How to Govern Shadow AI Usage Across Enterprises?
One in five organizations has already experienced a data breach linked to shadow AI, the unsanctioned use of AI tools by employees, according to IBM's 2025 Cost of a Data Breach Report. Shadow AI grows because a security control only governs the traffic routed through it, and most AI usage on employee machines never is. Bifrost, the open-source AI gateway built in Go by Maxim AI, governs AI traffic as the control plane, and Bifrost Edge extends that same governance to every machine in the organization. This guide explains how to govern shadow AI across an enterprise: what it is, why it resists traditional controls, and how to bring the AI people actually use under policy.
What Is Shadow AI
Shadow AI is the use of AI tools, models, and services by employees without the knowledge, approval, or governance of an organization's IT or security teams. It ranges from pasting proprietary source code into a chat assistant to wiring an unreviewed MCP server into a coding agent, all outside any policy layer that can see or control the data leaving the machine.
The practice is now widespread rather than occasional. IBM found that breaches involving shadow AI added roughly $670,000 to the average breach cost and were more likely to expose personally identifiable information and intellectual property. The same research reported that 63% of breached organizations had no governance policies for managing AI or detecting unauthorized use, which shows the gap between how fast employees adopt AI and how slowly enterprises govern it.
Why Shadow AI Is Hard to Govern
Shadow AI is hard to govern because the AI surfaces employees use are distributed across the device, not the data center. A centralized AI gateway can route, authenticate, and observe traffic, but only for applications that were explicitly configured to point at it. Desktop chat apps, AI in the browser, and coding agents in the terminal usually are not, so their prompts and responses bypass every control the security team has built.
Three properties make the problem worse:
- No visibility. Security teams cannot govern what they cannot see. Most organizations have no inventory of which AI apps run on their fleet or what data those apps send to model providers.
- The MCP blind spot. AI apps increasingly connect to MCP servers, external tools that can read files, call APIs, and take actions on a user's behalf. Few organizations know which MCP servers their users have wired into their tools, and these connections widen the attack surface considerably.
- Sensitive data exposure. The OWASP Top 10 for Large Language Model Applications lists sensitive information disclosure among the top LLM application risks. When a prompt leaves an ungoverned app, secrets, PII, and source code can leave with it, with no audit trail and no way to recall the data.
Asking every employee to reconfigure their tools to route through a gateway does not scale, and policy documents alone do not enforce technical controls. Governance has to reach the endpoint automatically.
Approaches to Governing Unsanctioned AI
Enterprises have tried several approaches to control unsanctioned AI tools, each with trade-offs:
- Acceptable-use policies and training: Set expectations but do not enforce anything technically. Usage continues whenever employees are under deadline pressure.
- Network and firewall blocking: Blocks known AI domains, but employees move to new tools faster than blocklists update, and blanket blocking pushes usage onto personal devices.
- Data loss prevention (DLP): Inspects some egress, but it rarely understands AI-specific traffic, MCP tool calls, or prompt content, and it does not bring usage under a single policy.
- A centralized AI gateway: Governs every request that flows through it, including routing, budgets, rate limits, and guardrails, but only for traffic that was configured to use it. This leaves endpoint AI ungoverned.
The pattern across these approaches is that visibility and enforcement break down at the endpoint. The gateway is the right control plane; the missing piece is a way to extend it to the AI running on every laptop.
How Bifrost Governs Shadow AI: AI Gateway + Bifrost Edge
Bifrost governs shadow AI in two parts: the AI gateway is the control plane and policy engine, and Bifrost Edge extends that same governance to every machine. The two work together. The gateway defines and enforces policy; Edge makes sure the AI people use on their laptops actually routes through it.
At the gateway, governance is configured once and applies to all traffic that passes through Bifrost:
- Virtual keys assign per-consumer access, scoped to projects, teams, or individual users.
- Budgets and rate limits cap spend and request volume hierarchically across keys, teams, and customers.
- Guardrails evaluate prompts and responses for secrets, PII, and unsafe content using reusable profiles and rules.
- Audit logs record an immutable trail for SOC 2, GDPR, HIPAA, and ISO 27001 reporting.
These are the same controls described on the Bifrost governance resource page, and they already work for any application pointed at the gateway. Bifrost Edge closes the remaining gap. Instead of relying on each user to point their tools at Bifrost, Edge runs on every machine and brings all AI traffic under the same governance automatically: desktop chat apps, AI in the browser, coding agents, and the MCP servers those tools connect to. There is nothing new to learn on the policy side, because Edge enforces the policies already configured at the gateway. Bifrost Edge is currently in alpha.
For the user, Edge is designed to be invisible after a one-time setup. On first run, a user signs in through the browser using the organization's existing single sign-on, which links the machine to their identity and syncs their assigned policies. No API keys are copied or pasted. After that, an always-on agent in the menu bar or system tray routes AI traffic in the background, so governance applies automatically rather than depending on each user to opt in.
Bringing Endpoint AI Under Governance with Bifrost Edge
Endpoint AI governance with Bifrost Edge starts with visibility and moves to enforcement on the device. Administrators see what is running across the fleet, decide what is allowed, and the decision takes effect on each machine.
- App governance: Administrators decide which AI applications are permitted across the organization. Allowed apps run normally, fully governed through Bifrost; disallowed apps are blocked before any data leaves the machine. When Edge detects a new app, it requests approval in the admin console, and policy changes roll out to the whole fleet without touching individual devices.
- MCP governance: Edge inventories the MCP servers configured inside each AI app and builds a live, fleet-wide list of which servers are configured, where, and across how many devices. Administrators make per-server allow or deny decisions, and the decision is enforced on the device. A denied server cannot be used, even by an app that had it configured before the policy existed. Discovery covers major AI apps that support MCP today, including Claude Code, Claude Desktop, Gemini CLI, OpenCode, Codex, and Cursor.
- Endpoint guardrails: Because Edge routes traffic through Bifrost, every guardrail configured at the gateway applies automatically to endpoint AI. Provider coverage includes native Secrets Detection (Gitleaks-backed), Custom Regex with a built-in PII Detection template, AWS Bedrock Guardrails, Azure Content Safety, Google Model Armor, CrowdStrike AIDR, GraySwan Cygnal, and Patronus AI. A guardrail is applied before the prompt reaches a model and before the response returns, so sensitive content is caught before it leaves the machine.
The applications Edge governs include desktop apps such as Claude Desktop, the ChatGPT app, Cursor, and Codex; coding agents such as Claude Code, Codex CLI, and OpenCode; and AI in the browser, including ChatGPT web and Claude web, with Claude Cowork governed by the same rules. The list expands over time, and Edge governs traffic to every provider Bifrost supports.
Rollout is built for scale. Rather than asking users to install anything, organizations deploy Edge with MDM through Jamf, Microsoft Intune, Kandji, Omnissa Workspace ONE, or JumpCloud, using a managed configuration that points each machine at the organization's Bifrost. The configuration carries only non-sensitive connection settings; identity and keys come from the user's sign-in. This approach fits the compliance posture that Bifrost Enterprise is built for, including regulated industries, VPC isolation, and air-gapped environments.
Building a Shadow AI Governance Program
A shadow AI governance program works best when it sequences visibility, policy, and enforcement rather than starting with a ban. Frameworks such as the NIST AI Risk Management Framework recommend grounding controls in a clear picture of how AI is actually used before applying restrictions.
A practical sequence:
- Inventory usage. Discover which AI apps and MCP servers exist across the fleet, and treat the findings as operational intelligence rather than a disciplinary exercise.
- Define policy at the control plane. Set virtual keys, budgets, rate limits, and guardrail profiles in the gateway so every governed request inherits them.
- Enforce at the endpoint. Extend those policies to every machine so desktop apps, browser AI, and coding agents route through governance automatically.
- Provide sanctioned alternatives. Unsanctioned use drops sharply when employees have approved tools that meet their needs, so allow the apps the organization trusts rather than blocking everything.
- Audit continuously. Use immutable logs to demonstrate control over where data flows, which is increasingly a regulatory expectation.
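The fleet-wide MCP inventory and per-server allow/deny decision described under "MCP governance" and in the "Inventory usage" step, as an added example (not Bifrost Edge's code or configuration format). It assumes each app's config has been collected as JSON with a top-level mcpServers object; the device names, servers and policy table are constructed.

```python
import json
from collections import defaultdict

# Constructed sample: (device, app, raw config text). Hostnames, server commands
# and URLs are invented; the top-level "mcpServers" object is an assumption.
FLEET = [
    ("laptop-01", "Claude Desktop",
     '{"mcpServers": {"gh": {"command": "npx", "args": ["-y", "@example/github-mcp"]}}}'),
    ("laptop-01", "Cursor",
     '{"mcpServers": {"notes": {"url": "https://mcp.example.internal/notes"}}}'),
    ("laptop-02", "Cursor",
     '{"mcpServers": {"github": {"command": "npx", "args": ["-y", "@example/github-mcp"]},'
     ' "scratch": {"command": "/tmp/mcp-scratch"}}}'),
    ("laptop-03", "Claude Desktop", '{"mcpServers": '),  # truncated file
]
# Hypothetical admin decisions, keyed by what the server runs or connects to.
POLICY = {"npx -y @example/github-mcp": "allow", "/tmp/mcp-scratch": "deny"}

def server_identity(spec):
    """Identify a server by its URL or command line, not its user-chosen alias."""
    if "url" in spec:
        return spec["url"]
    return " ".join([spec.get("command", "")] + list(spec.get("args", [])))

def inventory(fleet):
    """Return ({identity: set of devices}, [(device, app)] whose config failed to parse)."""
    seen, unreadable = defaultdict(set), []
    for device, app, raw in fleet:
        try:
            data = json.loads(raw)
        except json.JSONDecodeError:
            unreadable.append((device, app))  # surface it; do not treat as "no servers"
            continue
        servers = data.get("mcpServers", {}) if isinstance(data, dict) else {}
        for spec in servers.values():
            seen[server_identity(spec)].add(device)
    return dict(seen), unreadable

def report(fleet, policy):
    """Rows of (identity, decision, device count); undecided servers are 'pending'."""
    seen, unreadable = inventory(fleet)
    rows = [(ident, policy.get(ident, "pending"), len(devs)) for ident, devs in seen.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0])), unreadable

if __name__ == "__main__":
    rows, unreadable = report(FLEET, POLICY)
    for ident, decision, count in rows:
        print(f"{decision:8} {count} device(s)  {ident}")
    print("unreadable configs:", unreadable)
```

Because decisions are keyed on the command line or URL, the same server configured under the aliases "gh" and "github" counts once across two devices, and a server with no decision shows up as pending instead of being silently allowed.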
What is the first step to governing shadow AI?
Start with a visibility audit. You cannot govern AI usage you cannot see, so inventory the AI apps and MCP servers running across the fleet before applying any restriction. Endpoint discovery turns that audit from a survey into real, continuous data.
How is shadow AI different from shadow IT?
Shadow IT is unauthorized software and accounts; shadow AI is unauthorized use of AI models and tools that send prompts and data to external providers. The data-exposure risk is sharper with shadow AI because content leaves the organization in the prompt itself and often cannot be retrieved.
Can you govern AI in the browser and desktop apps?
Yes. Bifrost Edge routes AI traffic at the machine level, so it covers browser AI, desktop chat apps, and coding agents without per-app configuration. The same guardrails, budgets, and audit logging configured in the Bifrost gateway apply to that endpoint traffic.
Govern Shadow AI Across Your Enterprise
Governing shadow AI does not require banning the tools employees rely on. It requires a single control plane for policy and a way to extend that policy to every endpoint, so the AI people actually use is routed, observed, and protected by the same rules as the rest of your infrastructure. Bifrost is that control plane, an AI gateway built for enterprise AI workloads, and Bifrost Edge carries it to every machine. To see how the AI gateway and Bifrost Edge govern endpoint AI across your fleet, book a demo with the Bifrost team.