Full Report
Many employees already use shadow AI tools at work without security review. Adaptive Security breaks down how teams can build practical AI governance without adding friction for employees. [...]
Analysis Summary
# Best Practices: Managing Shadow AI and AI Governance
## Overview
These practices address the "Shadow AI gap": the security risk created when employees use unapproved generative AI tools, browser extensions, and OAuth-connected assistants without IT oversight. The goal is to move from a restrictive "block-all" stance to an enablement-focused governance model that secures corporate data while maintaining employee productivity.
## Key Recommendations
### Immediate Actions
1. **Conduct an OAuth Audit:** Review third-party application permissions in Google Workspace or Microsoft 365. Identify and revoke AI tools with broad read/write access to emails and shared drives that haven't been vetted.
2. **Inventory Browser Extensions:** Use a browser management solution or endpoint agent to identify AI-based browser extensions currently active on employee devices.
3. **Run an AI Usage Survey:** Distribute a "safe-work" survey to employees to identify AI tools currently in use. Frame the survey as a way to provide better support rather than a policing effort.
4. **Identify "Silent" AI Updates:** Audit recently updated enterprise tools (e.g., Salesforce, Microsoft 365, Zoom) for newly bundled AI features that may require configuration or data-sharing opt-outs.
### Short-term Improvements (1-3 months)
1. **Formalize AI Acceptable Use Policy (AUP):** Draft a practical policy that includes a whitelist of approved tools, data classification rules, and a clear request process for new tools.
2. **Mandate Data Training Opt-outs:** Reach out to vendors of approved AI tools to ensure "Training Opt-out" settings are active, preventing corporate data from being used to train public LLMs.
3. **Establish Data Guardrails:** Define specific categories of "No-Go" data (e.g., customer PII, source code, financial records) that are strictly prohibited from being entered into any AI prompt.
### Long-term Strategy (3+ months)
1. **Continuous Visibility Integration:** Move from periodic audits to continuous monitoring using tools that can detect new AI tools as they are introduced via browsers or OAuth logins.
2. **Adaptive Security Awareness:** Implement training specifically for AI-powered social engineering (deepfakes, sophisticated phishing) and safe prompting behavior.
3. **Governance Lifecycle Management:** Establish a recurring review cycle for the AI whitelist to ensure tools continue to meet evolving security and privacy standards.
## Implementation Guidance
### For Small Organizations
* **Focus on Low-Hanging Fruit:** Use the built-in app discovery features in Google Workspace/Microsoft 365 to find OAuth apps. Use a simple spreadsheet for the "Approved AI List."
* **Culture Lead:** Rely on direct communication and surveys to understand tool usage.
### For Medium Organizations
* **Centralized Request Process:** Use existing ticketing systems (Jira, ServiceNow) to create a specific "AI Tool Request" workflow with a target SLA.
* **Browser Management:** Deploy a centralized browser management policy (Chrome/Edge) to manage extensions across the fleet.
### For Large Enterprises
* **Automated Discovery:** Deploy specialized security agents or Cloud Access Security Brokers (CASB) to monitor Shadow AI in real-time.
* **Tiered Approvals:** Create a multi-tiered approval process where low-risk tools (e.g., grammar checkers) are fast-tracked, while high-risk tools (e.g., data analysis platforms) undergo deep security reviews.
## Configuration Examples
* **OAuth Scopes:** Restrict apps from requesting "Full Access" or "Send on your behalf" permissions unless strictly necessary.
* **Enterprise Managed Settings:** For tools like OpenAI (ChatGPT Enterprise) or Microsoft Copilot, ensure the following are toggled:
    * `Training Opt-Out: Enabled`
    * `Data Retention Policy: Defined (e.g., 30 days)`
    * `SSO Integration: Enabled`
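
One way to run the OAuth audit from Immediate Actions and apply the OAuth scope restriction above, as an added example that is not code from the original report. It assumes a per-user export of token grants using the `clientId`, `displayText`, `userKey` and `scopes` field names of the Google Admin SDK Directory API tokens resource; the grant records, client IDs and approved list are constructed for illustration.

```python
import json

# Scopes granting broad mailbox or drive access (Google and Microsoft Graph names).
BROAD_SCOPES = {
    "https://mail.google.com/": "full Gmail read/write",
    "https://www.googleapis.com/auth/gmail.send": "send mail on the user's behalf",
    "https://www.googleapis.com/auth/drive": "full Drive read/write",
    "Mail.ReadWrite": "mailbox read/write",
    "Mail.Send": "send mail on the user's behalf",
    "Files.ReadWrite.All": "read/write on all files the user can reach",
}
APPROVED_CLIENT_IDS = {"client-0001"}  # hypothetical vetted-app list

# Constructed sample export, one record per (user, app) grant.
SAMPLE_GRANTS = json.loads("""[
 {"clientId": "client-0001", "displayText": "Approved Notes Assistant",
  "userKey": "alice@example.com", "scopes": ["https://www.googleapis.com/auth/drive"]},
 {"clientId": "client-0002", "displayText": "AI Mail Summarizer",
  "userKey": "alice@example.com", "scopes": ["https://mail.google.com/", "openid"]},
 {"clientId": "client-0002", "displayText": "AI Mail Summarizer",
  "userKey": "bob@example.com",
  "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/gmail.send"]},
 {"clientId": "client-0003", "displayText": "Grammar Helper",
  "userKey": "carol@example.com", "scopes": ["openid", "email"]},
 {"clientId": "client-0004", "displayText": "Meeting Notes Bot",
  "userKey": "carol@example.com", "scopes": ["https://www.googleapis.com/auth/drive"]}
]""")

def audit_grants(grants, approved):
    """Return unvetted apps that hold broad scopes, widest user reach first."""
    found = {}
    for g in grants:
        broad = {s for s in g["scopes"] if s in BROAD_SCOPES}
        if g["clientId"] in approved or not broad:
            continue  # vetted app, or only narrow scopes such as openid/email
        f = found.setdefault(g["clientId"],
                             {"app": g["displayText"], "users": set(), "scopes": set()})
        f["users"].add(g["userKey"])
        f["scopes"] |= broad
    rows = [{"clientId": cid, "app": f["app"], "users": sorted(f["users"]),
             "scopes": sorted(f["scopes"])} for cid, f in found.items()]
    return sorted(rows, key=lambda r: (-len(r["users"]), r["app"]))

if __name__ == "__main__":
    for r in audit_grants(SAMPLE_GRANTS, APPROVED_CLIENT_IDS):
        print(f'{r["app"]} ({r["clientId"]}): {len(r["users"])} user(s), revoke or review')
        for s in r["scopes"]:
            print(f"  {s}: {BROAD_SCOPES[s]}")
```

Grouping by `clientId` rather than by user shows how far each unvetted app reaches across the tenant, which sets the order for review or revocation.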
## Compliance Alignment
* **NIST AI 100-1 (AI Risk Management Framework):** For mapping risks and establishing governance.
* **ISO/IEC 42001:** For establishing and maintaining an Artificial Intelligence Management System (AIMS).
* **CIS Controls:** Specifically Control 02 (Inventory and Control of Software Assets).
## Common Pitfalls to Avoid
* **The "No-Policy" Stance:** Failing to provide a policy defaults to a "Wild West" environment where employees assume everything is permitted.
* **Friction-Heavy Processes:** If the approval process takes 6 months, employees will continue to use shadow tools.
* **Ignoring OAuth:** Monitoring network traffic but ignoring OAuth connections leaves a major back-door access point to company data wide open.
## Resources
* **NIST AI Framework:** [hXXps://www.nist.gov/nistir/8470]
* **Adaptive Security Research (Tool Discovery):** [hXXps://www.adaptivesecurity.com]
* **CIS AI Security Guide:** [hXXps://www.cisecurity.org/ai]