
Nearly 9 out of 10 AI tools inside enterprises are invisible to IT. That’s the finding of a LayerX study that should send shivers down the spine of any executive: AI is shaping decisions, summarizing meetings, and analyzing data without the knowledge — or control — of the very teams meant to secure it. What sounds like a technical oversight has become a board-level crisis, worsened by new global regulations.
Last month, the EU’s AI Act entered its next enforcement stage, forcing enterprises to document how general-purpose AI tools process data and threatening penalties of up to €35 million or 7% of global turnover. Yet weeks later, many organizations remain unprepared, struggling even to inventory which AI features are active in their environments. As regulators demand transparency, most enterprises can’t meet the basic threshold of visibility.
That gap is where the real danger lies. AI isn’t only the domain of headline-grabbing tools like ChatGPT; it’s embedded in the everyday software stack. Zoom can transcribe and summarize meetings, Salesforce can auto-generate reports, Slack can analyze conversations. These features arrive through silent updates, slipping under IT’s radar while handling sensitive data.
Call it AI sprawl. Platforms ship “smart” features by default, leaving enterprises with dozens — sometimes hundreds — of parallel AI apps. IT teams often monitor only a fraction. A report from security platform Zluri found that four out of five AI tools inside enterprises are unmanaged, leaving leaders unsure what data those tools touch, whether they comply with retention rules, or whether they’ve been activated at all.

