What is shadow AI and how to govern it

Shadow AI, the use of AI tools without IT approval, poses significant security and compliance risks as employees run AI on their own machines, bypassing corporate controls. A 2026 Gartner survey found 69% of cybersecurity leaders suspect or have evidence of employees using public generative AI at work. The Bifrost AI gateway, an open-source tool by Maxim AI, addresses this by providing policy definition and enforcement on every endpoint.

Shadow AI is the use of AI tools inside an organization without IT's knowledge or approval. This guide explains what it is, why it creates real security and compliance risk, and how the Bifrost AI gateway together with Bifrost Edge brings that usage under governance on every machine. Most of the AI tools employees rely on at work run on their own machines and reach a model provider directly, without passing through any corporate network checkpoint. A developer can install a desktop assistant, paste in proprietary source code, and send it to a third-party model before anyone in security knows the tool exists. Industry analysts call this pattern shadow AI: the use of AI tools or applications by employees without the approval or oversight of the IT department. The scale is no longer marginal, as a 2026 Gartner survey of cybersecurity leaders found that 69 percent have evidence or suspect that employees are using public generative AI at work. Shadow AI is the use of AI tools, models, and services by employees without the knowledge, approval, or governance of an organization's IT or security teams. It is a subset of shadow IT, the broader category of hardware and software that IT has not approved, but it carries risks that older shadow IT controls were never designed to handle. The distinction matters for how an organization should respond. Where shadow IT generally involves an unapproved application or storage service, shadow AI centers on systems that process, generate, and retain data in ways that are difficult to reverse. Common forms include: Salesforce's 2026 Workforce AI Survey found that 67 percent of employees use AI at work, while only 18 percent of organizations have a formal AI security policy. Adoption at that pace, with no governing layer underneath it, is what turns ordinary productivity into a security exposure. Shadow AI raises measurable security and compliance risk because sensitive data reaches systems that the organization cannot see, control, or audit. Gartner predicts that by 2030, more than 40 percent of organizations will experience security or compliance incidents tied to the use of unauthorized AI https://www.infosecurity-magazine.com/news/gartner-40-firms-hit-shadow-ai/ , and the reasons follow directly from how these tools are used. The exposure goes well beyond a single pasted prompt. Several distinct failure modes make shadow AI harder to contain than earlier forms of unapproved software: These concerns are not hypothetical; they describe what happens when fast, employee-driven adoption runs ahead of any mechanism for seeing or controlling it. Traditional network controls miss most shadow AI because the activity does not behave like the traffic those controls were built to inspect. Network proxies and data loss prevention systems observe what crosses the corporate network, yet a large share of AI usage runs on the endpoint and connects straight to a provider over an encrypted channel that resembles ordinary web traffic. Three gaps recur across the older approaches: The common thread points toward the fix: the AI runs on the endpoint, where the person and the tool actually meet, so the endpoint is the one place where every request can be seen and governed before data leaves the machine. Governing shadow AI well takes two things that fit together: one place to define policy, and a way to apply that policy to the AI running on every machine. Bifrost, the open-source AI gateway https://github.com/maximhq/bifrost built by Maxim AI, is that one place. The gateway already holds the virtual keys, budgets, and rate limits https://docs.getbifrost.ai/deployment-guides/config-json/governance that tie AI usage to a person or project, the guardrail profiles https://docs.getbifrost.ai/enterprise/guardrails that inspect prompts and responses, and the audit logs that record every exchange. The limitation, until now, has been reach: those controls governed only the traffic that someone had configured to point at the gateway. Bifrost Edge https://docs.getbifrost.ai/edge/overview closes that gap by running on each machine and routing all supported AI traffic through Bifrost, so the same virtual keys, budgets, guardrails, and audit logs that already protect gateway traffic now apply to the desktop apps, browser AI, and coding agents people use day to day. The gateway stays the single control plane, and Edge becomes its reach to the endpoint, so there is no second policy model to build or maintain. A request from any supported AI tool https://docs.getbifrost.ai/edge/supported-applications follows the same governed path on every machine: The guardrail profiles configured in Bifrost https://docs.getbifrost.ai/edge/security apply to endpoint traffic with no extra setup on the device. A guardrail runs before a prompt reaches a model and again before a response returns, so secrets and personal data are caught or redacted before they leave the machine. Built-in coverage includes Gitleaks-backed secrets detection for leaked API keys, tokens, and credentials, a PII detection template built on custom regex, and content safety, alongside integrations with AWS Bedrock Guardrails, Azure Content Safety, Google Model Armor, CrowdStrike AIDR, GraySwan Cygnal, and Patronus AI. Most organizations cannot say which MCP servers their employees have connected to AI tools. Bifrost Edge inventories the MCP servers https://docs.getbifrost.ai/edge/mcp-governance configured inside each supported app and builds a live picture across the fleet of which servers are in use, on which apps, and on how many devices. Administrators then allow or deny each server individually, and Edge enforces that decision on the device, even for an app that had the server configured before the policy existed. MCP discovery covers the major AI apps that support it, including Claude Code, Claude Desktop, Gemini CLI, OpenCode, Codex, and Cursor. App governance https://docs.getbifrost.ai/edge/app-governance lets administrators decide which AI applications are permitted across the organization. Approved apps run normally, with their traffic governed through Bifrost, while disallowed apps are blocked before any data leaves the machine. When Edge encounters an app or MCP server it has not seen, it requests approval from the admin console, and administrators choose whether pending items are allowed or blocked while a decision is pending. Policy changes reach the whole organization at once, without anyone revisiting individual machines. Bifrost Edge deploys through the device management platforms https://docs.getbifrost.ai/edge/deployment-mdm an organization already runs, including Jamf, Microsoft Intune, Kandji, Omnissa Workspace ONE, and JumpCloud, across macOS, Windows, and Linux. The managed configuration carries only the connection settings that point each machine at the organization's Bifrost, and identity and keys come from the user's single sign-on, so no secrets sit on the device. After the first sign-in, governance stays in sync with the gateway, and central changes to app policy, MCP allow and deny lists, and routing reach the fleet on their own. Shadow AI is a subset of shadow IT, but the risk profile differs. Shadow IT covers any hardware or software that IT has not approved, whereas shadow AI specifically involves tools that process and retain data in a model, which makes the exposure harder to reverse and more likely to spread across teams. Shadow AI can be detected when AI requests are observed at the point where they originate. Because much of the usage runs on the endpoint, a layer that operates on the device, such as Bifrost Edge, can inventory the apps and MCP servers in use and route their traffic through a gateway where it becomes visible and auditable. Coding agents such as Claude Code, Codex, and Cursor run locally and often connect directly to model providers and MCP servers. Routing their traffic through Bifrost applies the same guardrails, budgets, and audit logging used for the rest of an organization's AI, while app and MCP policies determine which agents and tools are allowed on each machine. Shadow AI persists because the activity happens on the endpoint and moves faster than perimeter controls can follow, so better intentions and longer policy documents do not resolve it on their own. The organizations that handle it well treat it first as a visibility problem and then as an enforcement problem, governing AI where people actually use it rather than where the network happens to see it. Pairing the Bifrost AI gateway with Bifrost Edge gives security and platform teams one control plane for that work, with the gateway defining the virtual keys, budgets, guardrails, and audit logs, and Edge, currently in alpha, extending them to every machine in the organization. Teams sizing up shadow AI can review how the combined approach works on the Bifrost Edge overview https://docs.getbifrost.ai/edge/overview and register there for alpha access.