What Is Shadow AI? The Ungoverned AI Risk Inside Every Company

Shadow AI is the ungoverned use of AI tools inside a company. Learn what it is, why it creates risk, and how Bifrost governs it from gateway to endpoint.

Shadow AI is the use of AI tools, assistants, and models inside an organization without formal approval, security review, or governance. Employees paste source code into chat assistants, run coding agents in the terminal, and connect MCP servers to their desktop apps, all without a policy layer in between. IBM's Cost of a Data Breach Report 2025 found that one in five breaches involved shadow AI, adding as much as $670,000 to the average breach cost. Closing this gap means governing AI traffic at both the network and the device, which is where Bifrost, the open-source AI gateway built in Go by Maxim AI, and its endpoint layer Bifrost Edge come in. This article explains what shadow AI is, why it stays invisible to most security teams, and how an AI gateway paired with endpoint governance brings it under control.

What Is Shadow AI?

Shadow AI is the unsanctioned use of AI applications, assistants, browser extensions, and personal AI accounts inside an organization, without approval, visibility, or governance from IT and security teams. It is the AI equivalent of shadow IT: tools adopted directly by employees because they make work faster, operating entirely outside central control or any audit trail.

The term parallels shadow IT, the unauthorized cloud apps that spread through companies a decade ago. The difference is what AI does with data. A shadow IT tool might store a file on an external server. A shadow AI tool actively sends prompts, source code, customer records, and strategy documents to third-party model providers, where that content is processed and, in some cases, retained. Bifrost, the AI gateway, was built to govern exactly this kind of traffic, and its centralized governance extends from the data center to the laptop.

Shadow AI vs. Shadow IT: Why the Risk Is Greater

Shadow AI carries the risks of shadow IT plus a category of exposure that unsanctioned software never created before: data flows outward to external models, not just into unapproved storage. The traffic leaves the company perimeter the moment a prompt is sent.

The risks that make shadow AI distinct:

  • Data leaves the building. When an employee pastes a contract or codebase into a public AI tool, that content is transmitted to a third-party provider rather than stored internally.
  • Prompts reveal intent, not just data. A request like "summarize this contract and flag terms unfavorable to us" exposes negotiating strategy, not only the document text.
  • Outputs drive decisions. Employees act on AI answers. An ungoverned tool that returns flawed legal, financial, or technical guidance creates downstream risk with no record of how the decision was reached.
  • There is no audit trail. Because the traffic never passes through a controlled system, there is no log of what was sent, to which model, or by whom.

Bifrost addresses this by routing AI traffic through a single control point where every request can be inspected, logged, and governed, rather than leaving each tool to send data wherever it wants.

The Risks of Ungoverned AI Inside Companies

Ungoverned AI creates risk across security, compliance, and operations at the same time. IBM's 2025 Cost of a Data Breach Report found that 97% of organizations reporting AI-related breaches lacked proper AI access controls, and 63% had no AI governance policy in place at all.

The most common forms of exposure include:

  • Data leakage: sensitive code, PII, and intellectual property sent to external models the security team cannot see.
  • Compliance exposure: regimes such as GDPR and HIPAA apply to data sent to AI tools, and ungoverned prompts can create violations no one logged.
  • No visibility into MCP servers: AI apps increasingly connect to MCP servers that can read files and call APIs, and most organizations cannot list which ones are running.
  • Cost sprawl: duplicate subscriptions and personal accounts spread AI spend across the company with no budget control.
  • No accountability: without immutable audit logs, incidents cannot be reconstructed after the fact.

For regulated and large-scale environments, Bifrost Enterprise ties these controls to air-gapped, VPC, and on-prem deployment so governed AI traffic never has to leave a trusted boundary.

Common Examples of Shadow AI in the Enterprise

Shadow AI is rarely a single rogue application. It is the sum of the AI surfaces employees already use every day:

  • Desktop chat apps such as Claude Desktop and ChatGPT, installed directly by employees.
  • AI in the browser, including chat assistants and AI features inside web apps and extensions.
  • Coding agents like Claude Code, Cursor, and terminal agents that read source code and run commands.
  • MCP servers wired into those tools to give them access to files, databases, and internal APIs.
  • Personal accounts used for work, where company data sits under an individual's consumer subscription.

The risk is not theoretical. In 2023, Samsung restricted employee use of generative AI tools after engineers uploaded sensitive source code to ChatGPT, as reported by CNBC. Banning the tools is one response, but employees route around bans, and blocking AI outright sacrifices the productivity that drove adoption in the first place. Bringing these surfaces under control, rather than switching them off, is what the Bifrost platform is designed to do.

Why an AI Gateway Alone Does Not Eliminate Shadow AI

An AI gateway governs the traffic that is configured to flow through it. Bifrost, the AI gateway, enforces virtual keys, budgets, rate limits, guardrails, and audit logs on every request it receives. That is the right control plane for any team running production AI.

The limitation is structural: a gateway only sees traffic that someone pointed at it. Shadow AI is, by definition, the traffic nobody configured to route through the gateway. An employee who installs a chat app and signs in with a personal account never touches the control plane, so the gateway's policies never apply. This is the gap endpoint governance closes. The policy engine stays where it belongs, in the gateway; what changes is its reach.

How to Govern Shadow AI: AI Gateway + Bifrost Edge

Governing shadow AI takes two layers working together: the Bifrost AI gateway as the control plane where policy is defined, and Bifrost Edge as the layer that carries that policy out to every machine. The gateway decides; Edge enforces those same decisions on the endpoint. The same virtual keys, budgets, guardrails, and audit logs you already configure are what Edge applies on each laptop, so there is nothing new to learn on the policy side. Bifrost Edge is currently in alpha.

Edge runs on macOS, Windows, and Linux, and routes AI traffic from desktop apps, browser AI, coding agents, and the MCP servers those tools connect to through Bifrost automatically. After a one-time browser sign-in through the organization's existing SSO, the agent runs in the background with no base URLs to change and no SDKs to swap. The same centralized governance that protects gateway traffic now follows the user to the device.

Visibility into every AI app and MCP server

Before control comes visibility. Bifrost Edge inventories the AI apps and MCP servers configured on each device and builds a live, fleet-wide list of which servers are running, where, and across how many machines. For the first time, a security team can answer "what MCP servers are running on our fleet?" with real data instead of guesswork. MCP discovery covers AI apps including Claude Code, Claude Desktop, Gemini CLI, OpenCode, Codex, and Cursor.

App and MCP governance enforced on the device

Administrators decide which AI applications and MCP servers are permitted, and Edge enforces that decision on each machine. With app governance, allowed apps run normally and are fully governed through Bifrost, while disallowed apps are blocked before any data leaves the device. Denying an MCP server is enforced on the machine, not advisory: a denied server cannot be used even by an app that had it configured before the policy existed. Decisions are managed centrally and picked up automatically, so allowing or blocking a tool takes effect across the fleet without touching individual devices.
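The inventory and allow/deny steps described in the two sections above can be sketched as follows. This is an added example, not Bifrost Edge code: it assumes configs that use the `mcpServers` JSON layout, and every device name, server name, command, URL and the allowlist itself is constructed.

```python
import json
from collections import defaultdict

# Constructed sample: raw MCP config text per (device, app), as a collector might
# gather it. Device names, server names, commands and URLs are all made up.
COLLECTED = {
    ("laptop-01", "claude-desktop"):
        '{"mcpServers": {"files": {"command": "npx", "args": ["fs-mcp", "/home/a"]}}}',
    ("laptop-02", "cursor"):
        '{"mcpServers": {"files": {"command": "npx", "args": ["fs-mcp", "/"]},'
        ' "crm": {"url": "https://mcp.example.internal/crm"}}}',
    ("laptop-03", "cursor"):  # truncated file: must be reported, not skipped silently
        '{"mcpServers": {"crm": {"url": "https://mcp.example.internal/crm"}}',
}
# Hypothetical allowlist keyed on what a server launches or contacts, not on its
# display name, which whoever writes the config chooses freely.
ALLOWED = {"cmd:npx fs-mcp /home/a", "url:https://mcp.example.internal/crm"}


def fingerprint(entry):
    """Identity of one server entry: its remote URL or its full local command line."""
    if "url" in entry:
        return "url:" + str(entry["url"])
    return "cmd:" + " ".join(map(str, [entry.get("command", ""), *entry.get("args", [])]))


def build_inventory(collected):
    """Return ({fingerprint: {(device, app), ...}}, [sources that failed to parse])."""
    inventory, unreadable = defaultdict(set), []
    for source, raw in collected.items():
        try:
            entries = list(json.loads(raw).get("mcpServers", {}).values())
        except (json.JSONDecodeError, AttributeError):
            unreadable.append(source)  # an unparsed config is a blind spot
            continue
        for entry in entries:
            if isinstance(entry, dict):
                inventory[fingerprint(entry)].add(source)
    return dict(inventory), unreadable


def denied(inventory, allowed):
    """Fingerprints missing from the allowlist, with the devices that carry them."""
    return {fp: sorted({device for device, _ in where})
            for fp, where in inventory.items() if fp not in allowed}


if __name__ == "__main__":
    inventory, unreadable = build_inventory(COLLECTED)
    print(denied(inventory, ALLOWED), unreadable)
```

Both laptops name their server `files`, but only the one scoped to `/` is flagged, which is why the allowlist matches on the command line rather than the name.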

Your guardrails, everywhere

Because Edge routes endpoint traffic through Bifrost, every guardrail already configured applies automatically to the AI people use on their machines. A guardrail runs before a prompt reaches a model and before a response returns, so sensitive content such as API keys, credentials, and PII is caught before it leaves the laptop. The endpoint security layer applies the same reusable profiles and rules that protect gateway traffic, with no extra setup on the device.
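A pre-send guardrail of the kind described above, as an added example rather than Bifrost's implementation: the detector patterns, the block-versus-redact split and the sample prompts are assumptions made for illustration.

```python
import re

# Detector patterns and the block/redact split are illustrative choices for this
# example, not Bifrost's rule set.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "card_number": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}
BLOCK = {"aws_access_key_id", "private_key"}  # credentials: never forward


def luhn_ok(candidate):
    """Luhn checksum, used to drop long digit runs that are not card numbers."""
    total = 0
    digits = [int(c) for c in candidate if c.isdigit()]
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def check_prompt(text):
    """Return (action, findings, text_to_forward) for one outbound prompt."""
    findings, redacted = [], text
    for kind, pattern in DETECTORS.items():
        for match in pattern.finditer(text):
            if kind == "card_number" and not luhn_ok(match.group()):
                continue
            findings.append(kind)
            redacted = redacted.replace(match.group(), f"[{kind.upper()}]")
    if BLOCK & set(findings):
        return "block", findings, None  # nothing is forwarded
    return ("redact" if findings else "allow"), findings, redacted


if __name__ == "__main__":
    # Constructed prompts; the key is AWS's published documentation placeholder.
    for prompt in (
        "Why does AKIAIOSFODNN7EXAMPLE get AccessDenied?",
        "Refund jane@example.com, card 4111 1111 1111 1111, ticket 1234567890123",
        "Explain TLS session resumption",
    ):
        print(check_prompt(prompt))
```

The same function can be applied to model responses before they are returned to the user.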

Fleet rollout via MDM

Edge is built for fleet-wide deployment rather than manual installs. Deployment via MDM supports Jamf, Microsoft Intune, Kandji, Omnissa Workspace ONE, and JumpCloud, pushing Edge to every machine with a managed configuration that points it at the organization's Bifrost. No secrets live on the device; identity and keys come from the user's SSO sign-in. Every request then inherits the organization's audit logging, budgets, and guardrails, which supports SOC 2, GDPR, HIPAA, and ISO 27001 obligations on the endpoint, not just in the data center.

Frequently Asked Questions About Shadow AI

How is shadow AI different from approved AI use?

Approved AI use runs through tools the organization has vetted and can monitor. Shadow AI runs outside that perimeter, with no visibility, logging, or policy enforcement, which is what makes the same prompt far riskier when it leaves through an ungoverned tool.

Can you stop shadow AI by blocking AI tools?

Blocking tools tends to push usage onto personal accounts and devices, where it is even harder to see. Governing the traffic rather than banning the tools preserves the productivity employees want while restoring control, which is what Bifrost and Bifrost Edge are built to do.

What data is most at risk from shadow AI?

Source code, customer PII, and intellectual property are the most commonly exposed. IBM's 2025 report found that shadow AI breaches exposed customer PII in 65% of cases, above the 53% rate across all breaches, making the most sensitive data the most likely to leak.

Getting Started with Bifrost

Shadow AI is not a tooling problem to ban away; it is a governance problem to solve. The combination of an AI gateway and endpoint governance brings the AI people already use, on every machine, under the same controls that protect the rest of your infrastructure. Bifrost defines the policy, and Bifrost Edge enforces it from gateway to laptop.

To see how Bifrost can govern shadow AI across your fleet, book a demo with the Bifrost team, or explore the Bifrost resource library for governance guidance.