Two years ago, the riskiest thing in your environment was a person clicking a bad link. Today, it might be an AI tool nobody told you about, authenticated to your data through a credential that never logs in like a human does. Welcome to the world of shadow AI and non-human identities.

What is a non-human identity (NHI)?

A non-human identity (NHI) is any service account, API key, or OAuth-granted application that can access company data without a person signing in. Your environment is full of them: the app that syncs your CRM, the integration that posts to Slack, the AI assistant a sales rep connected to their inbox last week. Each one holds a standing grant to your data — and most companies have no inventory of them at all.

NHIs are attractive to attackers because they’re powerful, long-lived, and rarely watched. A stolen API key doesn’t trigger an impossible-travel alert. A malicious OAuth grant looks like just another app.

What is shadow AI?

Shadow AI is AI tools used inside your company without IT’s knowledge or approval — a marketer pasting customer data into a public chatbot, a developer wiring an AI coding tool to your repos, an analyst connecting an AI app to your Google Drive. It’s shadow IT, but with a data-exfiltration engine attached.

The scale is already systemic:

  • 60% of IT teams have no visibility into employees’ GenAI usage. (Cisco 2025 Cybersecurity Readiness Index)
  • 86% of organizations experienced an AI-related security incident in the past year. (Cisco 2025)
  • Shadow AI was involved in 20% of breaches and added $670,000 to the average breach cost. (IBM Cost of a Data Breach 2025)
  • 97% of organizations that suffered an AI-related breach lacked proper AI access controls, and 63% have no AI governance policies at all. (IBM 2025)

Why this is invisible to your existing tools

Your EDR watches endpoints. Your email security watches inboxes. Neither watches an OAuth grant authorizing an AI app to read your entire Google Workspace, or a sanctioned-looking service account quietly pulling data it was never meant to touch. Shadow AI and NHI risk live in the gap between your tools — which is exactly why they account for a growing share of breaches.

How to govern shadow AI and NHIs

Governing this surface takes capabilities most SMB stacks don’t have:

  • An NHI inventory — every OAuth grant and service account, with risk scoring, so you can see which AI tools and apps touch your data.
  • Attestation — a periodic review (Centeye uses a 90-day cycle) where standing grants are re-justified or revoked, instead of living forever.
  • Content DLP — detecting sensitive data flowing into AI tools.
  • Behavioral DNS detection — spotting AI-service traffic and anomalous data egress at the network layer.
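To make the first two capabilities concrete, here is an added example (not Centeye's code or any part of its product) of the core of an NHI inventory: it takes a list of OAuth grants, scores each one by the data its scopes can reach, whether it is sanctioned, and whether it is a standing grant nobody uses, and flags grants whose last attestation is older than the 90-day cycle mentioned above. The grant records, the scope risk weights, the 30-day dormancy threshold and the scoring formula are all constructed for illustration; the Google Workspace scope URLs are real scope names, but which apps hold them in any given environment is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

ATTESTATION_CYCLE_DAYS = 90   # the review cycle named in the text
DORMANT_AFTER_DAYS = 30       # constructed threshold: a standing grant nobody is using

# Risk weight per OAuth scope (constructed weights; scope URLs are real Google Workspace scopes).
# Unknown scopes get a default weight of 2 so they are never silently scored as harmless.
SCOPE_RISK = {
    "https://www.googleapis.com/auth/drive": 5,
    "https://www.googleapis.com/auth/drive.readonly": 4,
    "https://www.googleapis.com/auth/gmail.modify": 5,
    "https://www.googleapis.com/auth/gmail.readonly": 4,
    "https://www.googleapis.com/auth/calendar.readonly": 1,
    "https://www.googleapis.com/auth/userinfo.email": 0,
    "openid": 0,
}
UNKNOWN_SCOPE_RISK = 2


@dataclass
class OAuthGrant:
    """One non-human identity: an app or service account holding a standing grant."""
    app: str
    client_id: str
    user: str                      # the account whose data the grant can reach
    scopes: list
    granted_on: date
    last_used: Optional[date]      # None if the grant has never been exercised
    sanctioned: bool               # approved by IT, or discovered after the fact
    attested_on: Optional[date] = None


def score_grant(g: OAuthGrant, today: date) -> int:
    """Higher is riskier: broad data scopes, no approval, and dormancy all add risk."""
    score = sum(SCOPE_RISK.get(s, UNKNOWN_SCOPE_RISK) for s in g.scopes)
    if not g.sanctioned:
        score += 3
    if g.last_used is None or (today - g.last_used).days > DORMANT_AFTER_DAYS:
        score += 2                 # standing access that nobody would miss if revoked
    return score


def attestation_due(g: OAuthGrant, today: date, cycle_days: int = ATTESTATION_CYCLE_DAYS) -> bool:
    """A grant must be re-justified once its last attestation (or its creation) is a full cycle old."""
    last_review = g.attested_on or g.granted_on
    return (today - last_review).days >= cycle_days


def inventory_report(grants, today: date):
    """Build the inventory rows, riskiest first, so reviewers start at the top."""
    rows = [
        {
            "app": g.app,
            "user": g.user,
            "risk": score_grant(g, today),
            "sanctioned": g.sanctioned,
            "attestation_due": attestation_due(g, today),
        }
        for g in grants
    ]
    rows.sort(key=lambda r: (-r["risk"], r["app"]))
    return rows


# Constructed sample inventory: a sanctioned chat integration, an AI assistant a sales rep
# connected to their inbox, and an old service account that has gone quiet.
TODAY = date(2025, 6, 30)
CONSTRUCTED_GRANTS = [
    OAuthGrant("Slack", "client-id-placeholder-1", "ops@example.com",
               ["https://www.googleapis.com/auth/calendar.readonly",
                "https://www.googleapis.com/auth/userinfo.email"],
               granted_on=date(2024, 1, 15), last_used=date(2025, 6, 29),
               sanctioned=True, attested_on=date(2025, 5, 1)),
    OAuthGrant("AI Inbox Assistant", "client-id-placeholder-2", "sales@example.com",
               ["https://www.googleapis.com/auth/gmail.readonly",
                "https://www.googleapis.com/auth/drive.readonly",
                "https://www.googleapis.com/auth/userinfo.email"],
               granted_on=date(2025, 6, 23), last_used=date(2025, 6, 29),
               sanctioned=False),
    OAuthGrant("Legacy CRM Sync", "client-id-placeholder-3", "svc-crm@example.com",
               ["https://www.googleapis.com/auth/drive"],
               granted_on=date(2023, 3, 1), last_used=date(2025, 2, 10),
               sanctioned=True),
]


def example_report():
    return inventory_report(CONSTRUCTED_GRANTS, TODAY)


if __name__ == "__main__":
    for row in example_report():
        flag = "ATTEST" if row["attestation_due"] else "ok"
        print(f"{row['risk']:>3}  {flag:<6}  {row['app']:<20}  {row['user']}")
```

On the constructed data the unsanctioned AI assistant lands at the top (broad mailbox and Drive read scopes plus no approval), the dormant service account comes second and is the only one overdue for attestation, and the sanctioned Slack integration scores near zero. The point of the ordering is that an attestation cycle only works if reviewers see the riskiest standing grants first; a flat list of every OAuth client is the inventory nobody reads.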

How Centeye’s Shield-AI surface works

Centeye’s Shield-AI / NHI surface delivers exactly this: an OAuth-grant NHI inventory with risk scoring, 90-day attestation, content DLP, and DNS behavioral detection — so you finally see which AI tools and non-human identities can reach your company data, sanctioned or not. Kavach correlates a risky new OAuth grant with the identity and DNS surfaces, turning “an app you didn’t know about is reading your drive” into an incident you can act on.

As IBM’s data shows, the companies that get breached through AI are the ones with no controls. Shield-AI is how you stop being one of them.

Figures cited from the Cisco 2025 Cybersecurity Readiness Index and the IBM Cost of a Data Breach Report 2025.