The problem isn't that employees are using AI without permission—it's that companies are demanding AI adoption while pretending they can still control how it happens.

The Summary

  • Vanta, a trust management platform with 16,000+ customers, reports that 70% have "shadow AI" happening inside their organizations—employees using AI tools that haven't gone through formal security review
  • They're launching Vanta Agent for Risk to map vendors, data assets, compliance requirements, and controls across 4,000+ integrations
  • The contradiction is built into the system: executives push AI adoption, then act surprised when employees actually adopt AI

The Signal

Shadow AI isn't shadow IT with a new coat of paint. Shadow IT was bottom-up. Someone bought a PC or signed up for Dropbox because the approved tools were garbage. Shadow AI is top-down chaos disguised as an innovation mandate.

The pattern is predictable. Leadership announces an AI initiative. Middle management sets vague productivity goals. Employees get the message: use AI or get left behind. Then everyone acts shocked when sensitive customer data ends up in ChatGPT's training set because nobody specified which AI tools were actually approved.

"70% of companies have shadow AI, which means 70% of companies are running the exact experiment they're terrified of."

Vanta's numbers tell the real story. Across 16,000 customers, the majority have already lost the control they think they have. Christina Cacioppo frames it as tools that "might provide a lot of promise and value" but haven't been reviewed. That's diplomatic. The reality is messier: employees are feeding proprietary data into systems the company doesn't own, can't audit, and barely understands.

What makes the Vanta Agent for Risk interesting isn't the technology. It's what the product reveals about enterprise readiness. They need 4,000+ integrations and 1,400 continuous security tests just to get visibility into what's actually happening. That's not a solution. That's a diagnostic tool for how far behind the curve most companies are.

Here's what the integrations actually mean:

  • 4,000+ potential entry points where data can leak
  • Every SaaS tool is a potential AI tool now
  • The perimeter dissolved before anyone noticed

The agent maps relationships between vendors, data assets, compliance requirements, and controls. Translation: it tells you which disasters are already in progress and which ones are scheduled for next quarter. Jeremy Epling, Vanta's chief product officer, positions it as understanding "all the different things that are happening in your company." But understanding isn't control. You can have perfect visibility into a system that's fundamentally ungovernable.

The Implication

The Vanta approach is reactive by design. You can't secure what you can't see, and you can't see what you haven't mapped. But by the time you've mapped 4,000 integrations, you're not managing risk anymore. You're documenting it.

The smarter play is to accept that shadow AI is now just AI. Stop treating employee experimentation as a security breach and start treating it as the operating model. Build guardrails that assume people will use whatever tools work, not whatever tools got approved in Q3 planning. The alternative is spending six figures on monitoring tools while your best people route around your controls anyway.

Sources

Fast Company Tech