Shadow AI discovery: the visibility you think you have
82% of enterprises found an AI agent they did not know was running, while 68% believed they had strong visibility. The gap is the finding, and it makes discovery, not policy, the binding first control.
Holding · reviewed 8 Jun 2026 · next review +89d

Bottom line. The Cloud Security Alliance found that 82% of enterprises discovered an AI agent running without their security or IT team’s knowledge in the past year, while 68% of the same organisations said they had strong visibility into their agent estate. CrowdStrike is detecting more than 1,800 distinct AI applications across its customer base. The gap between believed visibility and found reality is the finding: discovery, not policy, is the binding first control.
The Cloud Security Alliance and Token Security surveyed 418 IT and security professionals in January 2026 and published the results, “Autonomous but Not Controlled,” on 21 Apr 2026. The headline is a contradiction the respondents hold at once: 82% had discovered at least one AI agent or autonomous workflow created entirely without their security, IT, or governance team’s knowledge, and 68% nonetheless believed they had strong visibility into the agents running across their environment. Two in three, 65%, had an AI agent security incident in the past 12 months; of those that had an incident, 61% involved data exposure. Only 21% run any formal process to decommission an agent.
The vendor that ran the survey put the mechanism plainly:
“AI agents are outpacing the identity systems meant to secure and control them, and it’s already showing up in unknown agents and real incidents.”
— Itamar Apelblat, CEO and Co-Founder, Token Security, on the 21 Apr 2026 survey.
The scale comes from the endpoint side. CrowdStrike reported on 23 Mar 2026 that its sensors detect more than 1,800 distinct AI applications running on enterprise devices, across nearly 160 million unique instances, and shipped a Shadow AI Discovery for Endpoint capability to inventory the agents, LLM runtimes, and MCP servers it finds.
| CSA survey (n=418, fielded Jan 2026) | Figure |
|---|---|
| Found at least one unknown AI agent in the past year | 82% |
| Believe they have strong visibility into their agents | 68% |
| Had an AI agent security incident in the past year | 65% |
| Of those incidents, involved data exposure | 61% |
| Run a formal agent decommissioning process | 21% |
Figures from the CSA and Token Security survey, 21 Apr 2026.
The estate is built faster than it is seen
The two datasets describe one pattern: the AI estate is being assembled faster than it is being seen. A written AI-use policy does not change the count of agents already running; it changes what is permitted for the ones you find next, and it cannot be enforced against agents nobody can see. The 82% who found an unknown agent mostly did not lack a policy so much as a way to know the policy was being followed.
This is the discovery-side view of the same lifecycle gap the non-human identity governance vacuum read describes from the identity side. There, machine credentials outnumber humans and lack an owner; here, the agents that wield those credentials are themselves uncounted. The 21% decommissioning figure connects the two: an abandoned agent keeps its credentials and its data access, so an estate nobody decommissions is an estate that only grows its attack surface.
The 68% is the number that should worry the board
For a CISO, the uncomfortable figure is not the 82%. It is the 68%. Believed visibility that high, against an 82% find rate, means the confidence the board is hearing has come loose from the exposure underneath it. The reassuring number and the real number are moving in opposite directions, and the gap is invisible until an incident closes it.
The pattern holds across the incident data too. Of the 65% that had an agent incident, 61% saw data exposure, which is the failure mode you would predict when agents with data access proliferate faster than the inventory that tracks them. The exposures are not exotic; they are the ordinary consequence of an asset class that no one is counting.
Discovery is a feed, not a document
The first control is continuous discovery, not a policy document. Policy is necessary, but it is the second move; you cannot govern, scope, or revoke an agent you have not found. The shadow-AI discovery playbook is the method, and the approved-tool-unapproved-capability read covers the case where the agent was sanctioned but its capability was not.
One unhedged line for the security leader: treat your AI-agent inventory as a live feed with a find rate you measure, not a spreadsheet you update quarterly. If you cannot say how many agents ran last week and who owns each one, your visibility number is the 68%, and the 82% is what you have not seen yet.
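The "live feed with a find rate you measure" idea can be made concrete by reconciling the inventory the security team believes in against what endpoint telemetry actually observed in the last week. The following is an added example, not code from the article or from CSA, Token Security or CrowdStrike; the inventory records, telemetry events, field names (agent_id, owner, decommissioned, host, seen_at) and the seven-day window are all constructed assumptions. It reports the four things the piece argues matter: agents seen but never declared, declared agents with no owner, agents that were formally decommissioned but are still running, and the resulting find rate.

```python
"""
Reconcile a declared AI-agent inventory against observed runtime telemetry.

Added example, not the article's or any vendor's code. All records below are
constructed sample data; field names are assumptions, not a real sensor schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class InventoryRecord:
    agent_id: str
    owner: Optional[str]     # None means nobody is accountable for this agent
    decommissioned: bool     # True means it was formally retired


@dataclass(frozen=True)
class TelemetryEvent:
    agent_id: str            # identifier the sensor derived for the running agent
    host: str
    seen_at: datetime


NOW = datetime(2026, 6, 8, tzinfo=timezone.utc)

# Constructed: what the security team believes is running.
INVENTORY = [
    InventoryRecord("ticket-triage-agent", "platform-team", False),
    InventoryRecord("sales-summariser", None, False),
    InventoryRecord("legacy-doc-bot", "data-team", True),
    InventoryRecord("nightly-report-agent", "finance-team", False),
]

# Constructed: what endpoint sensors actually observed.
TELEMETRY = [
    TelemetryEvent("ticket-triage-agent", "host-01", NOW - timedelta(days=1)),
    TelemetryEvent("sales-summariser", "host-02", NOW - timedelta(days=2)),
    TelemetryEvent("legacy-doc-bot", "host-03", NOW - timedelta(days=3)),     # retired on paper, still running
    TelemetryEvent("finance-mcp-server", "host-04", NOW - timedelta(days=4)), # never declared by anyone
    TelemetryEvent("old-poc-agent", "host-05", NOW - timedelta(days=40)),     # outside the reporting window
]


def reconcile(inventory, telemetry, now, window=timedelta(days=7)):
    """Compare declared agents with agents observed inside the window.

    Returns the observed set, the gaps the article names, and the find rate
    (share of observed agents that the inventory did not know about).
    """
    declared = {r.agent_id: r for r in inventory}
    cutoff = now - window
    observed = {e.agent_id for e in telemetry if e.seen_at >= cutoff}

    unknown = {a for a in observed if a not in declared}
    ownerless = {a for a in observed if a in declared and declared[a].owner is None}
    abandoned = {a for a in observed if a in declared and declared[a].decommissioned}
    # Declared as live but not seen this week: the inventory is stale in the other direction.
    silent = {a for a, r in declared.items() if not r.decommissioned and a not in observed}

    find_rate = len(unknown) / len(observed) if observed else 0.0
    return {
        "observed": observed,
        "unknown": unknown,
        "ownerless": ownerless,
        "abandoned": abandoned,
        "silent": silent,
        "find_rate": find_rate,
    }


def weekly_report(result):
    """Render the reconciliation as the line a security leader should be able to say."""
    return (
        f"{len(result['observed'])} agents ran this week; "
        f"{len(result['unknown'])} unknown, {len(result['ownerless'])} ownerless, "
        f"{len(result['abandoned'])} decommissioned-but-running, "
        f"{len(result['silent'])} declared-but-silent; "
        f"find rate {result['find_rate']:.0%}"
    )


if __name__ == "__main__":
    print(weekly_report(reconcile(INVENTORY, TELEMETRY, NOW)))
```

Run weekly against real sensor output and the find rate becomes the measured number the article asks for; a find rate that stays well above zero across cycles is the 82% problem in your own estate, and the "abandoned" set is the direct consequence of the 21% decommissioning figure.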
Holding-up note
The primary claim of this piece (that enterprises systematically overestimate their AI-agent visibility, that most have already discovered agents they did not know were running, and that continuous discovery rather than written policy is the binding first control) is on a 90-day review cadence. Three kinds of evidence would move the verdict: a later large-sample survey showing the find-rate and believed-visibility figures converging; discovery tooling becoming a default capability in the major endpoint and cloud platforms, which would close the gap structurally; or incident data showing policy maturity, not discovery, separates the breached from the unbreached. The Holding-up record for AM-205 captures what changes, dated. Figures are from the CSA and CrowdStrike as of 8 Jun 2026.