Post by SANS Institute
"If you don't think you have a shadow AI problem, you do."

In a recent survey of 300 CISOs, not one reported full visibility into their organization's AI usage. (Pentera AI Security & Exposure Benchmark 2026) 67% flagged it as a known issue. The remaining 33% should probably take a closer look.

Shadow AI spreads not because employees are reckless, but because they are trying to do their jobs. Faster emails, quicker data analysis, tighter turnarounds. When organizations have not established clear guidance on approved tools, people find workarounds.

SANS Field CISO and VP of AI Security Chris Cochran describes the fix as three moves, in order:

➡️ Stand up an AI governance council that includes voices across the business. AI use cases exist in every function. Security and IT cannot govern what they do not have visibility into, and they cannot get visibility without organizational buy-in.

➡️ Train the workforce you already have. The 2025 SANS Cyber Workforce Study found the primary gap in cybersecurity is skills, not headcount. Employees who already understand the business are the fastest path to AI readiness.

➡️ Revisit third-party risk assessments. If a vendor you approved six months ago has since embedded AI into their product, that original assessment may no longer reflect actual exposure.

The organizations that start now will have the advantage.

Be on the lookout for Chris's AI Security Maturity Model dropping later this month and listen to his full conversation with Eva Benn on #SecurityMondays here: https://lnkd.in/eKZmvTjy

#ShadowAI #AI #AISecurityMaturityModel