How Can We Effectively Manage Shadow AI Tools in the Workplace?

Asked By TechyTurtle42 On

We've approved certain AI tools for our team, but it feels like it's in vain since people are still using random tools anyway. Just last week, someone uploaded customer data to a questionable Chrome extension, and our data loss prevention system missed it because it didn't interact with our network. We try to block what we can at the web filtering level, but new tools keep emerging. By the time we identify and block one tool, it's like half the team has already moved on to the next. It feels like we're constantly playing catch-up with enforcement conversations. Is this just how things are now? Is there an effective way to implement AI security at scale without becoming a compliance bottleneck?

11 Answers

Answered By CloudWhisperer88 On

Using Zscaler ZIA is a great start. You could block certain categories and only allow whitelisting upon request, which gives you control while not paralyzing operations.

Answered By ClipboardMonitorMaster On

Don’t forget, Defender can monitor clipboard activity, adding another layer of oversight.

Answered By SecureSocks99 On

You might have two choices: either block tools and face the fallout, or see what management expects and operate accordingly. Remember, it's not your company, and if management isn't concerned, it's tough for you to be.

Answered By CleverAnalyst7 On

Instead of just blocking tools, focus on risk management and fostering a strong culture. Determine which data needs strict control, educate the team on the potential consequences, and make approved tools easier to use than the shadow options. Otherwise, you’ll just be chasing shadows.

Answered By HRwatcher On

Management needs to be your ally. Start with a clear policy: anyone caught putting company data into unauthorized tools will face serious consequences. Whitelisting Chrome extensions could help but be prepared for potential rabbit holes—like ensuring that people can't install unapproved versions elsewhere.

Answered By FirewallFanatic72 On

We block a lot through our web filter and have policies in place along with ongoing training for users about the dangers of using unsanctioned tools. All browser extensions are managed through our policies for Microsoft Edge, and our security team regularly reviews SaaS applications being accessed.

Answered By AccountableAdmin On

Make sure to file a report with HR if someone breaches data protocols. Include all relevant details and management; this isn't just a minor issue—it’s a serious infraction. Protect yourself by documenting the breach and outlining the necessary actions to take next.

Answered By BrowserBuddy21 On

Have you considered whitelisting browser extensions? That could help keep unapproved tools in check.

Answered By DataGuardian99 On

The belief that merely blocking tools will eliminate Shadow AI is outdated. Shadow AI isn't just about new SaaS solutions; it's about employees pasting corporate info into random Chrome extensions that never connect to your corporate DNS. We need something that recognizes content patterns, not just tool names. This is where layering in AI-focused safety measures alongside traditional data loss prevention can really help. It creates a more robust security environment that scales with AI use.

Answered By CulturistConsultant On

Creating a culture where employees feel comfortable seeking permission can make a big difference, especially if you have an efficient app approval process. For Chrome extensions, you can enforce policies based on your company's environment. As for whether this is the new normal, this level of shadow tech has been an issue for some time, ever since SaaS really took off.
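Several answers in this thread suggest allowlisting browser extensions through managed policy. The following is an added example, not code from any poster: it builds a default-deny Chrome/Edge policy using the `ExtensionInstallBlocklist` and `ExtensionInstallAllowlist` settings and audits an extension inventory to show what that policy would block before rollout. The extension IDs, hostnames, and inventory format are constructed placeholders.

```python
import json
import re

EXT_ID = re.compile(r"^[a-p]{32}$")  # Chrome/Edge extension IDs: 32 chars, a-p

# Constructed placeholder IDs, not real extensions.
ID_A, ID_B, ID_C, ID_D = ("a" * 32, "b" * 32, "c" * 32, "d" * 32)
APPROVED = {ID_A: "approved-ai-assistant", ID_B: "password-manager"}

# Constructed inventory export: host -> extension IDs found in browser profiles.
INVENTORY = {
    "laptop-01": [ID_A, ID_C],
    "laptop-02": [ID_B],
    "laptop-03": [ID_D, "not-an-id"],  # malformed entry is reported too
}


def build_policy(approved):
    """Default-deny managed policy: block every extension, allow approved IDs only."""
    bad = [i for i in approved if not EXT_ID.match(i)]
    if bad:
        raise ValueError(f"malformed extension IDs in allowlist: {bad}")
    return {
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": sorted(approved),
    }


def audit(inventory, approved):
    """Map each host to the installed extensions the policy would block."""
    findings = {}
    for host, ids in inventory.items():
        unapproved = sorted(i for i in set(ids) if i not in approved)
        if unapproved:
            findings[host] = unapproved
    return findings


if __name__ == "__main__":
    print(json.dumps(build_policy(APPROVED), indent=2))
    for host, ids in audit(INVENTORY, APPROVED).items():
        print(f"{host}: would be blocked -> {', '.join(ids)}")
```

Running the audit before enforcing the policy shows which users need an approved alternative or a review request first.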

Answered By PolicyChampion88 On

We tackle this from a legal angle. We’ve got a data disclosure policy in place that clearly states that using unapproved systems for company data is against the rules and violates NDAs. It sounds harsh, but if someone wants to access software, they go through a review process that ensures it's safe. IT can’t do it all; it’s also about policy and HR involvement.

InsightfulSam -

Totally agree! It’s key not to speak to individual employees directly, as their managers and team leads should also be involved in the compliance process.
