Ivanti Blog: Posts by

Is Shadow AI Quietly Reshaping Your Workplace Security Posture?

Mon, 15 Dec 2025 14:00:01 Z

AI tools have seen a meteoric rise in the workplace. What was once the domain of highly specialised tech roles is now commonplace: Ivanti’s 2025 Technology at Work Report found that 42% of office workers say they’re using gen AI tools, like ChatGPT, at work — up 16 points from the previous year.

The catch? These productivity gains happen under the table. Among those who reported using gen AI tools, 46% say that some (or all) of the tools they use are not employer-provided. And, one in three workers keep AI productivity tools a secret from their employers.

Gen AI tools can be a productivity multiplier. But they’re also a risk to data security — particularly when they’re used without employer oversight.

What is shadow AI?

Unsanctioned use of AI is just another flavour of shadow IT (i.e. the use of technology without IT approval).

The risks that shadow AI introduces are similar to other shadow IT risks, but with an additional layer of concern: the sheer amount of proprietary data generative AI requires to be effective. Free generative AI tools (and some paid tools as well) may use an organisation’s data or employee searches to train their model, amplifying the risk of data leaks and noncompliance.

The recent revelation that shared ChatGPT conversations were crawlable by search engines (although OpenAI swiftly changed course) should be a wake-up call that, without proper controls, third parties can use your data in ways you object to. Some free tools, ChatGPT included, can be configured to meet security policies, but that’s simply not possible when employees use them covertly.

Free tools like ChatGPT aren’t the only shadow AI risk. An unexpected source is actually existing software. With the rush to add AI features, tools that might previously have been IT-approved may now pose new risks, and if infosec teams don’t know about and evaluate these new features, they effectively circumvent third-party risk management processes.

Why a risk-first approach to AI is crucial

Whether for gen AI or other tools, shadow IT is the result of not having a defined and reasonable way to test tools or get work done. Given that AI isn’t going away, companies need to approach adoption proactively, because banning tools doesn’t mean employees won’t try to use them in an effort to boost their productivity and make their jobs easier.

I spend the bulk of my time assessing risk, including the risks AI tools pose. Often, we have to assess risk as it relates to an opportunity to improve the business — in this case, employee productivity gains and second-order impacts (like employee satisfaction or having time to work on more strategic projects).

In short, we need to ask: Is there a way to introduce the tools employees are asking for and reap the benefits they offer while keeping the risk to an acceptable level?

This is where a risk-first approach enters the picture. A risk-first approach to AI adoption focuses on the data that needs to go into the AI and how the third party handles that data. This approach is similar to vendor risk management, allowing organisations to use established practices and processes, but adjusted for AI-focused questions.

Key question to ask include:

Will our data be used to train the AI model?
How long is our data retained?
What protections exist to reduce the risk of our data being exposed?
Who has the rights to intellectual property generated using the AI?

Minimising AI sprawl is a critical piece of this work. As more vendors introduce specialised AI tools — and as you bring on more vendors and grant their AI tools access to your data — your risk increases. This is also true of existing tools that suddenly introduce AI without cost or contract changes, making it difficult to keep an accurate inventory of AI tools.

Adopting an AI governance framework at Ivanti

Within Ivanti, we combat shadow AI with a risk-first approach that starts and ends with employee engagement.

Bringing AI use out of the shadows

While we’d never encourage shadow AI, employees that use it have valuable knowledge to share about how to integrate AI into workflows. So instead of banning all AI use, we have to make sure that employees have a clear path to request AI tools to use at work and that there are regular opportunities for open dialogue.

Fostering open dialogue makes employees feel comfortable discussing which tools help them succeed and ultimately means they will use them (or equivalent tools) safely. This provides an opportunity for employees to be active partners in developing appropriate governance — rather than trying to skirt restrictions.

A measured approach to AI implementation and adoption

Once a tool is approved, it is important to ensure proper implementation and that you understand what data you have given it access to. This is particularly important when you consider the data governance and security risk that gen AI tools pose to organisations. When we view AI through the lens of data governance, it can help address many parts of AI risk.

At Ivanti, we take a measured approach: We dedicate a team to run controlled tests of gen AI tools with other teams. We then establish feedback loops, and adoption rolls out gradually to avoid disruption.

Building a feedback loop for AI tools

We have to consistently ask:

How are Ivanti's employees using AI?
Do they like it?
What feedback do they have?
How can we improve the tool?

This ongoing conversation ensures we're using AI responsibly while meeting employees' productivity needs.

It’s not about jumping on the AI bandwagon. It’s about knowing if it’s worth it — for the business and for the people using it. Shadow AI boosts the productivity of one person. But take that productivity and expand it, and you have a meaningful improvement for the company as a whole.

Proactively combating shadow AI

The running theme here is that even though AI, and particularly shadow AI, poses new and concerning risks, it is here to stay. Employees who use AI under the radar aren’t ill intentioned; if anything, they’re trying to benefit the business, even if they’re going about it the wrong way.

A proactive, risk-first approach to AI adoption recognises this reality. Instead of reactive bans that only encourage circumvention, we have to engage employees to understand the problems they’re using AI to solve so that we can provide them with safe options that meet our security and data privacy requirements.

An Update on Ivanti's Ongoing Commitment to Enhanced Product Security

Tue, 11 Feb 2025 13:00:01 Z

In April 2024 the Ivanti CEO issued an open letter on our commitment to product security. We are very proud of the progress we have made, but as we all know, Security is a journey of continuous improvement. Ivanti is committed to this journey and to protecting our customers as the threat landscape continues to evolve.

Similar to other companies that develop network security and edge products, our edge products have been targeted and exploited by sophisticated threat actor attacks. While these products are not the ultimate target, they are increasingly the route that well-resourced nation state groups are focusing their effort on to attempt espionage campaigns against extremely high-value organisations.

Our response to any incident is to learn from it, invest in improving our products, and ultimately make it harder for our products to be abused by sophisticated adversaries.

A final, important point: we all continue to reap value from important security industry partnerships. By collaborating closely with government and security industry partners we are stronger and more secure together. We thank our collaborators and look forward to redoubling our efforts in the future.

Bolstering Product Security and Embracing Secure by Design Frameworks

Specialised Security Resources: the Ivanti Security team is comprised of highly skilled security specialists who support Ivanti’s overall security, and a dedicated Product Security Team focused on the security of our solutions. The size of this team has increased more than 8X over the past few years, along with meaningful elevation in threat expertise.
Leading Third-Party Partnerships and Tooling: we have expanded engagements with leading security and threat intelligence experts and utilise industry leading static and dynamic code analysis tooling during the development process to validate the security of our solutions and ensure Ivanti developers adhere to secure coding practices.
Secure by Design Alignment: our development process includes robust security protocols throughout the product lifecycle, including rigorous threat modelling, vulnerability assessment, and security measures specifically to improve our solutions’ resilience against current and emerging threats – additional details can be found on our website.
Product Security Optimization: we have invested significant resources in our Ivanti Neurons cloud platform to alleviate the burden of security for our customers, including automated security updates, MFA enabled out of the box, and unified role-based access control (RBAC) system.
Network Security Group Enhancements: we have evolved the Network Security Group, which is responsible for developing Ivanti Connect Secure, in both focus, size and product leadership. As of October, this group is led by Michael Riemer – an industry veteran and cybersecurity expert with deep knowledge on this product line. Under Michael’s leadership we have increased internal engineering resources and engaged additional specialised contracted resources, which are in high demand across the network security industry.
Prioritising Product Security Enhancements for Ivanti Connect Secure (ICS): we have prioritised product security enhancements for ICS. This includes our new 25.x version that upgrades to Oracle Linux OS to be completed in 2H 2025. We have also made other significant security enhancements in our Network Security products such as Secure Boot with TPM key management, Non-Root Privilege Access Control, a modernised web service, and WAF component.
Enhancements to the Integrity Checker Tool (ICT): the ICT has been an effective tool at identifying threat actor efforts since its introduction in 2021 and is a prime example of Ivanti’s commitment to proactive security for our solutions. This tool has aided in our forensic efforts and in the case of the vulnerability disclosed on January 8, alerted our customer to threat actor activity on the same day it occurred. This allowed us to respond swiftly and develop a fix for the issue.

Elevating our Vulnerability Management Programme

Vulnerability Identification: we have enhanced internal scanning, manual exploitation and testing capabilities, increased collaboration and information sharing with the security ecosystem, and further enhanced our responsible disclosure process, including becoming a CVE Numbering Authority. While this creates a natural and intended increase in vulnerability disclosure (and consequently, media coverage), it is not indicative of increased risk; on the contrary, it demonstrates our commitment to transparency and going above and beyond industry standards.

Providing Enhanced Support for Secure Product Deployments in the Field

Platform Upgrades: we are working with customers to accelerate customer migration from End-of-Life solutions, including eliminating barriers—be they contractual, technical, or financial—that slow adoption of our most advanced and secure solutions. Together with our customers, we are making significant strides towards achieving full migration to our latest solutions.
On-Prem Security Support: for customers that require on-prem solutions, we have systematically improved our product documentation and are providing best practices to equip them with the tools and knowledge necessary to navigate and mitigate security challenges within their unique operational environments.

Sharing Information with our Customers and Community

Information Sharing and Transparency: we have actively participated in events and created multiple forums for dialogue with our customers, which has deepened our understanding of evolving needs, and enabled us to share crucial insights and lessons learned. We have formalised a strategic programme to collect feedback from customers throughout the customer's lifecycle, enabling a continuous loop of feedback to ensure ongoing alignment with customer needs.