
Shadow AI and Non-Human Identities: The New Questionnaire Section Stalling Deals

Employees connecting unvetted AI tools to corporate systems via OAuth. The procurement question of 2026, what an OAuth audit reveals, and how to actually govern it.

“Half our procurement team’s AI questions are about Shadow AI. Most teams don’t even know what’s connected.” Shadow AI — employees wiring unvetted AI tools into corporate SaaS via OAuth — emerged as a primary 2026 SaaS threat vector (per the DoControl 2026 report), and it’s now a questionnaire section that stalls deals.

What Shadow AI looks like in practice

An employee grants an AI note-taker access to their calendar and email. Another connects an AI tool to the CRM to "summarize accounts." Each is an OAuth grant that hands a third party standing access to corporate data: the app usually holds a refresh token, so the access outlives the session in which it was approved and persists until someone revokes it. The average mature SaaS environment has 30+ unauthorized AI integrations connected this way, most of them invisible to the security team because the consent happened in an individual's account, not through IT.

The OAuth audit (and what it reveals)

Pull the OAuth-grant list from Google Workspace (the admin token report, or the Admin SDK Reports API tokens resource) and Microsoft 365 (Entra ID enterprise applications, or the Microsoft Graph oauth2PermissionGrants resource), plus the grant lists from your major apps. For each grant capture the app name and client ID, the scopes, who consented, and whether it was user consent or admin consent. You'll typically find AI tools no one reviewed, holding broad scopes (full mailbox, all of Drive or SharePoint, directory read), granted by individual user consent rather than admin consent, which means no one reviewed them and the access survives the employee changing roles. That list is both your risk picture and the start of your inventory.
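The triage step described above, as an added example (not code from the original page or from any vendor named on it): it takes a normalised export of grants, flags AI-looking apps by name, scores each grant by scope breadth, refresh-token presence and consent type, and produces the list a revocation ticket should carry. The grant rows are constructed, and the field names, keyword list and scope patterns are this example's own assumptions rather than the Google Admin SDK or Microsoft Graph schemas; it also covers the "How do we discover Shadow AI" question in the FAQ below.

```python
"""Offline triage of an exported OAuth-grant list to surface Shadow AI.

Added example. Rows are constructed; the field names are this example's own
normalised shape, not the Google tokens.list or Graph oauth2PermissionGrants
schemas. Adapt the loader to whichever export you actually pull.
"""
import re
from dataclasses import dataclass

# Name patterns that usually mark AI assistants, note-takers and summarisers.
# Hand-maintained heuristic (assumption); word boundaries keep "ai" from
# matching inside names like "Mailchimp".
AI_NAME_PATTERNS = (r"\bai\b", r"gpt", r"copilot", r"assistant",
                    r"note.?taker", r"summar", r"transcri", r"\bllm\b")

# Scopes treated as broad standing access. Google scopes are URLs, Microsoft
# Graph scopes are short names. drive.file and User.Read are deliberately
# not matched. Patterns are this example's own.
BROAD_SCOPE_PATTERNS = (
    r"^https://mail\.google\.com/$",
    r"/auth/gmail(\.readonly|\.modify)?$",
    r"/auth/drive(\.readonly)?$",
    r"/auth/calendar(\.readonly)?$",
    r"/auth/admin\.",
    r"^Mail\.Read", r"^Calendars\.Read",
    r"^Files\.Read.*\.All$", r"^Sites\.Read.*\.All$",
    r"^Directory\.", r"^User\.Read\.All$",
)


@dataclass
class Grant:
    source: str        # "google" or "m365"
    user: str          # principal who consented
    app: str           # third-party app display name
    client_id: str
    scopes: tuple
    consent_type: str  # "user" (one employee) or "admin" (org-wide)


@dataclass
class Finding:
    grant: Grant
    broad: list
    reasons: list
    score: int
    approved: bool


def is_ai_app(name):
    """Heuristic: does the display name look like an AI tool?"""
    return any(re.search(p, name, re.IGNORECASE) for p in AI_NAME_PATTERNS)


def broad_scopes(scopes):
    """Subset of scopes that grant broad standing access to corporate data."""
    return [s for s in scopes if any(re.search(p, s) for p in BROAD_SCOPE_PATTERNS)]


def assess(grant, approved_client_ids):
    """Score one grant: +2 AI-looking name, +2 per broad scope,
    +1 refresh token (offline_access), +1 individual user consent."""
    reasons, score = [], 0
    if is_ai_app(grant.app):
        reasons.append("AI tool by name"); score += 2
    broad = broad_scopes(grant.scopes)
    if broad:
        reasons.append(f"{len(broad)} broad scope(s)"); score += 2 * len(broad)
    if "offline_access" in grant.scopes:
        reasons.append("refresh token (standing access)"); score += 1
    if grant.consent_type == "user":
        reasons.append("tied to an individual, not the company"); score += 1
    return Finding(grant, broad, reasons, score, grant.client_id in approved_client_ids)


def audit(grants, approved_client_ids=frozenset()):
    """Inventory of AI-looking grants, riskiest first."""
    findings = [assess(g, approved_client_ids) for g in grants if is_ai_app(g.app)]
    return sorted(findings, key=lambda f: (-f.score, f.grant.user))


def revocation_candidates(findings, threshold=6):
    """Unapproved high-risk grants: what the revocation ticket should list."""
    return [f for f in findings if not f.approved and f.score >= threshold]


# Constructed sample export (not real data).
SAMPLE_GRANTS = [
    Grant("google", "alice@example.com", "Meeting AI Notetaker", "g-111",
          ("https://www.googleapis.com/auth/calendar.readonly",
           "https://www.googleapis.com/auth/gmail.readonly"), "user"),
    Grant("m365", "bob@example.com", "Account Summarizer GPT", "m-222",
          ("Mail.Read", "offline_access", "User.Read"), "user"),
    Grant("m365", "carol@example.com", "Copilot Connector (approved)", "m-333",
          ("Files.Read.All", "offline_access"), "admin"),
    Grant("google", "dave@example.com", "Mailchimp", "g-444",
          ("https://www.googleapis.com/auth/userinfo.email",), "user"),
    Grant("google", "erin@example.com", "Drive Helper AI", "g-555",
          ("https://www.googleapis.com/auth/drive.file",), "user"),
]
APPROVED = frozenset({"m-333"})  # client IDs that passed the approval workflow

if __name__ == "__main__":
    findings = audit(SAMPLE_GRANTS, APPROVED)
    for f in findings:
        flag = "approved" if f.approved else "UNAPPROVED"
        print(f"{f.score:2d} {flag:10s} {f.grant.user:18s} {f.grant.app}: {'; '.join(f.reasons)}")
    print("revoke:", [f.grant.client_id for f in revocation_candidates(findings)])
```

The approved set is what turns a one-time audit into an inventory: every grant that later passes the approval workflow is added to it, and re-running the script against a fresh export shows only what is new or unreviewed. The scoring weights are a starting point to tune, not a standard.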

Governance policies that actually work

Provide approved AI tools and a fast approval path; require review before new OAuth grants to corporate data; log every decision; and keep the ability to revoke, meaning an admin can delete the grant so the app can no longer obtain new tokens, without waiting for the employee who consented. The most effective governance is an approval workflow plus revocation capability, not a blanket ban that drives usage underground.

The buyer questions and audit-defensible answers

Buyers ask: “How do you prevent employees connecting unvetted AI tools?” The defensible answer is concrete: “We inventory OAuth-connected AI via [tool], require approval for new grants, log decisions, and can revoke centrally.” Vague answers here cost weeks; see the AI questionnaire-section article.

Tooling for Shadow AI detection

Nudge Security, DoControl, Spin.AI, and Material Security inventory and monitor third-party AI integrations. Start with a one-time OAuth audit, then keep the inventory current — it’s the same discipline as identity sprawl governance.

Where Attri Edge fits

Standing up the Shadow AI inventory, approval workflow, and the questionnaire answers around it is part of the retainer. The diagnostic includes an OAuth-grant review so you see what’s connected today.

Frequently asked questions

How do we discover Shadow AI in our environment?
Audit OAuth grants in Google Workspace / Microsoft 365 and your major SaaS apps — that's where employees connect AI tools. Detection tools (Nudge Security, DoControl, Spin.AI, Material Security) inventory third-party AI integrations automatically.
What approval workflow makes sense for AI tools?
A lightweight request-and-review: employee requests a tool, security checks the vendor's data handling, approves or denies, and the decision is logged. The point is a defensible record plus the ability to revoke — not bureaucracy that drives people back to shadow use.
Can we block all AI tools? Should we?
You can block at the OAuth/identity layer (restricting which third-party apps users may grant scopes to in Google Workspace, or disabling user consent for unverified apps in Entra ID), but a blanket ban usually pushes usage underground: people paste data into consumer tools instead, where you have no grant to audit. Better to provide approved tools and a fast approval path, then block the unvetted ones. Governance beats prohibition.
What do enterprise buyers want to see?
An inventory of connected AI tools, an approval workflow, and revocation capability. "We know what's connected, we vet it, and we can cut it off" is the audit-defensible answer.
How does this interact with our existing identity governance?
Shadow AI is a subset of non-human identity and OAuth-grant governance. Fold it into the same inventory and review cadence you use for service accounts and API tokens — see identity sprawl.