Catch this episode on YouTube, Apple, Spotify, or Amazon. You can read the show notes here.
Shadow IT has long been a challenge for organizations, with employees adopting unsanctioned applications to boost productivity or occasionally for more personal reasons (like playing games remotely). While businesses have made strides in managing these risks, a new wave of shadow IT has emerged—one powered by generative
This week, we chatted with Bradon Rogers, Island's Chief Customer Officer, to explore how AI is reshaping security challenges and how enterprise browsing solutions are evolving to address them.
Here are the key takeaways from the podcast discussion on shadow AI and enterprise security:
Key Takeaways
AI is Accelerating Shadow IT Risks
AI is embedded within approved enterprise applications, making its presence less obvious.
Some AI-powered tools automatically opt users into data sharing or model training.
Enterprise data may be cross-contaminated with other customers’ data, raising security and compliance concerns.
AI-generated derivative data can bypass traditional DLP solutions, making data loss harder to detect.
Application boundaries prevent corporate data from leaking into personal AI tools.
Instead of outright blocking AI, companies should guide users toward sanctioned AI environments.
Transparency is key: employees need clear communication on AI risks and corporate policies.
Editor’s Note
This is your annual notice that we will be at RSAC, and we do plan to record an episode or two if possible. We’ve received a bunch of pitches to meet with guests but have not yet scheduled anything. If you want to record on-site, please be sure to pitch stories instead of people. I am also looking for potential guests for Microsoft’s Threat Intelligence Podcast and possibly another larger one if you have a non-vendor global CISO handy. Slide into my inbox if you have something of interest: elliot @ elliotvolkman[.]com.
Outside of that, swing by the Palace Hotel, where we’ll be hosting plenty of auxiliary sessions, including a threat intel panel on Wednesday morning.
Shadow IT: Then and Now
“It’s like shadows within shadows now… You've got the obvious generative AI destinations like ChatGPT, but then you’ve got other things that are less obvious, where generative AI is built into the application,” said Rogers.
Bradon traced the origins of shadow IT to employees seeking convenient tools that organizations had not yet provided. Early examples included cloud storage solutions like Dropbox, which employees used to bypass outdated or unavailable corporate alternatives. As businesses caught up and introduced secure, sanctioned solutions, traditional shadow IT concerns declined.
However, the rise of generative AI has created a new frontier. Unlike past shadow IT, AI-driven tools are often embedded within applications, making them less obvious. Employees now leverage AI chatbots, automated workflows, and content generators—sometimes unknowingly opting into AI models that use company data for training. This creates unseen vulnerabilities that IT teams must address.
The Challenges of AI-Driven Shadow IT
According to Bradon, AI-powered applications present unique risks, including:
Embedded AI: Many AI features are baked into existing, approved tools without clear notifications to users.
Global Data Pools: Enterprise AI models often rely on aggregated data, meaning sensitive information could be exposed beyond an organization's control.
Derivative Data Risks: AI can transform sensitive data into new formats, making traditional detection methods ineffective.
As AI adoption surges, businesses must implement policies that balance productivity with security. These policies must ensure that data remains protected while enabling employees to use AI responsibly.
“You’ve got end users trying to find cheat codes to do their jobs faster, executives pushing to gain a competitive edge—sometimes without fully understanding the risks—and providers embedding AI into products to stay ahead. That creates a complex security landscape.”
The Role of Enterprise Browsers in Security
One of the key takeaways from the discussion was how enterprise browsers, like those developed by Island, can help mitigate shadow IT risks while enhancing user experience. Bradon emphasized that enterprise browsers create secure environments for accessing corporate applications without sacrificing usability. Key benefits include:
Application Boundaries: Enterprise browsers define clear lines between corporate and personal apps, preventing unauthorized data movement.
Zero Trust Network Access (ZTNA): Instead of traditional VPNs, enterprise browsers provide secure, seamless access to internal applications without exposing the broader network.
Granular Policy Enforcement: Organizations can enforce AI-specific security measures, such as blocking sensitive data uploads to AI tools or directing downloads to secure corporate storage.
A Future-Proof Approach to Security
As AI-driven shadow IT continues to evolve, organizations must adopt security strategies that go beyond simple blocking mechanisms. Enterprise browsers offer a “say yes” approach—allowing employees to leverage innovative tools while maintaining security and compliance. By enforcing contextual policies and ensuring data stays within approved applications, businesses can navigate this new landscape with confidence.