EP265 Beyond Shadow IT: Unsanctioned AI Agents Don't Just Talk, They Act!

12 snips

Mar 2, 2026

Alastair Paterson, CEO and co-founder of Harmonic Security who pinpoints generative AI data leaks in enterprises. He recounts real leaks from employee AI use. He explores governance choices from bans to managed adoption. He explains why unsanctioned AI differs from past shadow IT and warns about agentic tools and citizen-built workflows.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

ANECDOTE

Intern Uploaded Confidential Notes To Personal ChatGPT

An intern at a law firm uploaded meeting notes into a personal ChatGPT account, exposing confidential legal and financial documents.
Harmonic Security's analysis showed ~25% of prompts were sensitive and 16% of those went into personal accounts, making this a common leakage vector.

INSIGHT

Bans Drive Employees To Personal Devices And Shadow AI

Banning AI often fails because employees simply switch to personal devices and accounts, creating shadow AI plus shadow IT together.
Alastair recounted an insurance AI lead who used ChatGPT on a personal laptop because corporate access was blocked.

ADVICE

Begin AI Governance By Gaining Visibility

Start with visibility: understand who uses AI, for what use cases, and what data flows into external tools.
Use that visibility to craft policies and enablement so security coaches users instead of just blocking them.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Guest:

Alastair Paterson, CEO and co-founder @ Harmonic Security

Topics:

Harmonic Security focuses on securing generative AI in use. Can you walk us through a real, anonymized example of a data leak caused by employee AI usage that your platform has identified?
AI governance gets thrown around a lot. What does this mean in the context of Shadow AI? How should organizations be thinking about governing AI in light of upcoming AI regulations in the US and in the EU?
If we generally agree that employees are using AI tools before they are sanctioned, how can organizations control this? Network, API, endpoint?
Many organizations struggle with the "ban vs. embrace" debate for generative AI. Based on your experience, what's a compelling argument for moving from a blanket ban to a managed, secure adoption model? Can you share a success story where this approach demonstrably reduced risk?
The term "shadow AI" is often used interchangeably with "shadow IT" (but for AI-powered applications) but you've highlighted that AI is a different beast. What is the single biggest distinction between managing the risk of unsanctioned AI tools versus unsanctioned IT applications?
Looking forward, where do you see the biggest risks in the evolution of shadow AI? For instance, will the next threat be from highly specialized AI agents trained on proprietary data, or from the rapid proliferation of new, unmonitored open-source models?
Given the speed of change in this space, what's one piece of advice you'd give to a CISO today who is just beginning to get a handle on their organization's shadow AI problem?

Resources:

Video version
Harmonic Security research
Shadow AI Strikes Back: Enterprise AI Absent Oversight in the Age of Gen AI blog
Shadow Agents: A New Era of Shadow AI Risk in the Enterprise blog (RSA 2026 presentation coming!)
Spotlighting 'shadow AI': How to protect against risky AI practices blog
EP171 GenAI in the Wrong Hands: Unmasking the Threat of Malicious AI and Defending Against the Dark Side (aka "dirty bomb episode")
A Conversation with Alastair Paterson from Harmonic Security video