How JumpCloud unifies IT management to tame shadow AI
Identity is the secret to ensuring enterprise network visibility in a world of shadow AI
Sponsored Feature
IT departments have wrestled with employees' use of unauthorized technology for years. But none of that compares with shadow AI.
Unauthorized AI use is taking hold quickly. Gartner found last year that 69 percent of organizations believe employees are using prohibited public GenAI tools. Half continue to do so.
Such tools include public LLMs such as OpenAI and Claude. But they also cover AI-enabled software-as-a-service applications that individual departments buy through procurement functions.
This creates a real dilemma for IT leaders. On the one hand, they're keen to see employees use tech that enables them to be as productive as possible. On the other hand, tech leaders must manage and govern IT infrastructure safely. Getting the balance right is tricky but crucial.
Chase Doelling is principal strategist and director at JumpCloud, whose platform manages identity, access and devices. As he points out, playing an effective safeguarding role relies on IT teams overseeing what's happening across the enterprise.
"Some organizations want to block shadow AI outright and control it but, on the other side, you have mandates from executive leadership saying, 'we need to be an AI-driven business'," Doelling explains. "IT is sitting in the middle trying to say 'yes' as much as it can but also wanting to ensure the business is secure, avoids miscompliance, and prevents data leakage that could come back to haunt it."
The problems keeping IT up at night
Data can leak if employees unknowingly feed sensitive company information into a public LLM, or an application that uses one. This data is often stored on external, unencrypted servers and may be used for training future models, resulting in a potential loss of control over intellectual property and other confidential information.
But Doelling is even more concerned about the next wave, in the form of agentic AI. AI agents are autonomous. They can reason, plan, and take action to achieve specific aims with little or no human intervention. They use LLMs to independently make decisions and adapt to changing environments. This enables them to solve complex, real-world problems.
"That's the scariest part now because the technology is moving so much faster and there are more unknowns," Doelling says. "It's not just a scripted workflow where it follows precise steps. It's doing its own thing and these agents are making micro-decisions on their own, so you need to track and monitor that."
Compliance is also keeping people up at night, and the industry has yet to solve the agentic compliance problem. Doelling believes a day of reckoning is coming.
"If an agent takes a wrong action and data is exposed, you need to understand who authorized that path, who allowed the action, and how you can reverse it," he says. "So, you have to know what you're doing in reporting and auditing terms, and that's really hard to do at computational speed."
The dual disconnect
It is even more difficult to do in a hybrid world. Many organizations' IT infrastructure is open to a complex mix of AI agents, service accounts, and humans using different devices. As all of these have varying identities, monitoring and managing them has become an involved, multi-layered activity.
To make matters worse, there is also what Doelling describes as a dual disconnect in many organizations. It's a gap between how mature companies believe they are in AI adoption and usage, and how ready they are internally to implement the technology.
Such readiness includes having an effective governance framework in place and a clear understanding of the organization's security posture or status. It also includes having developed appropriate AI usage guidelines for individual departments based on their specific requirements.
"What we found in our research is that people feel much more mature than their actual readiness in adoption terms," Doelling says. "They have this overconfidence of 'yep, we'll keep going', but if they do keep going at scale, they don't have the infrastructure available to support the scaffolding of AI adoption."
Running before they can walk will cause shadow AI-related security and compliance incidents for 40 percent of enterprises by 2030, says Gartner.
Gaining that all-important visibility
More visibility over what is happening on the enterprise network is key to solving the unauthorized tech problem. That makes a strong identity and access management (IAM) foundation vital.
"Having an effective security management environment in place is necessary if you want to be ready for AI, agentic AI, and whatever else comes after that," Doelling advises. "You need a strong identity foundation to understand what both humans, non-human, and technology are doing and to tie their actions back to them so it's clear what's happening across the organization."
He goes so far as to call identity "the new security frontier." That means taking a "never trust, always verify" approach and assuming all network traffic is hostile until it is determined otherwise.
"It used to be much more about managing devices and applications," he adds. "But when you look at managing the modern workplace, it's all about managing identity so you can manage access, no matter what the device or application."
The idea here is that the identity of an employee (or AI agent) is linked to whatever kind of authorizations and permissions they have been assigned by administrators to allow system access.
"So, if an employee picks up a device and says, 'I want to get into Salesforce and start looking at customer data', for example, we can say, 'Sorry, you're not actually coming from a trusted area', or we can look at certain conditional access pieces that can be managed from within the browser," Doelling explains.
The value of a unified enterprise network view
Having multiple IAM tools splintered across the network will not work in this context. To monitor, manage and control shadow AI effectively, IT teams need a unified, enterprise view of all activity, no matter where it comes from.
Digesting all of that data calls for a centralized dashboard. It can consolidate data, alerts, and controls from disparate security systems and tools to provide a holistic, real-time view of what is happening.
This approach reduces manual work for IT teams. It enables faster threat detection and decision-making on how best to respond to any potential incidents. It also leads to more consistent policy enforcement across the entire network.
"The primary benefit is going from zero to one, so you have no visibility as to what's happening and then you have full visibility," Doelling points out. "That's usually the biggest leap we see for organizations, and our biggest requests are from folks saying, 'I just need to know'."
This new-found visibility also makes auditing and reporting more straightforward. It becomes easier to monitor and understand what unauthorized access attempts came from where, alongside how and why they happened.
It also becomes clearer whether organizations are obtaining a return on investment from their software licences, so action can be taken to remedy the situation if not. You can establish whether employees are using the company's investment in licences for authorized AI systems like Gemini Enterprise, or draining the corporate coffers by relying on unsanctioned third-party applications.
"AI isn't cheap. It's given away for free initially but there's an actual cost to running these models," Doelling adds. "So look at the financials and understand what you're already paying for in licence terms or whether it's been purchased via procurement."
Balancing AI implementation with survival
JumpCloud offers a free trial of its platform, Doelling says. Try it to test managing your devices immediately and ensure they are fully protected.
The next step is to feed disparate employee identities into the system, enabling JumpCloud to unify them into one. After that, ensure that each stage of the authentication process is valid and up to date.
This is particularly important in a world in which AI adoption is in its early days and deployment is at different levels throughout the average organization. Software engineering functions, for instance, are likely to be much further ahead in implementation terms than payroll. This means the secret to success is accommodating everyone's needs securely.
"IT teams are in a unique situation in that they're seen as both implementers and governors," Doelling concludes. "That's why having visibility makes it easier to take those difficult decisions on how to use AI while at the same time avoiding putting your organization at risk."
Sponsored by JumpCloud.