaps can connect.
The most practical place to start is also the most foundational: make AI visible. Once you can see it clearly—where it lives, what it touches, how it behaves—you can begin to shape it.
And if you’re looking for a faster way to get there, platforms like Vanta can help you centralize visibility, track controls, and turn AI governance into audit-ready evidence. Request your demo.