
5 Steps to Managing Shadow AI Tools Without Downsizing

When a worker installs an AI writing assistant, adds an AI code assistant to their IDE, or starts summarizing meetings with a new browser tool, they are doing exactly what a productive worker should be doing: finding faster ways to work.

In most organizations today, employees use three to five AI tools on any given day. Most have never been reviewed by IT. A significant share of them connect to business data through OAuth tokens or browser sessions, giving them access to shared drives, email, and internal documents that the employee never intended to expose. Security teams rarely have visibility into any of them.

This is the shadow AI gap, and it is growing fast. Many security tools are designed to monitor email and network traffic flowing through the corporate network. A browser-based AI tool that connects to company data through a one-click authorization prompt bypasses those controls entirely, because it never touches the corporate network at all. According to Gartner, 69% of organizations suspect or have confirmed that employees are using AI tools that are not allowed at work, and only 37% have an AI governance policy. The result is a growing disconnect between how employees work and what security teams can see.

A program that guides AI adoption in a safe, transparent, and well-governed way gives security teams the visibility they need and employees the tools they want. The five steps below show how to build one.

Step 1: Build a Full Picture of What Is in Use

A security system can only manage what it can see. The first step is to find out what AI tools are being used across the organization, and many security teams will find the answer surprising.

Three areas account for most shadow AI use.

  • OAuth connections. Many AI tools request access to Google Workspace or Microsoft 365 via OAuth, which gives them read or write permissions on business data. A quarterly audit of connected third-party applications, sorted by the scope of permissions granted, often reveals dozens of tools the security team has never reviewed.
  • Browser extensions. Most AI tools run as browser extensions and never touch the operating system, so endpoint management tools miss them entirely. A browser management solution or a lightweight agent installed on employee devices can enumerate which extensions are active across the organization.
  • AI features built into tools that are already approved. Microsoft Copilot, Google Gemini, and Salesforce Einstein are examples of AI capabilities added after the vendor's initial review, often without a separate security check.

A simple employee survey is also worth conducting. Framed as a way to help employees work safely rather than to catch them out, it usually gets honest answers. Many shadow tools surface in surveys that automated detection misses entirely.

The goal of this step is a current, accurate inventory of all the AI tools in use, who uses them, and what data they can access.
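The OAuth audit described above (connected apps ranked by the permissions they hold, who granted them, and whether anyone has reviewed them) can be reduced to a short triage script. The example below is an added illustration, not code from the article or from any vendor: the grant records are constructed sample data in the shape an identity provider's consent report would give, and the scope-to-tier table is an assumption that a real audit would extend with its own tenant's scopes. Unrecognised scopes are deliberately treated as data access until a human has looked at them.

```python
"""Rank third-party OAuth grants by the business data they can reach.

Added example with constructed sample data. SCOPE_TIER is an assumed mapping
from well-known Google and Microsoft Graph scopes to a coarse risk tier.
"""
from collections import defaultdict
from dataclasses import dataclass

# Tier 1: identity only. Tier 2: read access to business data.
# Tier 3: write access to business data.
SCOPE_TIER = {
    "openid": 1, "email": 1, "profile": 1,
    "https://www.googleapis.com/auth/userinfo.email": 1,
    "User.Read": 1,
    "https://www.googleapis.com/auth/drive.readonly": 2,
    "https://www.googleapis.com/auth/gmail.readonly": 2,
    "Files.Read.All": 2, "Mail.Read": 2, "Sites.Read.All": 2,
    "https://www.googleapis.com/auth/drive": 3,
    "https://www.googleapis.com/auth/gmail.modify": 3,
    "Files.ReadWrite.All": 3, "Mail.ReadWrite": 3,
}
UNKNOWN_TIER = 2  # a scope nobody has classified is treated as data access until reviewed
TIER_LABEL = {1: "identity only", 2: "reads business data", 3: "reads and writes business data"}


@dataclass
class AppSummary:
    app: str
    users: list          # sorted list of employees who granted the app access
    max_tier: int        # highest tier among all scopes granted to the app
    data_scopes: list    # scopes at tier 2 or above
    approved: bool       # present on the security team's approved list

    @property
    def access(self) -> str:
        return TIER_LABEL[self.max_tier]


def scope_tier(scope: str) -> int:
    return SCOPE_TIER.get(scope, UNKNOWN_TIER)


def build_inventory(grants, approved_apps):
    """Collapse per-user grant records into one summary per app, riskiest first."""
    users = defaultdict(set)
    scopes = defaultdict(set)
    for g in grants:
        users[g["app"]].add(g["user"])
        scopes[g["app"]].update(g["scopes"])
    summaries = []
    for app in users:
        tiers = {s: scope_tier(s) for s in scopes[app]}
        summaries.append(AppSummary(
            app=app,
            users=sorted(users[app]),
            max_tier=max(tiers.values()),
            data_scopes=sorted(s for s, t in tiers.items() if t >= 2),
            approved=app in approved_apps,
        ))
    # Highest privilege first, then widest adoption, then unreviewed before approved.
    summaries.sort(key=lambda a: (-a.max_tier, -len(a.users), a.approved, a.app))
    return summaries


def review_queue(summaries):
    """Apps that can reach business data and have not been through review."""
    return [a for a in summaries if a.max_tier >= 2 and not a.approved]


# Constructed sample grants; app names and users are fictional.
SAMPLE_GRANTS = [
    {"app": "SummarizeBot", "user": "alice", "scopes": [
        "https://www.googleapis.com/auth/drive.readonly",
        "https://www.googleapis.com/auth/gmail.readonly", "openid"]},
    {"app": "SummarizeBot", "user": "bob", "scopes": [
        "https://www.googleapis.com/auth/drive", "openid"]},
    {"app": "MeetingNotes AI", "user": "carol", "scopes": [
        "Files.ReadWrite.All", "Mail.Read", "User.Read"]},
    {"app": "Grammar Helper", "user": "dave", "scopes": ["openid", "email"]},
    {"app": "Writing Assistant (approved)", "user": "erin", "scopes": [
        "https://www.googleapis.com/auth/drive.readonly"]},
    {"app": "Unknown Scope Tool", "user": "frank", "scopes": [
        "https://www.googleapis.com/auth/calendar"]},  # not in SCOPE_TIER
]
APPROVED = {"Writing Assistant (approved)"}

if __name__ == "__main__":
    for a in build_inventory(SAMPLE_GRANTS, APPROVED):
        flag = "approved" if a.approved else ("NEEDS REVIEW" if a.max_tier >= 2 else "low risk")
        print(f"{a.app:28} {a.access:32} users={len(a.users)} [{flag}]")
```

Run as a script it prints the ranked inventory; in practice the `SAMPLE_GRANTS` list would be replaced by an export from the identity provider's OAuth token or enterprise-application report, and the output of `review_queue` is the list to hand to whoever owns the approval process.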

Step 2: Write a Policy Employees Can Use

Most acceptable use policies for AI fail for the same reason: they give employees a list of prohibited tools without any guidance on what an approved path looks like. A better policy is written as a practical guide that names approved tools and lays out a clear process for requesting new ones, which is the basis employees need to make good decisions.

An effective AI governance policy includes five elements.

  • Current list of approved tools and where to find them.
  • Clear data classification rules that specify which categories of data, including customer records, source code, and financial information, should never be included in any AI tool.
  • Verified training opt-out status for each approved tool. Most AI tools use customer input to train their models by default unless business-tier settings are explicitly configured otherwise. Approval should require a verified opt-out for any tool that handles sensitive data.
  • A defined process for requesting new tools, with a target turnaround time.
  • A plain language explanation of why the guidelines exist.

That last element matters more than it might seem. Employees who understand why OAuth connections carry a risk of data exposure apply that reasoning to every tool decision they make. A policy that includes its reasoning becomes a form of training.

Step 3: Create a Fast Track for New Tool Requests

Shadow AI grows fastest in organizations where the formal approval process cannot keep up with the pace of AI product releases. An employee who needs a tool today and faces a six-week security review will find a workaround within days. The goal of this step is to remove that conflict.

  • Most AI tool requests do not warrant a full procurement review. A structured intake form with defined evaluation criteria is enough for most low-risk tools.
  • A structured intake form and a defined set of evaluation criteria make quick decisions possible. For tools with limited data access, many organizations find a short turnaround achievable once the criteria are written down and applied consistently.
  • The evaluation should cover the scope of data access, the vendor's security practices, training opt-out status, compliance certifications, and whether an approved tool already offers equivalent functionality.

Security teams that publish their list of approved tools openly and keep it up-to-date often see a meaningful reduction in shadow AI use. When employees know where to find the right tools, they use them.

Step 4: Use Monitoring as a Shared Security Layer

Continuous visibility into AI tool usage across the organization helps two teams at once.

  • Security teams get the real-time picture they need to identify and address exposures before they become an incident.
  • Employees get a form of protection they often don’t have for themselves: a signal that a tool they’re using might put their information or the company’s data at risk.

A browser-native monitoring approach gives security teams visibility into AI activity without rerouting employees' web traffic or adding friction to daily work. The signals it captures feed into a comprehensive risk profile for each employee, sitting alongside their phishing simulation results and training completion data in one place.

That integrated view is important because risky behavior is interconnected. An employee who clicks on phishing links, skips training, and uses unauthorized AI tools with access to sensitive data presents a much higher risk than any single behavior can indicate. Seeing the full picture in one place helps security teams focus on the employees who need the most attention.
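The compounding described above (phishing clicks, overdue training, and unapproved AI tools with data access meaning more together than any one of them alone) is easy to get wrong if signals are simply summed. The following is an added example, not the article's or any product's scoring model: the signal fields, weights, and the rule that each additional risky category adds a quarter of the base score are all assumptions, and the employees are constructed sample data.

```python
"""Combine behavioural signals into one per-employee risk profile.

Added example with assumed weights and constructed sample data. The point it
demonstrates is that several risky behaviours together should rank higher
than the same signals spread across different people.
"""
from dataclasses import dataclass


@dataclass
class EmployeeSignals:
    name: str
    phishing_clicks: int            # simulated-phishing clicks in the review window
    training_overdue: bool          # mandatory training not completed by its due date
    unapproved_ai_tools: int        # distinct unapproved AI tools seen in the browser
    ai_tool_has_data_access: bool   # at least one of those tools holds an OAuth grant to business data


def risk_components(s: EmployeeSignals) -> dict:
    """Score each behaviour category independently (assumed weights, capped)."""
    return {
        "phishing": min(s.phishing_clicks, 3) * 10,
        "training": 15 if s.training_overdue else 0,
        "shadow_ai": min(s.unapproved_ai_tools, 3) * 10 + (20 if s.ai_tool_has_data_access else 0),
    }


def risk_score(s: EmployeeSignals) -> int:
    """Sum the categories, then add 25% of the base per extra active category.

    Integer arithmetic keeps the result deterministic and avoids rounding ties.
    """
    components = risk_components(s)
    base = sum(components.values())
    active = sum(1 for v in components.values() if v > 0)
    return base + base * max(active - 1, 0) // 4


def rank_employees(signals):
    """Highest risk first; ties broken by name so the output is stable."""
    scored = [(s.name, risk_score(s), risk_components(s)) for s in signals]
    return sorted(scored, key=lambda row: (-row[1], row[0]))


# Constructed sample: names and behaviour are fictional.
SAMPLE_SIGNALS = [
    EmployeeSignals("alice", phishing_clicks=2, training_overdue=True,
                    unapproved_ai_tools=2, ai_tool_has_data_access=True),
    EmployeeSignals("bob", phishing_clicks=3, training_overdue=False,
                    unapproved_ai_tools=0, ai_tool_has_data_access=False),
    EmployeeSignals("carol", phishing_clicks=0, training_overdue=False,
                    unapproved_ai_tools=1, ai_tool_has_data_access=True),
    EmployeeSignals("dave", phishing_clicks=0, training_overdue=False,
                    unapproved_ai_tools=0, ai_tool_has_data_access=False),
    EmployeeSignals("erin", phishing_clicks=0, training_overdue=True,
                    unapproved_ai_tools=1, ai_tool_has_data_access=False),
]

if __name__ == "__main__":
    for name, score, parts in rank_employees(SAMPLE_SIGNALS):
        drivers = ", ".join(k for k, v in parts.items() if v > 0) or "none"
        print(f"{name:6} score={score:4}  drivers: {drivers}")
```

In the sample, `bob` (three phishing clicks, nothing else) and `carol` (one unapproved tool with data access, nothing else) score the same, while `alice`, who shows all three behaviours, scores well over three times either of them. That gap is what lets a security team spend its limited attention on the handful of employees whose combined behaviour actually concentrates risk.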

Step 5: Make Good Safety Practices Easy

Security programs that make the secure option the easy option are the ones employees follow. In the case of AI governance, two things drive that: timely training, and training that explains the thinking behind the rules.

Timely training delivers a brief, contextual message at the moment an employee attempts to use an unapproved tool. This works better than quarterly training modules, because the intervention happens when the decision is being made. A well-designed notice tells the employee what the concern is, points them to an approved alternative, and takes less than thirty seconds to read.

Training that explains the thinking behind AI governance policies builds the kind of judgment employees can apply to every situation they encounter, including tools and threats that appear long after the training itself. AI tools change fast enough that no training program can anticipate every specific case. An employee who understands that an OAuth connection to Google Workspace can expose every shared drive to a third-party vendor will apply that understanding to tools that did not exist six months ago.

Building a Security Program Around How Teams Work

AI adoption is a sign of productive teams doing their jobs well. Companies that build programs that work with that momentum, with clear paths to approved tools and real-time visibility for security teams, tend to manage it well.

Security teams that close that gap find that shadow AI use declines over time. Browser-native visibility, clear paths to approved tools, and timely training at the moment of risk are what make that possible. When employees have access to effective, approved tools and a quick, transparent way to get new ones reviewed, the incentive to work around the system largely disappears.

Adaptive Security's AI Governance product gives security teams real-time visibility into the AI tools and connected applications running across their organization, with automated policies and timely employee training built in. Learn more at adaptivesecurity.com.
