AI Governance Institute logo
AI Governance Institute

Intelligence for Compliance and GRC Teams

← News
Research2026-06-19

AI Adoption Research from Nudge Security Reveals How Widespread AI Use Is Transforming Security Governance

What happened

Nudge Security published AI adoption research in June 2026 documenting the scale and composition of enterprise AI tool use across its customer base. The research finds that AI agents, integrations, and AI-native development platforms are now embedded in standard enterprise workflows at a scale that outpaces governance controls designed for traditional SaaS procurement. OpenAI and Anthropic remain the dominant providers by integration volume. Emerging agent tools including Manus and Lindy are entering enterprise environments through individual contributor adoption rather than IT procurement channels. The report identifies data egress as the primary governance gap: enterprise data is leaving controlled environments through prompts, file uploads, and OAuth-connected integrations, in ways that existing data loss prevention and vendor risk controls were not designed to detect or restrict.

Why it matters

  • ·AI tool adoption is now primarily bottom-up. Security and compliance teams are building governance programs retroactively against a deployment baseline that already exists, not establishing controls before adoption begins.
  • ·Agent tools like Manus and Lindy that accept OAuth connections to enterprise systems create data exposure pathways that bypass traditional perimeter controls. Once connected, an agent can pull, process, and retain data outside approved data boundaries with no visibility to security teams.
  • ·Prompt and file upload egress channels are invisible to most DLP systems tuned for email and file transfers. Organizations that believe they have comprehensive data loss controls may have uncovered exposure in AI interactions.
  • ·Third-party AI vendor risk assessments focused on contract terms miss the operational risk from connected integrations and persistent data retention in provider systems, meaning PRC controls need to extend to OAuth-granted agent access.

Governance controls affected

What to do now

  • Deploy an AI tool inventory mechanism capable of discovering OAuth-connected AI applications and agents, not just approved vendors in the procurement system.
  • Extend data loss prevention policy scope to cover AI prompt and file upload channels, and test detection coverage against representative prompt-based data extraction scenarios.
  • Classify AI agents and integrations with OAuth access to production systems as third-party risk assets and apply vendor risk assessment procedures (PRC-001) to them.
  • Update acceptable-use policy to require that AI tool connections to enterprise systems go through a lightweight approval workflow, even for individual contributor tools.
  • Audit currently connected AI applications for scope of OAuth access granted and revoke permissions that exceed the documented use case.

What to watch next

Nudge Security's ongoing visibility into enterprise AI tool adoption positions them to release periodic benchmarks as agent adoption accelerates. Watch for follow-on research on agent credential patterns and OAuth scope accumulation, which will likely surface as the next major enterprise governance challenge as agentic AI deployments scale.

AI Governance Weekly

Weekly intelligence on AI regulation, enforcement, and governance. Every Thursday.

Powered by Buttondown.

Related Coverage

Insight2026-07-16

Agentic Developer Tools Are the New Shadow IT, With a Larger Blast Radius

The Grok Build incident is not a data breach story. It is a category error story: organizations are applying shadow IT controls to a class of tools that bypasses those controls by design. Agentic coding assistants have codebase-level access, transmit code as part of their core function, and expose data in proportion to the developer's own privileges. The governance frameworks built for unauthorized SaaS subscriptions are not built for this.

news2026-07-16

xAI Grok Build CLI Silently Uploaded Full Repositories and Secrets Files Before Server-Side Fix; Opt-Out Did Not Block Transmission

An independent wire-level analysis of xAI's Grok Build CLI (version 0.2.93) found that the tool transmitted entire repository contents, including secrets files and git history, to xAI's servers regardless of what the AI agent was instructed to read. xAI has since disabled the upload server-side and added a privacy opt-out, though the researcher's testing found the opt-out controls data retention rather than blocking transmission. Elon Musk has publicly committed to deleting previously uploaded data, though that deletion has not yet been confirmed complete.

Corporate Policy2026-07-07

OneTrust's AI Governance Committee Framework Sets a Practical Bar for Agentic AI Controls, Including Traceability and Least-Privilege Requirements

OneTrust has published a detailed account of how it built its own AI Governance Committee, including a structured 'buy versus build' decision framework for third-party AI tools and specific controls for agentic AI systems. The guidance requires decision control restrictions, full traceability of autonomous actions, and least-privilege data governance for any AI that operates with meaningful autonomy. The publication functions as a practitioner implementation guide that compliance teams at other enterprises can benchmark against their own programs.