Skip to main content
pulse
satellite 19 · 8 min read

The new shadow IT, managing personal AI agents

Employees are running personal AI agents on company data without IT visibility. The first scandals are coming. Here is what this means for your team.

Satellite 19·Published April 8, 2026·8 minute read
Hero · Article 19
The new shadow IT, personal AI agents
Sanctioned · IT managed
SSO. Workspace. Security. Audit.
Approved tools the company has reviewed and provisioned. Visible. Auditable. Accountable.
Below the line · invisible to IT
Personal AI agents · no audit
Read inboxes. Summarize meetings. Query CRM. Draft replies. Take actions outside the audit perimeter.
Every software company in 2026 has both layers. Only one is visible to security teams.
Figure 01 · Pulse design system

There is a phenomenon emerging in software companies that nobody has fully named yet. Employees are deploying personal AI agents that operate on company systems, often without IT knowledge or approval.

An engineer runs Claude Code on company laptops using a personal API key, with company source code. A PM uses ChatGPT custom GPTs that ingest internal documents. A sales rep deploys a personal AI assistant that reads from their Salesforce account and reports back to them locally. An operations lead runs an autonomous agent that polls company Slack and surfaces summaries to their personal email.

None of this is malicious. The employees are trying to be more productive. But collectively it represents the next wave of shadow IT, with implications most security teams have not fully grasped.

The pattern

Three structural drivers behind shadow AI agent adoption.

Driver 1: Productivity pressure.Employees are evaluated on output. AI tools demonstrably increase output. When the company’s sanctioned tools are inadequate or slow to roll out, employees use their own. The same dynamic drove the original shadow IT wave when consumer cloud tools (Dropbox, Slack itself) outpaced corporate sanctioned options.

Driver 2: Tool availability. Powerful AI tools are now consumer priced. A modest monthly subscription gives any employee access to Claude, ChatGPT, or Cursor. The friction to start using them is zero. The decision happens at the individual level without requiring IT approval.

Driver 3: Capability gaps. Most companies do not yet have sanctioned AI tools that match what consumer tools offer. The IT approved option is often inferior, more restricted, or simply does not exist yet. Employees fill the gap with what is available.

The result: every software company in 2026 has a substantial fraction of employees using personal AI agents on company data, mostly unknown to IT, and the percentage is growing.

Why this is different from previous shadow IT

Previous shadow IT (consumer cloud storage, unsanctioned SaaS tools) created data security issues. Shadow AI agents create those plus new categories of risk.

Data exfiltration through inference. A shadow agent that reads company data and processes it through an external API has effectively exfiltrated that data. Even if the API provider does not retain it, the data crossed an unmonitored boundary. For companies with regulatory requirements (GDPR, HIPAA, SOX), this creates compliance exposure.

Decisions made by unaudited systems. A shadow agent that drafts emails, makes recommendations, or executes actions on behalf of an employee is making decisions that affect the business. Without governance, these decisions are not auditable. When something goes wrong, there is no record of how the wrong decision was made.

Accumulated training data risk.If the employee’s chosen AI provider trains on input data (some do, some do not, opt out policies vary), the company’s data is contributing to that provider’s model. This is the issue we covered in the no training cornerstone, but at the individual employee level rather than company vendor level.

Compounding capability creep.Personal AI agents start with read access (“just summarize my emails”). They expand to write access (“draft replies for me”). They expand to action execution (“send the drafts when I am not at my computer”). Each step seems incremental but the cumulative capability is significant.

Risk
Four categories of shadow AI risk
  • Risk 01 · High
    Data exfiltration through inference
    Inputs and outputs cross the perimeter quietly. What it breaks: data perimeter.
  • Risk 02 · High
    Unaudited business decisions
    Agents take actions with no operator on record. What it breaks: audit trail.
  • Risk 03 · Medium
    Training data exposure
    User content trained on by the vendor by default. What it breaks: IP and confidentiality.
  • Risk 04 · Medium
    Capability creep
    Tool gains broader scope each release. What it breaks: governance and cost.
Figure 02 · Pulse design system

What companies should do

Three responses, ranging from minimal to comprehensive.

Response 1: Acknowledge and document. Stop pretending shadow AI does not exist. Survey employees about what AI tools they are actually using. Most will tell you if you ask without threat. Document what is in use and start tracking exposure. This is the minimum response. It requires no policy changes and no new tooling. It just makes the problem visible.

Response 2: Provide sanctioned alternatives. The structural cause of shadow AI is gaps in sanctioned tooling. Close the gaps. Provide AI tools that employees actually want to use, with the governance their work requires. When the sanctioned option is competitive with the consumer option, shadow usage decreases naturally. This is the most leverage response. It addresses the cause rather than the symptom. It also requires real investment in evaluating and deploying enterprise AI tools.

Response 3: Detection and governance infrastructure. For companies in regulated industries or with high data sensitivity, additional detection infrastructure is warranted. AI traffic monitoring, browser policy enforcement, endpoint visibility, AI specific DLP. This is the most comprehensive response and the most expensive. It is appropriate for high stakes environments but overkill for many companies.

The right response depends on your industry, your data sensitivity, and your risk tolerance. Most companies should at minimum do Response 1 and Response 2. Response 3 is for specific contexts.

Where Pulse fits

Pulse is not a shadow agent detection or governance product. We do not sit on the network. We do not monitor employee endpoints. We do not track which AI tools your employees are running.

What Pulse does is provide the sanctioned alternative. When your team has access to Pulse (a sanctioned tool with proper governance, ACL inheritance, audit logging, and no training on customer data), the pressure to run shadow agents decreases. Employees who would otherwise use a personal AI agent on company Slack data can use Pulse instead, with proper trust posture.

This is the closest Pulse comes to addressing the shadow agent problem: by being the credible sanctioned alternative that reduces the underlying pressure.

For full shadow agent governance (detection, DLP, policy enforcement), that is a different product category. Companies like Lakera, Wiz, Cyberhaven, and Cloudflare are building products in that space. The capability you need depends on your specific risk profile.

What to expect

The shadow AI problem will get worse before it gets better. Three predictions.

  1. The first scandals will hit in 2026 or 2027. A company will discover that employees were exfiltrating sensitive data through personal AI agents. The story will be public. IT and security teams across the industry will react.
  2. Governance tooling will mature. New product categories will emerge specifically for AI agent governance. Some will become important enterprise tools.
  3. Sanctioned AI tooling will close the gap. Companies will invest more heavily in sanctioned AI tools to reduce shadow usage. The companies that move fast on this will avoid the worst exposure.

For software teams thinking about this proactively, the highest leverage move is deploying sanctioned AI tools that employees actually want to use. This addresses the cause. Pulse is built specifically for this purpose at the team coordination layer. Live demo at pulsehq.tech.

← Previous · Satellite 18
Atlassian Rovo vs Pulse, choosing team AI for the modern stack
Next · Satellite 20
Calibrated confidence, why your AI tool should tell you when it is unsure

Related reading

Cornerstone 05
Why AI tools should never train on your company's data
Every AI vendor uses the same privacy language. The differences underneath are enormous. The four structural commitments worth looking for, and why policy promises rarely survive competitive pressure.
Satellite 11
The trust problem with enterprise AI tools
Four diagnostic questions every AI vendor should answer with a clean yes or no. The deflections to watch for. Why structural commitments survive competitive pressure and policy ones do not.
Satellite 20
Calibrated confidence, why your AI tool should tell you when it is unsure
Most AI tools show confidence as absent or fabricated. Real calibration requires outcome tracking, recalibration, and per workspace adjustment. The three questions to ask any vendor.

See it in the product.

Every argument in this essay describes a product invariant Pulse already enforces. The live demo is walkable end to end without signup.

More from the blog