Shadow AI
Also known as: unsanctioned AI, ungoverned AI
AI capability operating outside IT governance visibility. The 2024 framing meant unsanctioned tools — workers pasting data into consumer chatbots outside IT review. The 2026 pattern is different: agentic capability silently activating inside already-approved tools through configuration changes the original procurement did not anticipate, such as Custom GPT actions, Copilot custom agents, and MCP server connections from approved IDEs.
Discovery has to look at capability state, not vendor identity. An inventory that asks which AI vendors the organisation has approved misses the deployments where the vendor was approved but the agentic capability arrived later through configuration. That distinction is the load-bearing claim of AM-036, reviewed on a 60-day cadence.
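The difference between the two inventory questions, as an added example that is not part of the original entry: a vendor-identity check and a capability-state check run over the same constructed inventory. The record layout, field names, vendor names and sample deployments are assumptions made for illustration; only the three capability types come from the definition above.

```python
from dataclasses import dataclass, field

# Capability names follow the entry's examples; the record layout is assumed.
AGENTIC_CAPABILITIES = {"custom_gpt_actions", "copilot_custom_agents", "mcp_server_connections"}

@dataclass
class Deployment:
    tool: str
    vendor: str
    reviewed: set = field(default_factory=set)  # capabilities covered at procurement review
    active: set = field(default_factory=set)    # capabilities seen in current configuration

def vendor_identity_findings(deployments, approved_vendors):
    """Vendor-identity inventory: flags only tools from unapproved vendors."""
    return [d.tool for d in deployments if d.vendor not in approved_vendors]

def capability_state_findings(deployments, approved_vendors):
    """Flags agentic capability that is active but was never reviewed,
    regardless of whether the vendor itself is approved."""
    findings = []
    for d in deployments:
        drift = (d.active & AGENTIC_CAPABILITIES) - d.reviewed
        if drift:
            findings.append({
                "tool": d.tool,
                "vendor_approved": d.vendor in approved_vendors,
                "unreviewed_capabilities": sorted(drift),
            })
    return findings

# Constructed sample inventory (placeholder vendors, not real data).
APPROVED = {"VendorA", "VendorB"}
SAMPLE = [
    Deployment("chat-assistant", "VendorA", reviewed={"chat"},
               active={"chat", "custom_gpt_actions"}),
    Deployment("office-copilot", "VendorB", reviewed={"chat", "copilot_custom_agents"},
               active={"chat", "copilot_custom_agents"}),
    Deployment("ide-plugin", "VendorB", reviewed={"code_completion"},
               active={"code_completion", "mcp_server_connections"}),
    Deployment("consumer-chatbot", "VendorX", reviewed=set(), active={"chat"}),
]

if __name__ == "__main__":
    print("vendor view:    ", vendor_identity_findings(SAMPLE, APPROVED))
    for finding in capability_state_findings(SAMPLE, APPROVED):
        print("capability view:", finding)
```

On this sample the vendor view reports only the unapproved consumer chatbot, while the capability view reports the two approved-vendor tools whose agentic features were switched on after review.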
Tracked claims that use this term
- AM-036 · Holding · Enterprise shadow AI in 2026 is structurally different from enterprise shadow AI in 2024. The 2024 framing assumed unsanctioned tool adopti…
- AM-168 · Holding · The dominant 2026 shadow-AI gap is not unsanctioned vendors but sanctioned vendors that have shipped agentic capabilities inside already-ap…