Shadow AI is the use of unvetted AI tools connected to corporate systems, usually via OAuth, without the security team’s knowledge or approval. It is the 2026 form of Shadow IT, and the DoControl 2026 SaaS Security Trends Report identifies it as a primary SaaS threat vector.
Definition
Shadow AI is any AI tool an employee wires into corporate SaaS or corporate data without review. The defining mechanism is a standing grant of access to a third-party AI service: not a one-off upload, but an authorization that keeps working after the employee has moved on. In most cases that grant is also a pathway for corporate data to reach an external model.
How Shadow AI happens (the OAuth pathway)
An employee clicks “Connect with Google” or “Connect with Microsoft” on an AI tool and grants it scopes such as read email, read calendar, or read CRM. The tool typically holds a refresh token, so the access keeps working without the employee present. The grant persists, tied to the individual rather than to any team-owned account, and is invisible to security until someone audits the consent or token inventory in the identity provider; nothing in the SSO login logs flags it.
The scale of the problem
The average mature SaaS environment has 30+ unauthorized AI integrations connected via OAuth. Most security teams can’t name them without running an audit.
Detection tools
Nudge Security, DoControl, Spin.AI, and Material Security discover and monitor OAuth-connected AI integrations. A one-time OAuth audit of the identity provider’s token or consent grants gives you the starting inventory; because employees create new grants continuously, that audit has to become ongoing monitoring to stay accurate.
Governance patterns
The most effective governance is an approval workflow plus revocation capability: a list of approved tools, a fast path to vet new ones, logged decisions, and the ability to cut off any integration centrally. Revocation has to act on the grant itself, by deleting the token or consent at the identity provider, since a policy memo does nothing to a refresh token that is already issued. The applied version is in Shadow AI and non-human identities.
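The audit described under Detection tools and the approval-plus-revocation pattern above, as an added example that is not code from this page or from any vendor named on it. It reads OAuth grant records in the shape returned by the Google Admin SDK Directory API tokens.list method (userKey, clientId, displayText, scopes), compares each client against an allowlist of vetted apps, flags grants holding data-exposing scopes, and emits the (user, client) pairs a central revocation step would delete. The token records, client IDs, app names and the allowlist are constructed for this example; the AI-name heuristic is a coarse triage hint, not a classifier.

```python
"""Inventory OAuth grants to unapproved (shadow) apps and plan revocation.

Added example, not code from the page or any vendor it names. Token records
below are constructed and follow the field names of the Google Admin SDK
Directory API tokens.list response. Client IDs and app names are hypothetical.
"""
from dataclasses import dataclass, field

# Scopes that let a third-party app read or write corporate data,
# mapped to the short label used in the report.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "mail (full access)",
    "https://www.googleapis.com/auth/gmail.readonly": "mail (read)",
    "https://www.googleapis.com/auth/calendar.readonly": "calendar (read)",
    "https://www.googleapis.com/auth/drive.readonly": "files (read)",
    "https://www.googleapis.com/auth/drive": "files (read/write)",
}

# Allowlist of vetted OAuth client IDs (hypothetical). The approval workflow
# adds to this set; any client not in it is treated as shadow.
APPROVED_CLIENTS = {
    "111111-vetted-assistant.apps.googleusercontent.com",
}

# Coarse triage hint only: names that look like AI tools are revoked first.
AI_NAME_HINTS = ("ai", "gpt", "copilot", "assistant", "llm")

# Constructed sample: four grants across three users.
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com",
     "clientId": "111111-vetted-assistant.apps.googleusercontent.com",
     "displayText": "Vetted Assistant",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly",
                "https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "alice@example.com",
     "clientId": "222222-summarizer.apps.googleusercontent.com",
     "displayText": "MeetingSummarizer AI",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly",
                "https://mail.google.com/"]},
    {"userKey": "bob@example.com",
     "clientId": "333333-weather.apps.googleusercontent.com",
     "displayText": "Weather Widget",
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "carol@example.com",
     "clientId": "444444-docsgpt.apps.googleusercontent.com",
     "displayText": "DocsGPT",
     "scopes": ["https://www.googleapis.com/auth/drive.readonly"]},
]


@dataclass
class Finding:
    user: str
    client_id: str
    app: str
    approved: bool
    looks_like_ai: bool
    sensitive: list[str] = field(default_factory=list)

    @property
    def revoke(self) -> bool:
        """Revoke when an unapproved app holds at least one data-exposing scope."""
        return not self.approved and bool(self.sensitive)


def audit(tokens: list[dict]) -> list[Finding]:
    """One finding per (user, client) grant in the raw token records."""
    findings = []
    for t in tokens:
        name = t.get("displayText", "")
        findings.append(Finding(
            user=t["userKey"],
            client_id=t["clientId"],
            app=name,
            approved=t["clientId"] in APPROVED_CLIENTS,
            looks_like_ai=any(h in name.lower() for h in AI_NAME_HINTS),
            sensitive=[SENSITIVE_SCOPES[s] for s in t.get("scopes", [])
                       if s in SENSITIVE_SCOPES],
        ))
    return findings


def shadow_inventory(findings: list[Finding]) -> dict[str, set[str]]:
    """Starting inventory: unapproved client -> users who granted it."""
    inv: dict[str, set[str]] = {}
    for f in findings:
        if not f.approved:
            inv.setdefault(f.client_id, set()).add(f.user)
    return inv


def revocation_plan(findings: list[Finding]) -> list[tuple[str, str]]:
    """(userKey, clientId) pairs to revoke, AI-looking apps first.

    Each pair corresponds to one tokens.delete call
    (DELETE .../users/{userKey}/tokens/{clientId}); not performed here.
    """
    todo = [f for f in findings if f.revoke]
    todo.sort(key=lambda f: (not f.looks_like_ai, f.user, f.client_id))
    return [(f.user, f.client_id) for f in todo]


def report(findings: list[Finding]) -> str:
    """Human-readable audit output, one line per grant."""
    lines = []
    for f in findings:
        if f.approved:
            status = "approved"
        elif f.sensitive:
            status = "SHADOW (revoke)"
        else:
            status = "unapproved, no data scopes"
        lines.append(f"{f.user:18} {f.app:22} {status}; "
                     f"scopes: {', '.join(f.sensitive) or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    fs = audit(SAMPLE_TOKENS)
    print(report(fs))
    print("\nRevoke:")
    for user, client in revocation_plan(fs):
        print(f"  {user} -> {client}")
```

Unapproved apps with only identity scopes (openid, userinfo) land in the inventory for vetting but not in the revocation plan; the allowlist, not the name heuristic, decides what is approved, and the heuristic only orders the queue.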
Audit and questionnaire implications
Procurement questionnaires are increasingly explicit about Shadow AI governance. The audit-defensible answer is inventory plus approval plus revocation, with the decision log to show for it: the same discipline as broader identity sprawl management.