Try Bifrost Enterprise free for 14 days. Request access

Shadow AI: The Ungoverned Tools Your Employees Are Already Using

Shadow AI: The Ungoverned Tools Your Employees Are Already Using
Bifrost is the open-source AI gateway that governs shadow AI, extending virtual keys, budgets, guardrails, and audit logs to every AI tool on company machines.

Shadow AI is the ungoverned use of AI tools that never routes through any policy layer: employees install Claude Desktop, type sensitive data into ChatGPT in the browser, run coding agents like Cursor and Claude Code in the terminal, and wire MCP servers into those tools, all without security teams seeing any of it. Bifrost, the open-source AI gateway built in Go by Maxim AI, is the control plane enterprises use to govern that traffic, and Bifrost Edge (currently in alpha) extends the same governance to every endpoint. A 2025 IBM report found that breaches involving these ungoverned tools cost organizations an average of $670,000 more than incidents without them, and that 97% of organizations that suffered an AI-related breach lacked proper AI access controls. This post explains what the problem is, why it is now a top-tier data-exposure risk, and how the combination of an AI gateway and endpoint governance closes the gap.

What Is Shadow AI

Shadow AI is the use of AI applications, models, and agents inside an organization without IT or security oversight, governance, or approval. It is the AI equivalent of shadow IT: tools adopted directly by employees that bypass the controls a security team relies on to protect data.

It shows up in four surfaces on a typical company machine:

  • Desktop chat apps: Claude Desktop and the ChatGPT desktop app, where employees paste code, contracts, and customer data.
  • Browser AI: ChatGPT on chatgpt.com and Claude on claude.ai, accessed through personal or unmanaged accounts.
  • Coding agents: Claude Code, Codex CLI, Cursor, and similar agents that read source code and can execute actions.
  • MCP servers: external tools wired into AI apps through the Model Context Protocol that can read files, call APIs, and take actions on a user's behalf.

The defining trait of this usage is invisibility. Security teams cannot govern traffic they cannot see, and none of these surfaces routes through a gateway by default.

Why Shadow AI Is a Data-Exposure Risk

Ungoverned AI turns every employee laptop into an unmonitored egress point for sensitive data. Prompts routinely contain source code, credentials, customer PII, and internal documents, and when those prompts flow to an external model through an ungoverned tool, there is no audit trail, no budget control, and no guardrail in between.

The scale of the problem is documented across recent industry research:

  • Roughly half of employees use unsanctioned AI tools at work, and 58% access AI through personal devices or accounts, according to reporting on enterprise AI adoption from CIO.
  • Breaches involving ungoverned AI cost an average of $670,000 more than breaches without it, per IBM's 2025 Cost of a Data Breach Report.
  • Among organizations that reported an AI-related breach, 97% lacked proper AI access controls, per the same IBM report.

The gap is structural, not behavioral. Blocking AI outright pushes employees toward personal accounts and unmanaged devices, which is worse. The workable path is to bring the tools people already use under governance rather than trying to ban them.

Why can't a firewall or DLP tool solve shadow AI?

Traditional network controls see connections, not context. A firewall can see that a machine reached an AI provider's API, but it cannot inspect the prompt, apply a per-user budget, enforce a virtual key, or redact a secret before it leaves. Governing this traffic requires a policy layer that understands AI requests, which is what an AI gateway provides.

The AI Gateway as the Control Plane for Shadow AI

An AI gateway is a unified entry point that routes, authenticates, observes, and governs traffic to multiple LLM providers from a single API. Bifrost is the policy engine where an organization defines what governed AI looks like, and every request that flows through it inherits those controls.

The governance primitives that matter here are configured once at the gateway:

  • Virtual keys: the primary governance entity, assigning per-consumer access permissions, budgets, and rate limits per project, team, or user.
  • Budgets and rate limits: hierarchical cost control at the virtual key, team, and customer levels.
  • Guardrails: content and safety checks applied before a prompt reaches a model and before a response returns, including native secrets detection and PII redaction.
  • Audit logs: immutable trails that support SOC 2, GDPR, HIPAA, and ISO 27001 compliance.

Bifrost is built for enterprises and large teams that need this control across regulated workloads, with support for in-VPC deployments and air-gapped environments. The full governance model is described on the Bifrost governance resource page. The one thing a gateway cannot do on its own is govern traffic that was never configured to flow through it, which is exactly the problem shadow AI creates.

How Bifrost Edge Extends Governance to Every Endpoint

Bifrost Edge is the endpoint layer of the Bifrost platform. Rather than relying on each employee to point their tools at the gateway, Bifrost Edge runs on each machine and routes all AI traffic through Bifrost automatically, so the same governance configured at the gateway applies on the laptop. Edge is currently in alpha, and teams register to be onboarded.

The division of labor is clean:

  • The gateway is the brain: virtual keys, budgets, guardrails, and audit logs are defined and enforced here for all configured traffic.
  • Edge is the reach: it carries those same policies to the endpoint, covering the desktop apps, browser AI, coding agents, and MCP servers that would otherwise stay invisible.

Edge is designed to be invisible after a one-time setup. The first time it runs, the user signs in once through their browser using the organization's existing single sign-on, which links the machine to the user and syncs the policies assigned to them. No API keys are copied or pasted. After that, Edge lives in the menu bar on macOS or the system tray on Windows and Linux, and governance follows the user rather than waiting for them to opt in. Because Edge routes at the machine level, it covers every supported app with no base URL changes and no SDK swaps.

App governance: decide which AI apps are allowed

Administrators decide which AI applications are permitted across the organization, and Edge enforces that decision on each device. Allowed apps run normally, fully governed through Bifrost. Disallowed apps are blocked before any data leaves the machine. When Edge detects a new app, it requests approval in the admin console, and admins configure whether pending apps are allowed or blocked while under review.

MCP governance: see and control every MCP server on the fleet

Most organizations have no visibility into which MCP servers users have wired into their AI tools. Edge inventories the MCP servers configured inside each AI app and builds a live, fleet-wide inventory: which servers are configured, where, and across how many devices. Admins make per-server allow or deny decisions, and the decision is enforced on the device, not advisory. A denied server cannot be used even by an app that had it configured before the policy existed. MCP discovery covers major AI apps including Claude Code, Claude Desktop, Gemini CLI, OpenCode, Codex, and Cursor.

Guardrails everywhere: your policies applied to endpoint AI

Because Edge routes AI traffic through Bifrost, every guardrail already configured applies automatically to endpoint AI. A prompt typed into ChatGPT in the browser is evaluated against the same rules and profiles that protect gateway traffic, so secrets and PII are caught before they leave the machine. Guardrail coverage configured at the gateway and applied at the endpoint includes native secrets detection, custom regex with a built-in PII template, AWS Bedrock Guardrails, Azure Content Safety, Google Model Armor, CrowdStrike AIDR, GraySwan Cygnal, and Patronus AI. There is nothing extra to set up on the device.

Rolling Out Endpoint AI Governance via MDM

Endpoint AI governance is only useful if it reaches every machine, which is why Edge deploys fleet-wide through existing device management platforms. Rather than asking users to download and configure anything, an organization pushes Edge to every machine through its MDM with a managed configuration that points it at the organization's Bifrost.

Supported MDM platforms:

  • Jamf: deploy to a Mac fleet with a configuration profile and managed settings.
  • Microsoft Intune: push to Windows, macOS, and Linux devices alongside existing policies.
  • Kandji: distribute across managed Apple devices with zero-touch provisioning.
  • Omnissa Workspace ONE: roll out to Windows, macOS, and Linux endpoints.
  • JumpCloud: deploy across macOS, Windows, and Linux devices.

The managed configuration delivers only non-sensitive connection settings, so machines arrive pre-pointed at the right Bifrost. No secrets live on the device: identity and keys come from the user's SSO sign-in. On first launch, Edge installs silently, asks for one setup approval, prompts the user to sign in through SSO, and then governance turns on for all supported AI traffic. After setup, Edge keeps policy in sync with Bifrost on its own, so central changes to app policy or MCP allow and deny lists reach the fleet without revisiting individual machines.

How does endpoint AI governance support compliance?

Endpoint governance extends the same audit logging, budgets, and guardrails that support SOC 2, GDPR, HIPAA, and ISO 27001 all the way to the laptop, not just the data center. Because Edge enforces the enterprise governance and audit capabilities already part of Bifrost, every request from a desktop app, browser AI session, or coding agent inherits an audit trail. This is what turns "we think employees are using AI" into a documented, governable inventory.

Closing the Shadow AI Gap

Shadow AI is not a fringe risk. With roughly half of employees using unsanctioned AI tools and breaches involving these tools costing hundreds of thousands of dollars more per incident, ungoverned AI on employee machines is now one of the largest unmonitored data-exposure surfaces in the enterprise. The answer is not to ban AI, which pushes usage further into the shadows, but to bring the tools people already use under governance.

The combination is what makes this work: Bifrost as the AI gateway and control plane where policy is defined, and Bifrost Edge as the endpoint layer that carries that policy to every machine. Together they turn shadow AI into governed AI, with virtual keys, budgets, guardrails, and audit logs applied to desktop apps, browser AI, coding agents, and MCP servers across the fleet. You can explore the full platform through the Bifrost resources hub or the Bifrost GitHub repository.

To see how the Bifrost AI gateway and Bifrost Edge bring shadow AI under governance across your organization, book a demo with the Bifrost team.