Cybersecurity Awareness Month Is for Security Leaders, Too

Think you know all there is to know about cybersecurity? Guess again. Shadow AI is challenging security leaders with many of the same issues raised by other “shadow” technologies. Only this time, it’s evolving at breakneck speed.
Key takeaways:
- The vast majority of organizations (89%) are either using AI or piloting it.
- Shadow AI lurks beyond these sanctioned deployments — and beyond the view of security teams.
- Exposure management gives you a unified view of the entire attack surface, so you can find and mitigate AI risks across endpoints, networks, cloud, data, and AI platforms.
Cybersecurity Awareness Month, led every October by the U.S. National Cybersecurity Alliance (NCA) and the Cybersecurity and Infrastructure Security Agency (CISA), is aimed at teaching employees and the general public how to stay safe online.
Security leaders and practitioners working on the frontlines every day may rightfully believe they’ve heard it all already. But I’ve got news for you: we’re in the midst of a technology transformation that will make the early days of shadow IT seem like a walk in the park.
I’m talking about shadow AI.
While you’re reading this, some of your employees are probably pasting sensitive information into AI tools like Microsoft Copilot and Google Gemini so they can do their jobs faster. Some of your developers are likely using it for “vibe coding,” sending the output straight to production without quality control. Business managers are probably using large language models to make strategy recommendations for their next quarterly business review meeting.
The vast majority of organizations are formally embracing AI. A recent study commissioned by Tenable and developed in collaboration with the Cloud Security Alliance found that 89% of organizations are either using AI (55%) or piloting it (34%).
In the best of circumstances, organizations are rolling out sanctioned AI deployments accompanied by clear usage guidelines and education about best practices. Even so, the CSA study found a third of organizations (34%) have already suffered an AI-related breach. While some of these breaches are the result of security flaws or model manipulation specific to AI itself, many are caused by the same old issues that have plagued us for years: exploited software vulnerabilities and insider threats.
Even when your organization has an approved list of AI tools available for employees, odds are they’re also making use of shadow AI. That’s because AI is a core driver of business innovation and, like the cloud and smartphones and every innovative technology that came before it, nothing is going to hold AI back from being an enabler of business.
For security leaders, AI is redefining the modern attack surface, with new models, agentic actions, and complex data flows constantly surfacing. The velocity of AI creates too many new exposures, too quickly, because AI agents are taking actions with no human supervision, making this an even faster evolution than any that have come before.
Security teams lack visibility into what AI tools are being used. They often have no inventory of AI models, agents, data inputs and outputs, or integrations, making it nearly impossible to monitor or enforce controls effectively. The complexity of modern AI ecosystems further increases risk for organizations that build AI. AI stacks rely on layered cloud services, APIs, and vector databases, introducing misconfigurations, over-permissioned roles, and inherited vulnerabilities. Plus, AI workloads are particularly exposed; a study by Tenable Cloud Research found that 70% contain at least one unpatched critical flaw, compared to 50% for non-AI workloads.
Addressing shadow AI requires a proactive approach
Security, historically a reactive function, is playing catch-up. The traditional cycle of finding and patching individual vulnerabilities is too slow to handle the exponential growth of AI. To close this gap, security needs to move from a reactive posture to a preventative one focused on proactive exposure management.
With exposure management, you get:
- A unified view of the entire attack surface, so you can find and mitigate AI risks across endpoints, networks, cloud, data, and AI platforms;
- The ability to understand how employees interact with tools like ChatGPT Enterprise and Microsoft Copilot, including what data is involved, how AI assistants and AI agents behave, and which workflows those interactions trigger across the organization’s environment;
- A way to spot and disable prompt manipulation techniques like direct and indirect prompt injection or jailbreaks; and
- A means of protecting against malicious actions triggered by AI agents, whether accidental or attacker-driven, while also uncovering misconfigurations, unsafe workflows, or tools connected to risky external systems.
In short, you get the ability to predict likely attack paths, including those targeting AI, so you can proactively secure AI before it is compromised.
It’s time to be aware of shadow AI as a new category of enterprise risk, one we ignore at our own peril. The lesson here is that AI security is not optional. It is not a future concern. It is not someone else’s problem. It is the next frontier of enterprise risk, and security leaders have a responsibility to educate themselves and implement programs like exposure management to reduce risk.