SecureWorld News

Shadow AI in Your Systems: How to Detect and Control It

Written by Sandeep Dommari | Thu | Oct 9, 2025 | 6:20 PM Z

There are more and more AI agents and unapproved AI tools (also known as "shadow AI") in businesses today. To get work done faster, employees and teams often use agentic assistants, hosted LLMs, browser extensions, and automation bots that never pass through IT or security review. That convenience comes with serious risks: data exposure, compliance violations, model manipulation (prompt injection), runaway automation, and identity misuse. The good news is that defenders don't need any new magic technology to regain control.

Combining an inventory-first approach, identity- and data-centric controls, lightweight detection signals (network, browser, and API-key telemetry), and governance that enables safe self-service will greatly lower risk without slowing down productivity. This article explains where to find hidden AI agents, how to find out who controls them, and how to enable safe AI use.

Shadow AI and AI agents: what we mean and why it's different from 'shadow IT'

"Shadow AI" is when people in an organization use AI tools like generative models, coding assistants, agentic bots, or third-party LLM services without getting permission from IT or cybersecurity. This is the next step in the evolution of "shadow IT," but the stakes are higher because models can read sensitive text, make API calls on their own, and do automated tasks across systems. Industry definitions and primers say that shadow AI happens when employees use AI apps without official supervision, which can lead to data leaks, privacy issues, and compliance problems.

In this context, an "AI agent" is a program that runs autonomously or semi-autonomously, using an LLM or another AI model to do things like scrape websites, fill out forms, send emails, or call other systems. Modern agent frameworks and commercial products enable these behaviors through browser automation, headless browsers, or managed "agent orchestration" platforms. Vendors and security researchers note that these agents are increasingly easy to spot because their telemetry fingerprints differ from those of human users.

Where hidden AI agents cause the most problems

Not all unauthorized AI use is immediately disastrous, but there are significant situations where shadow AI poses a particular threat.

  1. Data exfiltration and compliance violations
    Employees paste private designs, PII, or patient records into public LLMs to get quick answers. Unless contracts or settings say otherwise, those copies can persist in provider logs and training datasets, creating GDPR/CCPA and contractual risk. Government agencies and industry groups stress data governance as a top priority for AI security.

  2. Credential and secrets exposure via automation
    Agents that automate web interactions usually need credentials, API keys, or tokens to act on an employee's behalf. If keys are poorly managed or embedded in scripts, agents can reach systems directly. Startup and vendor advisories report agents misusing their access, leading to unauthorized access and accidental credential sharing.

  3. Prompt injection and model manipulation
    An agent or LLM-powered workflow can be tricked by malicious inputs or crafted prompts into revealing secrets, following the wrong instructions, or breaking safety rules. OWASP and major providers identify prompt injection as a fundamental model-level attack class that must be defended against.

  4. Runaway automation and operational integrity
    If authorization checks are weak, agentic bots can take consequential actions such as deleting files, provisioning resources, or posting messages. Automation meant to save time can end up costing hours of cleanup. Security researchers have reported cases where agents took unintended actions because prompts were ambiguous or guardrails were missing.

How to find AI agents and who is controlling them—an inventory-first approach

  • Network and proxy logs: Many agent interactions call external LLM APIs or load resources from outside sources. Look for outbound traffic to known AI provider endpoints, nonstandard hostname patterns, or unusual POST bodies. Modern proxy and firewall logs often record URLs and headers that reveal which model vendors are in use. Check your web gateway and proxy logs for spikes in API calls and for endpoints you don't recognize.

  • Cloud and API gateway logs: If your company consumes AI through cloud functions, serverless layers, or API gateways, check those logs for unusual rate patterns, token churn, or calls from non-developer accounts. Many agents run through cloud automation accounts and leave traces in execution logs.

  • Endpoint telemetry and EDR: Agentic browsers and headless automation often have observable process patterns; for example, Chromium instances started by automation frameworks, browser extensions, or packaged runtime signatures. Newer EDRs can flag processes that launch browser automation or spawn unusual child processes.

  • Identity and access logs (IAM): Agents often authenticate with API keys, service principals, or machine identities. Review recent secret creation and usage (for example, new service principals/keys or the frequency of short-lived token refreshes) and correlate them with ticket requests or developer onboarding events. Use IAM tools to treat agents like users.

Security research and vendor warnings point to useful signs of AI agent traffic.

  • Browser extension fingerprints and helper binaries: Many agent frameworks add helper extensions or browser binaries. A small number of unique DOM IDs, extension IDs, or UA strings can be used to reliably identify an agent session. Human Security's field research talks about a number of extension signals that are easy to spot.

  • Automated navigation patterns: Agents often perform many navigations, clicks, and form submissions in a short time, which differs from human behavior (high throughput, no think time). Look for navigation sequences that repeat exactly, fixed intervals between requests, or pages crawled in tight loops.

  • Unusual prompt-like payloads: Outbound POSTs with long plaintext strings that look like prompts or structured instructions (for example, "Summarize the following, do not reveal…") are suspicious. At the proxy level, content inspection can flag these flows, but be careful about privacy and legal issues.

Detecting AI agents technically: practical recipes

Here are some low-effort detection recipes you can apply right away.

1. Network/proxy detection patterns (low friction, high value)

  • Blocklist/allowlist LLM endpoints: Keep a list of approved model endpoints (such as the APIs of vendors you trust) and alert when someone tries to connect to an unknown model endpoint. This is a simple policy that yields a lot of signal.

  • Inspect POST body lengths and MIME types: LLM prompts usually carry a lot of text (JSON with long "input" or "prompt" fields). Raise alerts when the size of a JSON field exceeds a threshold and the destination is not on an allowlist.

  • Rate and pattern anomalies: Agents often generate sustained, high-frequency traffic. Use your proxy's analytics to find many similar POSTs coming from the same IP or identity.
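The three proxy-level recipes above (and the prompt-like payload signal from the earlier section) as one detector run over constructed JSON proxy log lines. This is an added example, not code from the article; the allowlist host, the hostname hints, the byte and burst thresholds, and the log format are all assumptions to tune against your own gateway's baseline.

```python
# Flag likely shadow-AI traffic in JSON proxy logs (constructed example).
import json
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_LLM_HOSTS = {"api.approved-llm.example"}   # hypothetical vendor allowlist
LLM_HOST_HINTS = ("llm", "inference", "completions", "chat")  # constructed heuristic
MAX_POST_BYTES = 4096   # prompt JSON is usually far larger than a form post
BURST_THRESHOLD = 5     # POSTs from one user to one host within BURST_WINDOW
BURST_WINDOW = timedelta(seconds=60)

def detect_shadow_ai(log_lines):
    """Return sorted (rule, user, host) alerts for a batch of proxy log lines."""
    alerts = set()
    posts = defaultdict(list)   # (user, host) -> POST timestamps
    for line in log_lines:
        rec = json.loads(line)
        if rec["method"] != "POST":
            continue
        user, host = rec["user"], rec["host"]
        allowed = host in ALLOWED_LLM_HOSTS
        # Rule 1: host that looks like a model API but is not on the allowlist.
        if not allowed and any(hint in host for hint in LLM_HOST_HINTS):
            alerts.add(("unknown_llm_endpoint", user, host))
        # Rule 2: oversized POST body (prompt-like payload) to a non-allowlisted host.
        if not allowed and rec["bytes_out"] > MAX_POST_BYTES:
            alerts.add(("large_prompt_like_payload", user, host))
        posts[(user, host)].append(datetime.fromisoformat(rec["ts"]))
    # Rule 3: sliding window per (user, host); a POST burst is the sustained, high-frequency agent pattern.
    for (user, host), times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                alerts.add(("post_burst", user, host))
                break
    return sorted(alerts)

# Constructed sample: alice -> approved vendor, bob -> unknown model API, carol -> form-hammering automation, dave -> GET only (ignored).
SAMPLE_LOG = [
    '{"ts": "2025-10-09T10:00:00", "user": "alice", "method": "POST", "host": "api.approved-llm.example", "bytes_out": 9000}',
    '{"ts": "2025-10-09T10:00:05", "user": "bob", "method": "POST", "host": "chat.unknown-llm.example", "bytes_out": 6200}',
    '{"ts": "2025-10-09T10:00:07", "user": "dave", "method": "GET", "host": "chat.unknown-llm.example", "bytes_out": 0}',
] + [
    f'{{"ts": "2025-10-09T10:01:{sec:02d}", "user": "carol", "method": "POST", "host": "forms.crm.example", "bytes_out": 300}}'
    for sec in range(0, 50, 10)
]
```

Note that carol's burst fires even though her destination is an ordinary CRM form, which is exactly the form-automation case the rate rule exists for.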

2. Endpoint and process detection (EDR)

  • Detect headless browser launches: Look for headless flags, or for automation frameworks that create multiple Chrome/Chromium instances as children of a non-browser parent. These patterns are common in scraping and form-automation agents.

  • Monitor browser extension installs: Endpoint management can keep track of which extensions are installed and match new or rarely used extension IDs with strange network behavior.
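The headless-launch recipe above applied to a batch of constructed process-creation events, as an added example rather than the article's or any EDR vendor's code. The event fields, the browser image list and the child-count threshold are assumptions; the three Chromium switches it matches (`--headless`, `--remote-debugging-port`, `--enable-automation`) are real switches that automation frameworks commonly pass.

```python
# Flag browser-automation patterns in EDR process-creation events (constructed example).
from collections import defaultdict

BROWSER_IMAGES = {"chrome.exe", "chrome", "chromium", "chromium-browser", "msedge.exe"}
# Chromium command-line switches that automation frameworks commonly pass and
# that a person launching a browser from the desktop practically never uses.
AUTOMATION_FLAGS = ("--headless", "--remote-debugging-port", "--enable-automation")
MIN_CHILDREN = 2   # browser instances under one non-browser parent before alerting

def image_name(event):
    """Basename of the process image, lower-cased, for either path separator."""
    return event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect_browser_automation(events):
    """Return sorted (rule, pid, detail) alerts for a batch of process-create events."""
    by_pid = {e["pid"]: e for e in events}
    browser_children = defaultdict(set)   # non-browser parent pid -> browser child pids
    alerts = set()
    for e in events:
        if image_name(e) not in BROWSER_IMAGES:
            continue
        # Rule 1: a browser started with headless / automation switches.
        for flag in AUTOMATION_FLAGS:
            if flag in e["cmdline"]:
                alerts.add(("automation_flag", e["pid"], flag))
        parent = by_pid.get(e["ppid"])
        # Browser-spawned-by-browser (renderer, GPU helper) is normal; a browser
        # spawned by an interpreter, shell or scheduler is the signal we want.
        if parent is not None and image_name(parent) not in BROWSER_IMAGES:
            browser_children[e["ppid"]].add(e["pid"])
    # Rule 2: several browser instances under one non-browser parent. The
    # threshold keeps a user launching Chrome from the desktop shell quiet.
    for ppid, kids in browser_children.items():
        if len(kids) >= MIN_CHILDREN:
            alerts.add(("non_browser_parent_multi_browser", ppid, image_name(by_pid[ppid])))
    return sorted(alerts)

# Constructed sample: a user's normal Chrome, a Python agent driving two headless
# Chromes, and a Node script driving one automation-flagged Edge instance.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": "chrome.exe https://intranet.example"},
    {"pid": 300, "ppid": 1, "image": r"C:\Python312\python.exe", "cmdline": "python.exe agent.py"},
    {"pid": 301, "ppid": 300, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": "chrome.exe --headless=new --remote-debugging-port=9222"},
    {"pid": 302, "ppid": 300, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": "chrome.exe --headless=new --remote-debugging-port=9223"},
    {"pid": 400, "ppid": 1, "image": r"C:\Program Files\nodejs\node.exe", "cmdline": "node.exe scrape.js"},
    {"pid": 401, "ppid": 400, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "cmdline": "msedge.exe --enable-automation"},
]
```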

3. Identity and secrets telemetry

  • Token creation alerts: Notify when a service principal or machine token is created, and require ticketing approval for keys that last a long time. Combine SIEM with your IAM logs to find unusual key use.

  • Treat agents as users: Give agents their own identities, tie their actions to service accounts, and apply the same review cycles to agent privileges as to human privileges. Many IAM vendors recommend this approach.
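The token-creation alert above, together with the "connect them to ticket requests" and "frequency of short-lived token refreshes" checks from the IAM inventory section, as one added example over constructed IAM audit events. This is not code from the article or from any IAM product; the event names, the lifetime threshold, the refresh-rate threshold and the ticket export are assumptions.

```python
# Correlate IAM audit events with change tickets and refresh rates (constructed example).
import json
from collections import Counter
from datetime import datetime

MAX_UNAPPROVED_LIFETIME_DAYS = 30   # keys living longer than this need an approved ticket
REFRESH_BURST_THRESHOLD = 20        # token refreshes per principal per hour

def audit_machine_identities(iam_events, approved_tickets):
    """Return sorted (rule, principal, detail) alerts.

    iam_events: JSON lines with ts, event ("key.create" | "token.refresh"),
    principal, and for key.create also lifetime_days and an optional ticket.
    approved_tickets: ticket ids the change system has approved."""
    alerts = set()
    refreshes = Counter()   # (principal, hour bucket) -> refresh count
    for line in iam_events:
        rec = json.loads(line)
        principal = rec["principal"]
        if rec["event"] == "key.create":
            ticket = rec.get("ticket")
            # Rule 1: long-lived key without an approved change ticket.
            if rec["lifetime_days"] > MAX_UNAPPROVED_LIFETIME_DAYS and ticket not in approved_tickets:
                alerts.add(("long_lived_key_without_approval", principal, f"{rec['lifetime_days']}d ticket={ticket}"))
        elif rec["event"] == "token.refresh":
            hour = datetime.fromisoformat(rec["ts"]).strftime("%Y-%m-%dT%H")
            refreshes[(principal, hour)] += 1
    # Rule 2: a principal refreshing short-lived tokens far more often than a
    # human session would, which is what an always-on agent looks like in IAM.
    for (principal, hour), n in refreshes.items():
        if n >= REFRESH_BURST_THRESHOLD:
            alerts.add(("token_refresh_burst", principal, f"{n} refreshes in hour {hour}"))
    return sorted(alerts)

APPROVED_TICKETS = {"CHG-1042"}   # constructed export from the ticketing system
# Constructed sample: a CI key with a ticket, a marketing bot key without one,
# a short-lived developer key, and the bot refreshing tokens every minute.
SAMPLE_IAM_EVENTS = [
    '{"ts": "2025-10-09T09:55:00", "event": "key.create", "principal": "svc-ci-deploy", "lifetime_days": 365, "ticket": "CHG-1042"}',
    '{"ts": "2025-10-09T09:58:00", "event": "key.create", "principal": "svc-marketing-bot", "lifetime_days": 365, "ticket": null}',
    '{"ts": "2025-10-09T09:59:00", "event": "key.create", "principal": "dev-alice", "lifetime_days": 7, "ticket": null}',
] + [
    f'{{"ts": "2025-10-09T10:{minute:02d}:00", "event": "token.refresh", "principal": "svc-marketing-bot"}}'
    for minute in range(24)
] + [
    f'{{"ts": "2025-10-09T10:{minute:02d}:00", "event": "token.refresh", "principal": "svc-ci-deploy"}}'
    for minute in (5, 35)
]
```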

Balancing control and speed: how to avoid blocking innovation

Many people are afraid that governance will slow down the teams that AI acceleration helps the most. The right way keeps speed while lowering risk:

  • Quick approval lanes for low-risk use: If a team asks for help with writing that isn't sensitive, automatically approve it through a simple portal. You only need to manually review data or actions that are high risk.

  • Toolkit and templates: Provide SDKs and prompt templates that are ready to use and built into IDEs and chatops so that teams can easily adopt safe patterns.

  • Developer sandboxes: Give developers a private cloud instance or local model sandbox to experiment in, and make sure sensitive data is logged and redacted. Sandboxes let teams iterate without exposure.

Real-life examples and short stories (what research and organizations show)

  • Network telemetry found unapproved agents: Security research shows that AI agents leave patterns in networking and browser signals that can be seen. Companies that used proxies quickly found unapproved agents in their marketing and sales teams making a lot of quick calls, which is a pattern that happens in many industries. By making proxy detection work, we were able to quickly contain the problem and get people using the approved tools.

  • Survey evidence of governance gaps: Surveys of IT and security professionals show that most organizations want to use AI agents more, but many don't have formal policies in place. A large number of professionals also report that agents are behaving in ways that weren't intended, such as accessing data without permission or exposing it. These results show how organizations are missing good governance.

  • Vendors are emerging to protect agents: Large venture rounds show the rise of companies focused on agent security (monitoring and hardening). This indicates that the market sees agent safety as a major platform problem, and these companies offer new telemetry and controls that integrate with SIEM and IAM. These tools are meant to add to existing detections, not replace them.

Conclusion

A mandate won't make shadow AI go away. The best way to follow the advice of NIST, CISA, and industry experts is to: (a) keep track of and map how AI is used; (b) treat agents as identities that need the same lifecycle controls as human users; (c) enforce data-centric protections (DLP, redaction); and (d) give teams safe, easy-to-use alternatives so they use approved tools instead of shadow ones.

AI agents can help businesses be very productive, but only if they have the right visibility and governance in place. Start by taking stock of your inventory, adding security to the network and identity layers, giving developers easy-to-use guardrails, and making sure that model-safety practices are part of the software lifecycle. Those steps keep your teams moving quickly, protect data, and keep trust.