AI Governance Institute logo
AI Governance Institute

Practical Governance for Enterprise AI

← News
Research2026-06-19

AI Adoption Research from Nudge Security Reveals How Widespread AI Use Is Transforming Security Governance

What happened

Nudge Security published AI adoption research in June 2026 documenting the scale and composition of enterprise AI tool use across its customer base. The research finds that AI agents, integrations, and AI-native development platforms are now embedded in standard enterprise workflows at a scale that outpaces governance controls designed for traditional SaaS procurement. OpenAI and Anthropic remain the dominant providers by integration volume. Emerging agent tools including Manus and Lindy are entering enterprise environments through individual contributor adoption rather than IT procurement channels. The report identifies data egress as the primary governance gap: enterprise data is leaving controlled environments through prompts, file uploads, and OAuth-connected integrations, in ways that existing data loss prevention and vendor risk controls were not designed to detect or restrict.

Why it matters

  • ·AI tool adoption is now primarily bottom-up. Security and compliance teams are building governance programs retroactively against a deployment baseline that already exists, not establishing controls before adoption begins.
  • ·Agent tools like Manus and Lindy that accept OAuth connections to enterprise systems create data exposure pathways that bypass traditional perimeter controls. Once connected, an agent can pull, process, and retain data outside approved data boundaries with no visibility to security teams.
  • ·Prompt and file upload egress channels are invisible to most DLP systems tuned for email and file transfers. Organizations that believe they have comprehensive data loss controls may have uncovered exposure in AI interactions.
  • ·Third-party AI vendor risk assessments focused on contract terms miss the operational risk from connected integrations and persistent data retention in provider systems, meaning PRC controls need to extend to OAuth-granted agent access.

Governance controls affected

What to do now

  • Deploy an AI tool inventory mechanism capable of discovering OAuth-connected AI applications and agents, not just approved vendors in the procurement system.
  • Extend data loss prevention policy scope to cover AI prompt and file upload channels, and test detection coverage against representative prompt-based data extraction scenarios.
  • Classify AI agents and integrations with OAuth access to production systems as third-party risk assets and apply vendor risk assessment procedures (PRC-001) to them.
  • Update acceptable-use policy to require that AI tool connections to enterprise systems go through a lightweight approval workflow, even for individual contributor tools.
  • Audit currently connected AI applications for scope of OAuth access granted and revoke permissions that exceed the documented use case.

What to watch next

Nudge Security's ongoing visibility into enterprise AI tool adoption positions them to release periodic benchmarks as agent adoption accelerates. Watch for follow-on research on agent credential patterns and OAuth scope accumulation, which will likely surface as the next major enterprise governance challenge as agentic AI deployments scale.

Related Coverage

Corporate Policy2026-07-07

OneTrust's AI Governance Committee Framework Sets a Practical Bar for Agentic AI Controls, Including Traceability and Least-Privilege Requirements

OneTrust has published a detailed account of how it built its own AI Governance Committee, including a structured 'buy versus build' decision framework for third-party AI tools and specific controls for agentic AI systems. The guidance requires decision control restrictions, full traceability of autonomous actions, and least-privilege data governance for any AI that operates with meaningful autonomy. The publication functions as a practitioner implementation guide that compliance teams at other enterprises can benchmark against their own programs.

Corporate Policy2026-07-01

Snowflake's Agentic Enterprise Framework Puts Data Governance at the Center of Marketing AI Accountability

Snowflake published a governance framework titled 'The Agentic Enterprise: AI Governance for Marketing Leaders (2026),' aimed at organizations deploying AI agents in marketing workflows. The framework argues that no AI strategy is viable without unified data governance and access controls, and it sets out privacy and accountability requirements for agents operating on enterprise data. Marketing organizations and the compliance functions that support them are the primary audience.

Standards2026-07-05

Agentic AI Governance Demands Dedicated Controls, Mayer Brown Guidance Finds: Least Privilege and Human Checkpoints Are the Core Requirements

Mayer Brown published practitioner guidance titled 'Governance of Agentic Artificial Intelligence Systems' on February 5, 2026, outlining how enterprises should adapt existing AI governance programs to address the distinct risks posed by autonomous agent systems. The guidance recommends pre-deployment testing across task execution, policy compliance, and tool usage robustness, alongside post-deployment behavioral monitoring. It emphasizes least-privilege technical controls and structured human oversight checkpoints as the foundational safeguards for agentic AI.