Shadow AI and the Leadership Gap: Scaling AI to Your Advantage – solutionsreview.com

SANS Institute’s Rob Lee offers commentary on shadow AI and the leadership gap, and how to scale AI to your advantage. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.

The rise of decentralized AI adoption – or shadow AI – is not new, but it is a growing trend that poses significant risks to an organization’s security and operations. According to MIT’s Project NANDA study, roughly 90% of employees report using AI tools without informing their IT departments.
The problem isn’t AI adoption. It’s how enterprise leaders choose to govern it.
For most security teams, “The Framework of No” has served as a baseline response to implementing new AI technology within an organization and managing its potential risk. This methodology – rejecting platforms that can’t be easily secured and banning them in an effort to ‘protect the company’ – ultimately creates operational blind spots that do more harm than good over time.
Discouraging AI use on an organizational level leads to a disjointed AI adoption rollout, leaving employees more motivated to take AI implementation into their own hands.
Organizations will ultimately benefit from bringing shadow AI into the light. It’s no longer enough to ignore or restrict AI usage out of fear. Enterprise leaders need a robust governance framework that aligns with business goals while enabling safe and transparent adoption.
Restrictive policies are often the go-to solution in response to a weak AI roadmap, but the consequences of such an approach can be far-reaching. Control without context can exacerbate disorganization within the culture. When new technologies are restricted, innovation moves underground as employees find ways to activate them outside of approved channels.
An organization can’t protect what it can’t see. Prompt injections, IP leakage, model misuse, and other vulnerabilities arise when security teams are not aware of or not involved in AI adoption decisions. Most importantly, a “no” culture erodes both trust and the willingness of teams to engage with security.
Replacing control with clarity is the best path forward. Organizations must shift from a security posture that restricts and isolates AI adoption to one that partners with AI innovation to ensure it is safe, secure, and aligned with team objectives.
To ensure AI is properly implemented, leadership must take the proper steps to know what’s happening in their organization and foster a culture where its use feels safe and clear:
Examples of roles that support scaled, responsible AI use include:
The proliferation of shadow AI presents both challenges and opportunities for organizations navigating the complexities of AI adoption. By following this approach, leaders can not only mitigate risk but also recognize AI as a strategic asset, converting that challenge into a competitive advantage.
This article was written by Rob Lee on January 30, 2026
Rob T. Lee is Chief AI Officer and Chief of Research at the SANS Institute, where he advises boards, CISOs, and government leaders on how to govern, deploy, and defend AI at scale. He authored the SANS Secure AI Blueprint, introducing the three-pillar model of Protect, Utilize, and Govern, led the development of the SANS Critical AI Security Guidelines, and published widely cited work on Shadow AI and safe harbor protections. His forthcoming white paper, “From Asymmetry to Parity: Building a Safe Harbor for AI-Driven Cyber Defense” (Fall 2025), addresses the challenges of AI-driven cyber defense.