惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google DeepMind News
Google DeepMind News
S
Security Affairs
阮一峰的网络日志
阮一峰的网络日志
L
LangChain Blog
Microsoft Azure Blog
Microsoft Azure Blog
雷峰网
雷峰网
Recent Announcements
Recent Announcements
WordPress大学
WordPress大学
The GitHub Blog
The GitHub Blog
博客园_首页
The Cloudflare Blog
M
MIT News - Artificial intelligence
博客园 - 【当耐特】
MyScale Blog
MyScale Blog
S
SegmentFault 最新的问题
P
Proofpoint News Feed
Y
Y Combinator Blog
Jina AI
Jina AI
博客园 - 聂微东
A
About on SuperTechFans
Blog — PlanetScale
Blog — PlanetScale
博客园 - 司徒正美
G
Google Developers Blog
云风的 BLOG
云风的 BLOG
F
Full Disclosure
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Microsoft Security Blog
Microsoft Security Blog
爱范儿
爱范儿
T
Tailwind CSS Blog
J
Java Code Geeks
Vercel News
Vercel News
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Stack Overflow Blog
Stack Overflow Blog
罗磊的独立博客
小众软件
小众软件
酷 壳 – CoolShell
酷 壳 – CoolShell
T
The Blog of Author Tim Ferriss
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
博客园 - 三生石上(FineUI控件)
W
WeLiveSecurity
PCI Perspectives
PCI Perspectives
Attack and Defense Labs
Attack and Defense Labs
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
宝玉的分享
宝玉的分享
IT之家
IT之家
Hacker News: Ask HN
Hacker News: Ask HN
The Register - Security
The Register - Security
T
The Exploit Database - CXSecurity.com
T
Threat Research - Cisco Blogs

Human Risk Management Blog

Trust, Verify, Protect: Modernizing Email Security for the Cloud Report: Social Engineering Remains a Central Part of AI-assisted Attacks ClickFix Social Engineering is Now the Leading Malware Delivery Method CyberheistNews Vol 16 #28 Your 2026 Phishing by Industry Benchmarks: The Findings on Human Risk Scammers Can Use AI Tools to Pinpoint Your Location Based on a Photo Report: Attackers Are Using AI to Automate Social Engineering Your KnowBe4 Fresh Compliance Plus Content Updates from June 2026 From Awareness to Digital Workforce Security Your KnowBe4 Fresh Content Updates from June 2026 Threat Actor Uses Phishing to Breach Orgs for Ransomware Gangs Invoice Phishing Attacks Are Abusing the Shop App Phishing Campaign Impersonates Interpol to Deliver Ransomware Prompt Injection and the Rise of Agentic Risk Hyper-Targeted Social Engineering Needs Real-Time Video Response Your Email is Protected. Is Your Teams Chat? CyberheistNews Vol 16 #27 [HOW TO] Your Cybersecurity Starts at Home on World Social Media Day 2026 Phishing by Industry Benchmarking Report: Findings on Human Risk Static DLP Is Leaving You in the Dark: Why It’s Time for Intelligent, Self-Serve Outbound DLP and Misdirected Content Analysis INC Ransomware Gang Targets the Legal Sector 5 Essential Cybersecurity Defenses for Cloud Email Security Cybercriminals Are Targeting the FIFA World Cup 2026 Why Bite-Sized Security Awareness Training Matters in an Age of TikTok and Digital Distraction Happy 3rd Birthday to Our KnowBe4 Community! Phishing Exposes Employee Data at 86% of Fortune 100 Companies CyberheistNews Vol 16 #26 A New Extortion Scam Uses IT Impersonation to Breach Organizations Cybersecurity Starts At Home This World Social Media Day FTC Report: Americans Lost $3.5 Billion to Imposter Scams Last Year Report: Device Code Phishing is Surging Report: Online Shoppers Increasingly Ignore Scam Warning Signs Security Training Needs Google Maps, Not Christopher Columbus Turn Account Takeover Into Real-Time Security Coaching Extortion Gang Sends In-Person Attackers to Exfiltrate Data Attackers aren’t loyal to any collaboration channel CyberheistNews Vol 16 #25 [The AI Tell] How To Expose Machine-Written Phishing Fast Social Engineering Attacks Abuse Workplace Collaboration Tools New Extortion Brand Uses IT Impersonation to Breach Organizations APWG Report: Social Media Phishing is Surging Cybersecurity Awareness Training for AI: Key Focus Areas Americans Lost $900 Million to AI-Powered Scams Last Year What AI Can’t Hide When It Writes a Phishing Email Your AI Agents Are Eager to Please And Easy to Exploit From 1% to 26%: How AIDA Orchestration Fixes the Remedial Training Gap Best AI Agent Security Tools for SMB and Enterprise in 2026 4 Hot Summer Travel Tips To Avoid Scams CyberheistNews Vol 16 #24 [FBI Alert] Lock Down Your Microsoft 365 Device Code Flows Now The Role of Agentic AI in Phishing Security Training A Credit Score for Cyber Behavior Agentic AI Security in 2026: What to Know How to Secure AI Agents: 4 Best Practices An Overview of Email Compliance Regulations and Reporting Report: AI-Assisted Fraud is Surging Attackers Use Spoofed ChatGPT Site to Deliver Malware I Love Device-Bound Session Credentials, But They Are Still Phishable and Hackable Nearly Two-Thirds of CEOs Cite Cyberattacks as Their Top Concern A Look at Spam vs. Phishing: 4 Key Differences KnowBe4 Wins Multiple 2026 TrustRadius Top Rated Awards Cyber Insurance for Mid‑Market Organizations in Southeast Asia KnowBe4 Earns Multiple 2026 Buyer's Choice Awards from TrustRadius The New Frontier: Securing Japan’s Hybrid Digital Workforce (2026 & Beyond) CyberheistNews Vol 16 #23 Now Phishing Attacks Use Real Hotel Reservations to Target Travelers Report: AI-Enabled Social Engineering Attacks Are on the Rise Your KnowBe4 Fresh Compliance Plus Content Updates from May 2026 FBI: Kali365 Phishing Kit is Targeting Microsoft 365 Accounts KB4-CON - AI Is Everything How to Secure AI Adoption In Your Organization Your KnowBe4 Fresh Content Updates from May 2026 The Silent Invitation: A Deep Dive into Calendar Invite Phishing Cyber Insurance for Mid‑Market Organizations in Southeast Asia Chinese-Language Phishing Kits Are Growing More Advanced Phishing Attacks Are Using Real Hotel Reservation Info to Target Travelers Warning: Scammers are Exploiting Geopolitical Unrest Athletes Are Increasingly Targeted by Social Engineering Attacks AI Agent Governance Part 3 - Runtime Governance: The Hidden Performance Cost of Agentic AI AI Agent Governance Part 2 - What Good Looks Like: Governing AI Agents in Practice 8 Ways to Reduce False Positives in Email Security Ransomware Attacks Drive a Surge in Cyber Insurance Claims My Favorite 5 KnowBe4 Agents Perry Carpenter KB4-CON 2026 Q&A: Deepfakes & Deception Free Gift Fallacy: How Attackers Harvest Credit Cards via Fake Surveys When Global Conflict Becomes a Cyber Weapon: How Iran Tensions and Other Stressful Events Fuel Social Engineering Attacks CyberheistNews Vol 16 #21 [Heads Up] GitHub Breach Shows Developer Tools Are Social Engineering Targets Alert: Extortion Groups Are Using Phishing Kits to Automate Their Attacks Beyond the Chatbot: Why Your AI Agents are Your Newest (and Most Vulnerable) Colleagues Report: Adversarial Use of AI is Evolving
Shadow AI Is Not Shadow IT With a Better Marketing Budget
Javvad Malik · 2026-07-01 · via Human Risk Management Blog

I saw a venn diagram on social media. One circle is Shadow IT, one circle is Shadow AI, a substantial overlap, and the implicit message is that they are effectively the same challenge.

They aren’t and that the assumption can lead to many problems.

Looking back, shadow IT was like watching a crash in slow-motion. Employees using technology IT hadn't sanctioned. Personal Dropbox accounts. Unofficial Slack workspaces. WhatsApp groups that evolved from "just a quick coordination thing" into the actual operational backbone of a team.

These presented real risks of data sprawl, compliance headaches, lack of visibility into where data was. Organizations spent years building governance frameworks to deal with it.

But Shadow IT, at its core, was a data location problem. The data sat somewhere it shouldn’t. It was largely inert. Someone had to go and do something with it. That was the threat.

Shadow AI is different in a way that is not subtle.

When You Stop Moving Data and Start Delegating Authority

Consider what happens when an employee connects an unsanctioned AI agent to their work systems.

It gains persistent access, a memory of prior context, and the ability to take actions. Connected to email. Connected to calendar. Connected, in many cases, to the tools they use to communicate with customers and colleagues.

It has context, the relationships, the subtext buried in existing threads. It has, in most configurations that make it useful, some degree of write access. It can draft. It can send. It can schedule. It can, at the more capable end, make decisions and execute them before any human has reviewed them.

This is not a data location problem. This is an authority problem. The employee has not merely stored something in an unsanctioned place. They have delegated the ability to act in their name to something nobody in IT catalogued, governed, or in many cases even knows exists.

Whereas shadow IT could be likened to someone putting files in their own cabinet at home as opposed to the secure one in the office. Shadow AI gave itself power of attorney.

Why Employees Are Doing This

KnowBe4's Agentic Risks to Human Wins report confirmed that employees are turning to unsanctioned AI tools not out of malice or carelessness, but because the official alternatives are too slow, too restricted, or too stripped-down to be genuinely useful.

These are the same reasons which drove Shadow IT. When corporate email took 10 business days to provision, employees found their own email. When SharePoint was genuinely terrible to navigate, employees found Dropbox. When corporate messaging required a ticket and three different authentication hoops to jump through, employees found WhatsApp.

While the pattern is identical, the capability gap has widened considerably.

AI tools in 2026 are fast, capable, increasingly agentic and easy to connect to existing workflows. Enterprise AI tools are often none of those things. They've been stripped down for policy compliance, throttled for cost control or are simply months behind what's commercially available.

The employee who signs up for an unsanctioned AI assistant on a Friday afternoon is solving their own immediate needs in a way that creates everyone else's security problem on Monday morning.

The Data That's Going In

Over half (51%) of cybersecurity leaders believe the use of “Shadow AI” has had a great impact on their organizations’ cybersecurity over the past year. Employees are feeding AI agents internal strategy documents, client data, financial projections, HR records, and legal correspondence anything that would help the agent do a better job of whatever they've asked it to do.

It's entirely logical. If you want an AI agent to draft a client proposal that sounds like you and reflects the current state of the account, you need to give it the client account data. If you want it to summarize the strategic context for a meeting, you need to give it the strategy documents. The agent is only as useful as the context you provide.

The problem is that the context leaves the organization. It may train models, in some configurations. It sits in a third-party system under terms of service few employees have read. It is accessible to operators of that system and may be retained for periods neither the employee nor their employer has any visibility into.

Shadow IT sent the data somewhere. Shadow AI sends the data somewhere and then uses it to do things.

The Oversight Problem Is Structural

Shadow IT was, in principle, detectable. Traffic analysis, data loss prevention tools, network monitoring. A respectable security team, with the right instrumentation, could identify unusual data movement. It wasn't easy, but the signals were there.

Agentic Shadow AI is structurally different. Agents don't necessarily generate anomalous traffic. They operate through legitimate channels like email, calendar and communication platforms using credentials that are genuine because the employee granted them. There's no data exfiltration signature to catch. There's no login from an unusual location. There's just an entity with access and authority that nobody in IT knows about, doing things at the direction of an employee who probably hasn't thought through the implications.

Forty-four percent of organizations already report increased incidents related to AI application use. And that’s only the tip of the iceberg. There will be agents making decisions an employee didn’t intend to make, or indeed, maybe running months after the person who authorised it left the company.

What the Response Cannot Be

Many organizations will do what they’ve always done when faced with a new behavioral issue. Update the acceptable use policy to cover AI agents and send a memo to all employees.

This will have approximately the same effect it had on Shadow IT, which is to say. A small minority will comply and it will create plausible deniability for the organization, but not fix the root cause.

Employees are turning to Shadow AI because the official alternatives are not good enough. Telling them not to use better tools, without providing better alternatives, does not resolve that tension.

What organizations need is a combination of better approved tools, real-time visibility into what agents exist and what access they have, and a governance layer built for the agentic world rather than ported from the pre-agentic one.

The Point That Keeps Getting Missed

Shadow IT was a problem for managing data. Where it was. Who had access to it? How to get it back under governance?

Shadow AI is a problem about authority. Who is acting in your organization's name. What decisions they're making. What commitments they're creating. What relationships they're managing on behalf of employees who may never have read the terms of service for the agent they authorised at 11pm because the deadline was at 9am.