AI Expands 'Shadow IT' in Enterprises
AI tools are accelerating SaaS sprawl rather than consolidating software stacks, according to a new benchmark report from Torii. The 2026 report finds that 61% of applications in the average enterprise are now unmanaged "shadow IT," as employees adopt new AI-powered tools without formal approval, increasing governance and security risks.
- The proliferation of unmanaged AI tools is a direct response to employee demand for increased productivity; some studies show workers can boost their output by 40% using generative AI. This rush to adopt new technology often happens without IT or security approval, creating what is now termed "Shadow AI."
- A primary risk of shadow AI is data leakage, where employees paste proprietary code, customer information, or other sensitive data into public AI tools. This is a significant concern as many AI tools retain user prompts for training their models, and this data could be exposed in a future breach of the AI vendor.
- For developers and indie hackers, AI coding assistants like GitHub Copilot, which reached 20 million users in mid-2025, are becoming essential infrastructure. While these tools accelerate MVP development from months to days, they also introduce risks like bug-ridden or insecure code, making experienced developer oversight crucial.
- The AI code assistant market is projected to grow from $4.7 billion in 2025 to $14.6 billion by 2033. This growth is shifting development paradigms from simple autocomplete to agentic AI, which can plan and execute tasks autonomously and is expected to be embedded in 40% of enterprise applications by the end of 2026.
- This rapid, employee-driven adoption of AI mirrors the rise of SaaS, where tools are adopted from the bottom up. Research indicates that while 40% of organizations have enterprise LLM subscriptions, over 90% of employees use AI tools, often through personal accounts.
- The integration of AI agents into existing SaaS platforms like Slack, Microsoft 365, and Salesforce creates "AI sprawl," where AI capabilities are distributed across the tech stack. These agents can create new, unmonitored data pathways between applications, increasing the complexity of security and governance.
- Unsanctioned AI tools, particularly those from indie developers or small startups, may lack the security, legal, and compliance rigor of enterprise-grade software. This can lead to violations of regulations like SOX or ISO 27001 if the tools do not meet required data handling standards.
- Beyond security, shadow AI introduces financial risks through "cost creep." Hidden costs can accumulate from redundant subscriptions, pay-per-use services that are never deactivated, and API-call overages from unmanaged integrations.