Report: AI Expands Corporate Shadow IT

A 2026 benchmark report from SaaS management platform Torii finds that the proliferation of AI tools is accelerating SaaS sprawl rather than consolidating it. The study reveals that 61% of applications within enterprises are unmanaged "shadow IT," increasing governance and security risks as employees adopt new AI-powered apps independently.

- The Torii report highlights that the average organization now utilizes around 830 applications, with large enterprises using an average of 2,191. Of these, only 15.5% are formally sanctioned by IT departments.
- The issue of "Shadow AI" is a primary driver of this trend, representing a faster-growing and harder-to-detect successor to traditional shadow IT. Employees often adopt consumer-grade AI tools, browser extensions, and AI-embedded productivity features to improve efficiency, frequently unaware of the associated risks.
- This uncontrolled adoption creates significant financial and security risks; one study found that high levels of shadow AI added an average of $670,000 to the cost of a data breach. In 20% of breaches involving shadow AI, sensitive data like customer PII (65% of cases) and intellectual property (40%) were compromised.
- Employees are often motivated to use unsanctioned tools because official, IT-sanctioned software is perceived as being too slow, difficult to use, or lacking necessary features. This suggests the problem is not just one of policy violation but also a signal of unmet user needs within the organization.
- The technology sector shows the highest prevalence of shadow AI, with 82% of employees using unsanctioned tools, followed by financial services at 76% and healthcare at 71%. This widespread adoption occurs in an environment where 57% of enterprises have no AI governance in place at all.
- To manage this, experts recommend establishing clear governance frameworks that classify AI tools as approved, restricted, or forbidden, rather than outright blocking them, which can push usage further underground. This approach should be paired with creating secure "sandbox" environments where employees can experiment with new tools under controlled conditions.
- Unlike traditional shadow IT, which often involved distinct applications, shadow AI risks are more subtle, stemming from prompts containing strategic details, financial data, or proprietary code being fed into public models. The resulting AI-generated content can then become official enterprise work product, embedding risks directly into business operations.
- The amount of corporate data being fed into AI tools surged by 485% between March 2023 and March 2024, with the proportion of that data considered sensitive nearly tripling from 10.7% to 27.4%. This highlights the escalating risk of data leakage and compliance breaches.
