What "IT" is lurking in the Shadows?

Today, a new and potentially more disruptive form of Shadow IT is emerging: AI agents.


For decades, IT leaders have battled a familiar challenge: Shadow IT.

Employees, frustrated by slow procurement processes or by having access only to limited corporate tools, would adopt their own software solutions (file-sharing platforms, project management apps, cloud storage services) without approval from IT or security teams.

These tools often improved productivity, but they also created significant governance, security, sovereignty and compliance risks, as they were typically not authorized and, in many cases, were solutions outside of the enterprise's domain and sometimes even hosted outside of Canada.

Today, a new and potentially more disruptive form of Shadow IT is emerging: AI agents.

Unlike traditional software, AI agents don't simply store information or automate predefined workflows. They can do more, such as:

  • Make decisions
  • Execute tasks
  • Interact with systems
  • Generate content
  • Analyze data
  • Adapt and learn

and even go as far as acting or posting autonomously on behalf of employees.

As organizations race to embrace AI, many employees are already deploying personal or department-level AI agents without formal oversight.

The result? A rapidly expanding ecosystem of invisible automation operating outside established governance frameworks.

From Unsanctioned Apps to Unsanctioned Intelligence

Traditional Shadow IT consisted mostly of systems, large tools and “hidden” data stores.

AI agents are about capability.

An employee can now connect a Large Language Model to company systems, grant it access to internal documents, integrate it with SaaS applications, and create a functioning digital worker in a matter of hours.

No software development team required.

A digital worker without oversight or supervision.

Marketing teams are creating content-generation agents.

Sales teams are building prospecting agents.

Operations teams are deploying workflow automation agents.

Finance teams are experimenting with reporting and analysis agents.

Many of these initiatives start with good intentions. Employees want to move faster, eliminate repetitive work, and increase productivity. The problem is that these agents often operate beyond the visibility of security, compliance, risk, and IT teams.

This is the rise of "Shadow AI", and AI agents, now seen often and in most places, are quickly becoming one of its most powerful manifestations.

Why AI Agents Create Greater Risk Than Traditional Shadow IT

The risks associated with Shadow IT were relatively straightforward. They are the big three:

1. Data leakage

2. Compliance violations

3. Unmanaged software

AI agents introduce a more complex challenge because they can take actions.

AI agents introduce new risks as they can represent the organization or corporation, replacing past formal and authorized press releases.

AI agents introduce new risks as they can conduct interviews of new hires and make hiring-related decisions.

AI agents introduce new risks as they can execute on corporate policy without oversight.

And organizations are starting to see that in some use cases, operating AI agents can incur significant costs, more than a human employee. Humans are typically paid by some time period, not by tokens from a third party.

An unauthorized cloud storage account might expose sensitive data.

An unauthorized AI agent could access customer information, generate inaccurate recommendations, trigger workflows, approve transactions, or interact with external systems at scale. Potential liabilities abound.

Several characteristics make AI agents uniquely risky.

They are as follows:

1. Multiple Systems Can Be Operated

Modern agents rarely work in isolation. They connect to CRM platforms, knowledge bases, communication tools, ERP systems, and cloud applications and services.

Each integration expands the potential attack surface and increases the complexity of access management.

2. Decisions Are Made

Unlike traditional automation scripts, AI agents often operate with varying degrees of autonomy. They interpret instructions and policies, evaluate context, and determine actions dynamically.

This flexibility creates tremendous value, but also makes behavior harder to predict and audit.

3. They Can Scale Mistakes Instantly

A human employee may make a bad decision occasionally.

Consider that employees are trained on company policies, practices, tools, and procedures or methodologies, and are typically rated on their performance on a regular basis.

An AI agent can repeat that decision hundreds or thousands of times before anyone notices.

The speed and scale of AI amplify both productivity and risk. The scalability of AI can be a double-edged sword.

4. They Often Bypass Existing Governance Models

Most governance frameworks were designed around applications, databases, and users.

AI agents don't fit neatly into any of these categories.

Organizations frequently lack clear policies for:

  • Agent identity management
  • Agent permissions
  • Agent monitoring
  • Agent lifecycle management
  • Agent accountability
  • Agent ethics

This results in agents that can proliferate faster than governance structures can adapt and expose the organization at a breakneck pace.

The Visibility Problem

One of the defining characteristics of Shadow IT has always been invisibility.

The same challenge now exists with AI agents.

Security teams may know which SaaS applications employees use, but they often have limited visibility into:

  • Which agents exist
  • What data agents access
  • Which models agents rely on
  • What actions agents can perform
  • How agent decisions are monitored
  • Who is accountable for agent behavior
  • Whose ethics do the agents follow

This creates a dangerous gap between organizational awareness and actual operational reality.

In many enterprises, dozens (or eventually hundreds) of AI agents may be operating long before leadership has an accurate inventory.

The Governance Gap

Many organizations are approaching AI governance primarily through model policies and acceptable-use guidelines.

While important, these measures are not sufficient for agentic systems.

An organization may approve a specific AI model while still lacking controls over what autonomous agents can do with that model.

The conversation must evolve from:

"Which AI tools are employees allowed to use?"

to

"What authority are AI agents allowed to exercise?"

This shift mirrors the evolution from application security toward identity security and reputational risk.

As agents become active participants in business processes, organizations will need to treat them as a new category of digital identity with clearly defined permissions, responsibilities, and oversight.

What Enterprise Leaders Should Do Now

The goal should not be to eliminate employee-driven AI innovation.

History has shown that banning new technology rarely succeeds.

Instead, organizations should focus on creating a framework that enables safe experimentation while maintaining control.

Key priorities include:

Build an Agent Inventory

Organizations cannot govern what they cannot see.

Establish processes for discovering, cataloging, and tracking AI agents across departments.

Implement Agent Identity and Access Controls

Every agent should have clearly defined permissions based on least-privilege principles.

Agents should not inherit unrestricted access simply because their creators possess it.

Monitor Agent Activity

Logging, auditing, and behavioral monitoring should become standard requirements for production agents.

Organizations need visibility into both actions and outcomes.

Define Accountability

Every agent should have a human owner responsible for its performance, risks, and compliance obligations.

Create Agent Governance Policies

Policies should address:

  • Approved use cases
  • Data access restrictions
  • Security requirements
  • Human oversight requirements
  • Risk classification standards
  • Incident response procedures
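
Once agents are recorded in an inventory, the priorities above (approved use cases, least privilege, monitoring, a named human owner) can be checked mechanically. The sketch below is an added example, not part of the original article; the scope names, use cases and agent records are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy: approved use cases and the scopes each one needs.
APPROVED_SCOPES = {
    "prospecting": {"crm:read"},
    "reporting": {"erp:read", "bi:read"},
}

@dataclass
class Agent:
    name: str
    use_case: str
    scopes: frozenset          # permissions granted to the agent's identity
    creator_scopes: frozenset  # permissions held by the employee who built it
    owner: Optional[str] = None
    audit_logging: bool = False

def audit(agent):
    """Return governance findings for one inventory record."""
    findings = []
    allowed = APPROVED_SCOPES.get(agent.use_case)
    if allowed is None:
        findings.append("use case not approved")
        allowed = set()
    excess = agent.scopes - allowed
    if excess:
        findings.append("excess scopes: " + ", ".join(sorted(excess)))
    # Least privilege: an agent that holds everything its creator holds, beyond
    # what the use case needs, inherited its access instead of being scoped.
    if excess and agent.creator_scopes and agent.scopes >= agent.creator_scopes:
        findings.append("inherits creator's full access")
    if not agent.owner:
        findings.append("no accountable human owner")
    if not agent.audit_logging:
        findings.append("audit logging disabled")
    return findings

# Constructed inventory records.
INVENTORY = [
    Agent("sales-prospector", "prospecting", frozenset({"crm:read"}),
          frozenset({"crm:read", "crm:write", "mail:send"}), "j.doe", True),
    Agent("finance-helper", "reporting",
          frozenset({"erp:read", "erp:approve", "bi:read"}),
          frozenset({"erp:read", "erp:approve", "bi:read"})),
    Agent("hr-screener", "candidate-screening", frozenset({"hris:read"}),
          frozenset({"hris:read", "hris:write"}), "a.lee", True),
]

def audit_inventory(inventory):
    """Map agent name -> findings, listing only agents that need attention."""
    return {a.name: f for a in inventory if (f := audit(a))}
```

Running `audit_inventory(INVENTORY)` leaves out the scoped, owned and logged prospecting agent and reports the other two.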

The Future of Shadow IT Is Autonomous

The first era of Shadow IT was driven by cloud applications.

The next era will be driven by AI agents.

Employees now have unprecedented power to create intelligent systems that can reason, act, and automate work independently. This capability promises enormous gains in productivity and innovation, but it also introduces new categories of operational and security risk.

Organizations that treat AI agents as merely another software tool may find themselves unprepared for the governance challenges ahead.

The most successful enterprises will recognize a fundamental reality: AI agents are not just applications. They are digital actors.

And just as companies once learned to govern the software employees used, they must now learn to govern the autonomous intelligence employees create.

The organizations that solve this challenge first will not only reduce risk; they will unlock AI's full potential with confidence.

 
