The 2025 State of Shadow AI Report reveals the widespread and persistent use of unsanctioned AI applications in enterprises, highlighting critical security risks, especially related to tools like OpenAI and low-security-rated apps such as Jivrus Technologies and Happytalk. It emphasizes the urgent need for real-time discovery, governance, and remediation strategies to manage shadow AI exposure, particularly in small and mid-sized organizations.
Key points
- The report is structured into main sections: Executive Summary, Methodology, Glossary, Detailed Findings, Recommendations for Security Leaders, Solutions using Reco, and Conclusion. Respectively, these cover introduction and scope, data collection and analysis methods, definitions of key terms, deep dives into shadow AI usage and risks, actionable advice for organizations, technology solutions, and final insights.
- Key statistics include 53% of shadow AI enterprise usage accounted for by OpenAI, with over 10,000 users tracked; 27% of employees in small companies (11-50 staff) using unsanctioned AI tools; three applications (Jivrus Technologies, Happytalk, Stability AI) failing basic security controls; and unsanctioned AI apps running unsupervised for over 400 days on average (e.g., CreativeX, System.com).
- Notable trends show that high adoption rates of AI tools do not correlate with strong security, as widely used applications like CreativeX and Otter.ai have poor security scores, while some secure tools have low adoption.
- The report identifies recurring themes such as the invisibility of shadow AI to traditional security measures, accumulation of security debt due to embedded AI use, and the disproportionate risk faced by smaller organizations with limited security resources.
- Significant findings highlight the challenges in governance due to the rapid and uncontrolled AI tool adoption, the critical impact of OpenAI's market dominance, and the pressing need for specialized controls and continuous monitoring to mitigate growing enterprise risks.
- Recommendations focus on deploying real-time shadow AI discovery tools, establishing OpenAI-specific policies, curating pre-approved AI tool lists, remediating high-risk applications promptly, scaling security practices for smaller teams, and monitoring autonomous AI agents and non-human identities.
- Reco's dynamic SaaS security platform is presented as a comprehensive solution offering real-time detection, behavioral analytics, and AI-driven prioritization that addresses the multifaceted shadow AI challenges identified in the report.
- The report concludes that shadow AI is now a permanent fixture in enterprises, requiring proactive governance to convert potential risks into competitive advantages, stressing that ignoring shadow AI threats risks operational disruption and compliance failures.
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)