Shadow AI in Your Dev Environment
Last month I sat across from a CISO at a Series D fintech — someone who runs a genuinely good security program — and asked how many AI agents were active in her engineering org. She said twelve. Her team had approved four.
I didn't correct her. I pulled up a scan we'd run during a proof-of-concept the week before. The number was forty-one.
That gap isn't unusual. It's the norm. Gartner's latest research estimates over 75% of employees will use AI tools that IT hasn't provisioned or approved by 2027. But the word "employees" hides the real shift. In 2024, shadow IT meant someone expensing a Notion seat. In 2026, shadow AI means an agent with write access to your production infrastructure, operating on credentials nobody in security knows exist.
That's not the same problem. Not even close.
What I actually see in the field
I spend half my weeks on calls with security teams. Here's what shadow AI looks like in practice — not the sanitized vendor slide, the real thing:
A senior engineer connects their personal Cursor instance to a production database. They're debugging a performance issue at 11pm. They don't want to wait for a staging refresh. The agent now has read access to live customer data through that engineer's credentials, and nobody outside that terminal session knows it happened.
A PM wires up an MCP server to Jira and Slack. They want an AI assistant that can triage bugs and draft updates. Reasonable goal. But the agent can now read every ticket, every internal channel it's been added to, every attachment. The PM didn't think about that because the PM isn't a security engineer.
A developer pastes a customer dataset into a non-sanctioned AI chat to generate test fixtures. That data — names, emails, transaction records — just left your perimeter and landed in a training pipeline you don't control.
These aren't hypotheticals. I've seen all three in the last sixty days.
We had dashboards for every SaaS app in the org. We had zero visibility into what our AI agents could actually do.
Why your existing security stack is blind here
I'll be direct: the security tools you already own weren't designed for this. Not because they're bad — because the threat model is structurally different.
EDR/XDR monitors process execution. When Claude Code reads ~/.aws/credentials, it looks like your terminal reading a file. Sanctioned process, normal behavior. No alert.
DLP watches for sensitive data leaving the network. When an agent sends a database schema to an inference API, DLP sees HTTPS traffic to a known SaaS endpoint. Nothing to flag.
SIEM correlates security events. But agent tool calls aren't security events in the traditional sense. An MCP connection isn't a firewall log. A tool invocation isn't a login attempt.
The result: your security team literally cannot answer "which AI agents are running in our environment, what are they connected to, and what have they done?" Not with the tools they have today.
The part I got wrong
When Hamza and I started Quint, I assumed the market framing was right — that shadow AI was fundamentally a compliance problem. Unsanctioned tools, missing audit trails, regulators asking questions you can't answer. And that's real. It matters.
But I was wrong about what matters most.
Shadow AI in the agent era isn't a compliance problem. It's an architectural problem. And the distinction is critical.
Here's what I mean by architectural:
Agents compound permissions. An agent with read access to a filesystem AND write access to an API has an emergent capability that neither permission grants independently: it can exfiltrate. Most access control models evaluate permissions in isolation. Agents combine them.
Autonomous actors expand blast radius. When a developer connects an agent to prod "just to debug something," that agent inherits everything the developer's credentials can reach. If the agent gets manipulated — prompt injection, tool poisoning, a compromised MCP server — the blast radius isn't one action. It's every system those credentials touch.
No behavioral baseline means no anomaly detection. If you don't know what an agent normally does, you can't tell when it's doing something it shouldn't. A compromised agent can operate for weeks before anyone notices. If they notice at all.
This is why I keep saying: the risk isn't that your engineers are using AI tools you didn't approve. The risk is that those tools are agents with access to your infrastructure, and you have no layer in your stack that understands what agents do.
The lockdown trap
The instinct is to block everything. Disable MCP. Kill AI tools in the IDE. Restrict agent access to sandboxed environments.
This fails for the same reason every heavy-handed IT policy has failed since the invention of the personal laptop: developers route around it. If the sanctioned tools are slower or less capable, shadow AI usage doesn't decrease — it increases. Now you have a visibility problem and an adversarial workforce.
I've watched this play out at three different companies in the last quarter alone. The pattern is always the same. Security locks down, engineering complains, exceptions get carved out, and within six weeks you're back to the status quo but with worse data about what's actually happening.
The right approach — the one we're building toward at Quint — is visibility and enforcement at the action layer. Let developers use their tools. Intercept what those tools do. Establish behavioral baselines per agent. Enforce compliance rules in real time, at the moment an action would violate a policy, not in a quarterly audit six months later.
The window
The EU AI Act enforcement date for high-risk systems is August 2, 2026. SOC 2 auditors are already adding AI agent controls to their questionnaires. IBM's 2024 Cost of a Data Breach report puts shadow IT as a top-three cost amplifier, and that was before agents had tool access.
The unmonitored AI agents in your environment aren't just a security risk. They're a compliance liability with a deadline attached.
The teams that get this right will choose visibility over lockdown — giving engineers the AI tools they need while maintaining the security posture their regulators require.
I'm Amer — co-founder and CEO at Quint. If you're a security leader trying to figure out what AI agent governance actually looks like in practice, I'm always up to talk. Find me at amer in the Quint Discord or @amer313 on X.