
Shadow AI Is the New Shadow IT — Why ITAM Is the Governance Layer That Can Fix It

Released on Tuesday, April 14, 2026

Shadow AI is quickly becoming the next wave of unmanaged software risk. Employees adopt AI tools faster than governance processes can track them, often outside procurement, security review, or license control. This creates new blind spots across cost, compliance, and data protection. IT Asset Management gives you a practical way to restore visibility, assign ownership, and govern AI usage before risks scale across your environment.  

What shadow AI means for your organization—and why it’s growing so fast    

Shadow AI refers to any AI tool, application or feature used within an organization outside its approved IT framework. It is not a future risk. It is a current operating condition — and it is spreading faster than most governance models can track.

According to Gartner’s “Emerging Risk Deep Dive: Shadow AI”, August 2025(1), shadow AI ranked in the top five emerging risks in organizations. Risk leaders flagged it as one of the most commonly identified concerns with the potential to materialize in the near term — yet most organizations do not feel prepared to manage it.

The reason it spreads so fast is structural. Employees activate AI tools in minutes, often through freemium tiers or personal credit cards that bypass procurement entirely. Recent analyst research found that 52% of workers use both personally obtained and organization-provided AI tools for work. A separate survey cited by Gartner found that 32% of workers hide their AI use from employers — and of those, 36% do so to maintain a personal productivity advantage. The pressure to perform is driving adoption faster than policy can respond.

Shadow AI creates visibility, cost, and compliance risks—not just security issues 

The security conversation around shadow AI is legitimate but incomplete. Gartner’s Q2 2025 Emerging Risk Report data shows that 79% of cybersecurity leaders report employees misusing approved public GenAI tools and 69% report use of prohibited public GenAI tools. Those are significant exposure numbers. But for ITAM/SAM managers and IT Directors, the operational consequence runs deeper than breach risk.

When an AI tool enters the environment without review, you lose inventory control — it is not in your CMDB, it has no assigned owner and it sits outside your software lifecycle processes. You lose license and contract visibility — data handling terms, retention practices and third-party processing rights go unreviewed. You lose cost control — AI pricing is increasingly usage-based, and credits or token consumption can scale unpredictably, particularly when embedded AI features activate inside existing vendor contracts. And you lose renewal governance entirely, because an unowned tool has no one watching its renewal date.

The consequences Gartner identifies are consistent with this: IP loss, increased cybersecurity vulnerability and legal and compliance exposure. Most organizations currently lack codified AI governance policies — which means there is no baseline from which to guide employees or enforce safeguards.

Why ITAM is the right governance layer for AI

ITAM teams already operate the discovery, ownership and lifecycle processes that AI governance requires. The framework is not new. The asset class is.

Gartner’s strategic planning assumption from its October 2025(2) research makes the trajectory clear: by 2028, 25% of large organizations will have consolidated information governance teams drawing from digital workplace, data and analytics, and security functions — compared to less than 1% today. That cross-functional model is exactly what mature ITAM programs are positioned to anchor.

For a deeper look at how AI is reshaping software asset management practice, explore USU’s AI in ITAM infographic covering discovery, governance and lifecycle management. 

How to bring shadow AI under control with IT Asset Management

The operating model for governing shadow AI already exists inside your IT Asset Management practice. You don’t need a new framework. You need to extend the one you already use.

  1. Start with discovery. Identify AI tools accessed through browsers, SSO logs, expense data and finance systems—not just what IT deployed.

  2. Then classify what you find. Assign ownership, review what data enters each tool and identify overlap with approved alternatives already in your environment.

  3. Apply policy based on risk. Route higher-risk tools through formal review and define which applications teams can safely use.

  4. Optimize where AI capabilities already exist. Rationalize add-ons inside SaaS contracts, remove duplicates and connect usage data to renewal decisions.

  5. Finally, integrate AI tools into your standard IT Asset Management and SaaS management workflows to bring them under continuous governance instead of treating them as one-time security exceptions.


This isn’t a new program. It’s IT Asset Management extended to a new asset class that is already present in your environment.

Start by adding AI tools to your next SaaS discovery cycle. Treat browser-based AI apps and embedded AI features from existing vendors as first-class inventory items. Assign ownership and extend your renewal and policy workflows to cover them.

Shadow AI isn’t a separate governance challenge. It’s shadow IT with faster activation, weaker ownership and higher data risk. IT Asset Management already gives you the structure to bring it under control.  

Want to understand where your organization stands on SaaS cost control and governance maturity? Explore USU’s SaaS Cost Transparency for Finance and IT Leaders — practical guidance on visibility, cost allocation and spend control across your SaaS estate.  

 

Sources

(1) Gartner, “Emerging Risk Deep Dive: Shadow AI,” Ben Fisher and Laura Reul, 18 August 2025 

(2) Gartner, “The Impacts of Shadow AI on Digital Employee Experience,” Jason Wong, Christopher Trueman, Sunil Kumar, 3 October 2025