Shadow AI is the practice of employees deploying AI agents and automations without IT or security team knowledge or approval. At RSAC 2026, the top innovation award went to Geordie, a platform that does one thing: find the AI agents already running inside your organization that your IT team doesn't know about. The biggest cybersecurity conference in the world gave a standing ovation to a flashlight. That tells you where we are.
According to IBM's Cost of a Data Breach 2025 report, shadow AI breaches cost $670,000 more than standard breaches. Token Security found 600 ungoverned agents inside a single Fortune 500 company in 24 hours. And according to a Gravitee survey of 919 organizations in February 2026, 86% of AI agents are deployed without security approval.
Your employees figured out AI agents months before your IT team did. The agents are already running. The question isn't whether to govern them. The question is whether you can even see them.
Why Did RSAC 2026 Give Its Top Award to a Shadow AI Discovery Tool?
Geordie won the RSAC 2026 Innovation Sandbox because shadow AI is the defining security problem right now. Not a future problem. A current one.
Most organizations cannot produce a list of what AI agents are running, who approved them, or how to shut them down. When the most credentialed security conference in the world rewards a visibility tool above everything else in the field, that is the industry saying: we have lost track of what is running inside our own organizations.
The governance gap between AI adoption (86%) and proper oversight (26% of organizations have AI governance policies, per a CSA survey at RSAC 2026) is not closing. It is widening. Shadow AI is the reason.
What Are the Three AI Agent Governance Gaps Enterprises Face?
CrowdStrike CEO George Kurtz identified three gaps appearing consistently inside companies deploying AI at scale.
Invisible reasoning. Your AI agent makes a decision, takes an action, and moves on. There is no record of why. When something goes wrong, you have nothing to trace. You are left with an outcome nobody can explain.
No kill switch. Kurtz asked executives how they would stop a compromised agent. Most could not answer. They had deployed something with no documented way to shut it down.
Speed mismatch. You act in minutes. Your AI agent acts in milliseconds. By the time your security team notices something is off, the agent has already taken 50 more actions. The damage is done before the first meeting gets scheduled.
If any of these three describe your current environment, you are not alone. Most enterprises have all three.
What Is ClawHavoc and Why Does It Matter?
ClawHavoc is the first known supply chain attack on agentic AI infrastructure. It targeted OpenClaw and poisoned 1,100 skills that agents could download and execute. This was not a research proof of concept. It was a real attack that happened in the wild.
Your AI agents are already a target. The only question is whether you will know when they are hit.
Why Does Zero Trust Break with AI Agents?
Zero Trust was built on one idea: never trust, always verify. Verify identity. Verify device. Verify access rights. Grant the minimum needed. Monitor behavior.
That model carries a hidden assumption nobody talks about. The entity being verified is a human who acts slowly enough for a security team to monitor and respond.
AI agents shatter that assumption.
| | Human Employee | AI Agent |
|---|---|---|
| Identity | Consistent | Credential that can be shared, spoofed, or compromised |
| Behavior | Baseline you can monitor | No consistent behavioral pattern |
| Speed | Slow enough to detect | Acts in milliseconds, damage done before detection |
| Controls needed | Access control | Action control |
As John Kindervag, creator of Zero Trust, told me at RSAC: no single identity signal is enough. Real security comes from evaluating the full collection of signals together.
The distinction that matters most: access control versus action control. Access control determines what systems an agent can reach. Action control determines what an agent can do within those systems. "Can access your email" is access control. "Can send email on your behalf" is action control. Cisco's Jeetu Patel called this the defining shift from the RSAC keynote stage. Most AI deployments have not made this distinction yet.
What Is the Agentic Trust Framework and How Does It Address This?
The Agentic Trust Framework (ATF) is a free, open governance standard for AI agents published by the Cloud Security Alliance in February 2026. It extends Zero Trust by adding two things the original model never needed: action-level controls (not just access-level) and real-time behavioral monitoring (not retrospective audits after the damage is done).
Every major RSAC 2026 keynote independently described elements of ATF without knowing it existed. Microsoft named four pillars of continuous agent governance: identity, policy-driven, behavior-aware, self-enforcing. Cisco named the access-to-action shift. CrowdStrike named the three governance gaps. Splunk's John Morgan literally called for "an agentic trust and governance model" from the stage.
They were describing the same thing from different stages. ATF is the framework that connects them.
Microsoft's engineering team built their Agent Governance Toolkit against the ATF spec 30 days after the CSA publication, without coordination. Berlin AI Labs documented 12 production deployments across all five ATF elements. Neither was asked. Both validated independently.
The full spec is free at agentictrustframework.ai.
What Should a CEO Do About AI Agent Security This Quarter?
Five governance decisions that do not require a new vendor, a new platform, or a six-month implementation.
Require a full agent inventory. Every AI agent running in your environment, who approved it, what it accesses, and what it is permitted to do. If your team cannot produce that list in 72 hours, that is your first board agenda item.
Require a kill switch policy. Every agent gets a documented shutdown procedure before it goes live. Not after something goes wrong.
Separate access from action. Agents get permission to perform specific actions for specific tasks. "Can read email" and "can send email on my behalf" are not the same permission. Treat them differently.
Require audit logging on every agent decision. If your agent takes an action and there is no record of why, that agent does not run in your environment.
Assign a human owner to every agent. Not a team. A person. Someone whose name is on it. Accountability changes behavior, even when the behavior is set by a machine.
Governed agents earn trust. Trusted agents get more autonomy. That is where the real productivity lives.
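As an added example (not code from the article, the ATF spec, or any vendor named above), here is a small policy check that enforces the access/action distinction from the Zero Trust section together with the five decisions above: a named human owner, a kill switch, action-level permissions, and an audit record for every decision. All agent names, systems, actions and the owner address are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class AgentPolicy:
    agent_id: str
    owner: str            # a named person, not a team
    access: set           # systems the agent may reach (access control)
    actions: set          # (system, action) pairs it may perform (action control)
    enabled: bool = True  # kill switch: False stops every action immediately

AUDIT_LOG: list = []  # one record per decision, denials included

def authorize(policy: AgentPolicy, system: str, action: str, reason: str):
    """Decide one agent action. Returns (allowed, verdict) and always writes an
    audit record carrying the agent's stated reason, so the 'why' is traceable."""
    if not policy.enabled:
        verdict = "denied: agent stopped by kill switch"
    elif system not in policy.access:
        verdict = f"denied: no access to {system}"
    elif (system, action) not in policy.actions:  # reaching a system != acting in it
        verdict = f"denied: access to {system} does not grant action '{action}'"
    else:
        verdict = "allowed"
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(), "agent": policy.agent_id,
        "owner": policy.owner, "system": system, "action": action,
        "reason": reason, "verdict": verdict,
    })
    return verdict == "allowed", verdict

def kill(policy: AgentPolicy, triggered_by: str) -> bool:
    """Kill switch: only the named owner may stop the agent; the trigger is logged."""
    if triggered_by != policy.owner:
        return False
    policy.enabled = False
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "agent": policy.agent_id, "event": "kill", "by": triggered_by})
    return True

def demo() -> list:
    """Constructed scenario: a mail-triage agent allowed to read but not send email."""
    mail_bot = AgentPolicy("mail-triage-01", "a.owner@example.com",
                           access={"email"}, actions={("email", "read")})
    results = [authorize(mail_bot, "email", "read", "triage inbox")[0],
               authorize(mail_bot, "email", "send", "reply to customer")[0],
               authorize(mail_bot, "crm", "read", "look up contact")[0]]
    kill(mail_bot, "a.owner@example.com")
    results.append(authorize(mail_bot, "email", "read", "triage inbox")[0])
    return results  # [True, False, False, False]
```

Running `demo()` shows the agent reading mail, being refused the send action it was never granted, being refused a system outside its access scope, and being stopped outright once the owner triggers the kill switch, with every outcome and its stated reason left in AUDIT_LOG.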
How Do You Find Shadow AI Agents in Your Organization?
Take these four questions to your leadership team this week.
"Can you show me every AI agent running in our environment right now?" If they cannot produce a list in 24 hours, you have a shadow AI problem.
"If one of our agents was compromised right now, how would we know? And what is the documented process to shut it down?" No documented process means no kill switch.
"When our agents make decisions, is there a record of why?" No audit trail means no accountability.
"What is each agent permitted to DO, not just access?" Access to your email system is not the same as permission to send an email on your behalf.
Not sure where your organization stands? The free AI agent self-assessment at verifiedagents.ai takes 10 minutes and shows you exactly where your governance gaps are against the ATF's five elements.
Frequently Asked Questions
What is shadow AI? Shadow AI refers to AI agents and automations deployed by employees without IT or security team knowledge or approval. Shadow AI breaches cost $670,000 more than standard breaches (IBM Cost of a Data Breach 2025). 86% of AI agents are deployed without security approval (Gravitee, February 2026, n=919).
What is the Agentic Trust Framework? The Agentic Trust Framework (ATF) is a free, open governance standard published by the Cloud Security Alliance in February 2026. It extends Zero Trust to AI agents by adding action-level controls and real-time behavioral monitoring. It covers five elements: identity, behavioral monitoring, data governance, segmentation, and incident response. The full spec is at agentictrustframework.ai.
What is the difference between action control and access control for AI agents? Access control determines what systems an agent can reach. Action control determines what an agent can actually do within those systems. "Can access your email" is access control. "Can send email on your behalf" is action control. Most AI deployments only enforce access control, which is insufficient for autonomous agents that take real-world actions.
What was ClawHavoc? ClawHavoc was the first known supply chain attack on agentic AI infrastructure. It targeted OpenClaw and poisoned 1,100 skills that agents could download and execute. It was a real attack in production environments, not a research proof of concept.
How do I create a kill switch for AI agents? A kill switch is a documented shutdown procedure that can stop an agent instantly and remotely. It must be designed and tested before deployment, not after an incident. Every agent needs a named person authorized to trigger it and a process that executes in seconds. If your team cannot answer "how do we stop this agent right now," it should not be running in production.
What did RSAC 2026 say about AI agent security? Every major RSAC 2026 keynote independently described the same governance problem. Microsoft named four pillars of agent governance. Cisco called for the shift from access to action control. CrowdStrike identified three governance gaps. Splunk called for an agentic trust model. The Innovation Sandbox top award went to Geordie, a shadow AI discovery platform. The consensus was clear: governance is the defining challenge of agentic AI deployment.
How many ungoverned AI agents does a typical enterprise have? Token Security found 600 ungoverned AI agents inside a single Fortune 500 company in a 24-hour discovery scan at RSAC 2026. 86% of organizations deploy AI agents without security approval (Gravitee, February 2026). Most organizations do not know how many agents are running in their environment.
Author Bio:
Josh Woodruff is the Founder and CEO of MassiveScale.AI, a security-first AI consultancy. CSA Research Fellow. IANS Faculty. RSAC 2026 speaker. Author of Agentic AI + Zero Trust (foreword by John Kindervag).
Don't know where your AI agents stand? The AI Agent Audit gives you a complete assessment in one week. Start with the Agentic Trust Framework to see the four questions every agent needs answered before deployment.
