Controlling the sprawl of shadow AI
There’s a gap widening across UK organisations that nobody is properly discussing. It’s not between technology and security. It’s between what leaders think is happening with AI tools and what the workforce is actually doing.
According to Okta’s AI Agents at Work 2026 study, 96 per cent of UK executives believe they have visibility into AI tool usage. Yet, 55 per cent of UK knowledge workers use unapproved “shadow AI” tools.
James Simcox, Chief Product Officer at Equals, sees this as a leadership challenge: “It has to be that even your executive teams feel like they own security,” he says. “For forward-thinking organisations, shadow AI isn’t a problem to be locked down, it’s a signal that governance frameworks need to evolve.”
That’s the core tension. This isn’t a result of bad people. It’s the outcome of good people solving problems with the tools at hand.
How shadow AI spreads in practice
Imagine that someone on your team finds a tool that solves a problem in five minutes instead of thirty. They mention it to a colleague. Two more of their colleagues try it. A week later it’s normalised. They’re just being practical, not reckless.
The numbers tell you why this pattern keeps repeating. Globally, 80 per cent of workers reach for unapproved tools because they’re faster and easier. 78 per cent do it because their team already uses it and it’s considered normal. When 57 per cent say the approval process is too slow or difficult, and 49 per cent say approved tools don’t meet their needs, you’re looking at a system that doesn’t fit how work actually happens. So, people work around it.
“I love my teams using AI, but these tools are sometimes designed to make you want to overshare,” notes Simcox. “The key is having visibility and the right governance framework so we can innovate confidently.”
When visibility becomes a false comfort
Globally, 58 per cent of executives reported their organisation experienced an AI-related security incident or close call in the past year. When employees routinely share confidential company documents (29 per cent), HR-related information (36 per cent) and login credentials and passwords (16 per cent), the risk is tangible.
But the gap goes deeper than data sharing. Okta’s research shows a 22-point chasm between executive and worker perceptions of policy clarity. 65 per cent of executives globally believe their AI usage policies are “very clear,” but only 43 per cent of knowledge workers agree. When the blueprint and the reality don’t align, governance breaks down.
Why shadow AI isn’t just shadow IT 2.0
But shadow AI is just the newest version of shadow IT, right? Well, not entirely. With shadow IT, someone may download some new software that contains malware, but the risk is contained. On the other hand, an AI agent with integrations across your systems carries exponentially more risk. “If you accidentally bring in an AI agent type system that’s hooked up to a bunch of services and no one notices, that’s a real problem,” says James Simcox.
A malicious shadow AI agent can access databases, connect to APIs, execute workflows across multiple platforms – all without your knowledge. Without visibility into what agents are active, what they’re connected to and what permissions they hold, you can lose control very quickly.
Why this is happening
Employees aren’t reaching for unapproved tools out of rebellion. They’re reaching for them because those tools help them do their jobs better.
When an unapproved tool gets the job done faster than your approved alternative, workers face a dilemma. Do they follow governance or hit targets? You can communicate your expectations clearly and train people on policies, but if the unapproved path is faster, governance will lose. The gap exists because your governance framework doesn’t reflect the realities of what is going on in the workforce.
Closing the blindspot
Start with discovery. Assume shadow AI exists and use tools to gain visibility into what’s running.
Make the approved path competitive. If your official tools are slower than what employees find themselves using, you’re asking people to choose between performance and compliance. Make your approved ecosystem faster and more integrated.
Govern the full lifecycle. Don’t just control tool selection – govern access, permissions and identity throughout. Get visibility into what’s actually happening. “Great security actually speeds things up, not slows us down,” says Simcox. “With Okta’s tools like ISPM integrated across our ecosystem, we’ve got the guardrails to enable innovation while protecting our customers.”
This isn’t about enforcement versus control. It’s about alignment. When your workforce uses unapproved tools, that’s feedback – your system telling you exactly where it needs to evolve. Tighter restrictions won’t fix this. Better governance will. Governance that’s faster, more accessible and actually works with how people operate, not against it.