The Security Strategist 17 July 2026 6 MIN

Shadow AI to Shadow Agents: What's Actually Changed in 2026?

"Even into 2024, Shadow AI was not the main priority for enterprises, it gained traction heading into 2025 and dramatically increased in 2026."

Key frontier models are now capable of spotting vulnerabilities that no one thought even existed. They are finding software vulnerabilities at scale without any prompting, presenting both opportunities and challenges for security teams. For instance, recently, the Associated Press reported on the Anthropic Mythos model, spotting vulnerabilities in highly sensitive U.S. government computer systems during a testing exercise. Security researchers describe this ability as dual-use.

The Mythos model, part of Anthropic’s project Glasswing, partnered with national intelligence agencies to find and fix vulnerabilities in critical systems before attackers get to them, as per AP. The frontier AI model “broke into almost all of our classified systems, not in weeks, but in hours,” Joshua Rudd, National Security Agency (NSA) chief, seems to have informed Senator Mark Warner of Virginia. 

This kind of scanning capability helps defenders patch vulnerabilities faster, and also provides attackers with a more effective tool. As our guest noted in the recent The Security Strategist podcast episode, it's "almost like a new weapon." Both sides of the security battle believe they can leverage it to their advantage.

This tension sets the stage for a conversation that has been growing in enterprise security circles throughout the year – Shadow AI. 

In this episode of The Security Strategist podcast, host Shubhangi Dua, Podcast Producer and B2B Tech Journalist at EM360Tech, sat down with Guru Sethupathy, Head of AI Governance at Optro, to break down Shadow AI and its looming threats in 2026 and beyond.

Over the last couple of years, Shadow AI has mainly involved employees entering sensitive data into ChatGPT while IT teams rushed to respond. This summer, the narrative has changed. The EU AI Act's regulatory clock is ticking. Meanwhile, Shadow AI is transforming into autonomous "shadow agents" that operate without waiting for human approval at every step. 

Sethupathy believes many enterprises are about to realise they can't comply with regulations for systems they don’t even know they're using.

Rogue Chatbots to Rogue Agents

Shadow AI isn’t a new concept, but Sethupathy challenged the notion that enterprises have been aware of it for years. "Even into 2024, Shadow AI was not the main priority for enterprises," he said. It only gained traction heading into 2025, and "it has dramatically increased in 2026."

Two factors are driving this shift, he explained. The first is the "democratisation of AI." Any employee within an enterprise can now access and interact with AI tools directly. The second factor is the countless ways AI can enter a company. AI can come through third-party vendor tools, web browsers, internal development, or no-code and low-code platforms. When you combine these entry points with the number of employees interacting with them, he noted, "you can see why there’s so much AI in an organisation that isn’t being tracked."

However, the real change, Sethupathy argued, isn’t from chatbots but from what followed. "With chatbots, companies could exert control," he said, highlighting the relative ease of restricting the tools staff could use and controlling how data flowed through them. AI Agents present a different challenge entirely: "It’s not just about data leakage. It’s not just about data security. These agents are taking actions, making decisions, and acting." 

This, he said, poses "a level of risk that is much higher."

Why is Governance Failing Against AI?

If agentic AI is the new area of risk, why hasn’t governance caught up? Sethupathy attributes this to tempo. "Governance in the past has typically been a point-in-time exercise," he said. But autonomous agents operate constantly. They learn consistently and take actions, access tools, and data around the clock.

"Imagine you’re driving, and your car only informs you of your speed every half hour. That would be pointless,” the Head of AI explained. The same reasoning applies to agents, he argued. With their continuous work, oversight needs to be continuous as well. This creates two major problems for organisations: a process issue (rebuilding governance frameworks around ongoing review) and a technology issue. As Sethupathy plainly stated, "humans cannot do continuous monitoring. We have to sleep." 

AI needs to monitor other AIs.

Why the EU AI Act to Shadow AI?

The compliance deadline for high-risk systems under the EU AI Act has not simply been pushed to August 2026 and left there. Sethupathy clarified that the European Commission revised the timeline recently, dividing it into two separate tracks:

The first is transparency and watermarking obligations; the rules requiring enterprises to disclose their AI usage have actually been moved forward to December 2026. Secondly, high-risk system obligations involving the detailed governance, risk assessment, and audit requirements for high-risk AI — have been pushed back to December 2027.

Are you enjoying the content so far?

"There have been updates on the EU Act," Sethupathy told Dua. The rules "around transparency of AI use and watermarking have actually been moved forward to December of this year," while the high-risk governance requirements have "been pushed back to the latter half of next year, particularly December 2027."

Alluding to the challenge of shadow AI challenge, he added that enterprises can't run a compliance process for high-risk systems they haven't identified. "You don’t know what high-risk systems you have if you have shadow AI," he said, adding that he doesn’t think most enterprises could have solved that discovery issue by the original August 2026 deadline. 

Sethupathy believes the extended timeline is a positive development, as long as companies take advantage of it. "I think it’s actually good that the EU has given folks more time. But they need to get started."

Ultimately, he asks CISOs to "think of governance as your insurance against that investment," referring to the billions of enterprises that are investing in AI. Without buy-in from the top, Sethupathy warned, "governance will become just a side task. Eventually, something will break."

Key Takeaways

  • Shadow AI is becoming a significant concern for enterprises.
  • The rise of AI democratisation has increased risk exposure.
  • Governance must be continuous and real-time to be effective.
  • The EU AI Act's compliance deadlines are crucial for enterprises.
  • Enterprises need to identify high-risk AI systems to comply with regulations.
  • Technology is essential for the continuous monitoring of AI systems.
  • CISOs must take ownership of AI governance within enterprises.
  • Training employees on AI risks is vital for effective governance.
  • Investing in governance is an insurance against AI investments.
  • Top-down support from leadership is necessary for successful governance.

Chapters

  • 00:00 Introduction to Shadow AI and Its Implications
  • 03:12 Understanding the Rise of Shadow AI
  • 05:52 Governance Challenges in the Age of AI
  • 09:00 The EU AI Act and Its Impact on Enterprises
  • 12:09 Technological Solutions for Managing Shadow AI
  • 14:50 The Dual Nature of AI in Security
  • 17:34 Strategies for Effective AI Governance
  • 21:06 The Role of the C-Suite in AI Governance

For more on Optro’s approach to continuous AI governance, visit optro.ai

Shubhangi Dua
Follow
Message