AI Adoption Research from Nudge Security Reveals How Widespread AI Use Is Transforming Security Governance
What happened
Nudge Security published AI adoption research in June 2026 documenting the scale and composition of enterprise AI tool use across its customer base. The research finds that AI agents, integrations, and AI-native development platforms are now embedded in standard enterprise workflows at a scale that outpaces governance controls designed for traditional SaaS procurement. OpenAI and Anthropic remain the dominant providers by integration volume. Emerging agent tools including Manus and Lindy are entering enterprise environments through individual contributor adoption rather than IT procurement channels. The report identifies data egress as the primary governance gap: enterprise data is leaving controlled environments through prompts, file uploads, and OAuth-connected integrations, in ways that existing data loss prevention and vendor risk controls were not designed to detect or restrict.
Why it matters
- AI tool adoption is now primarily bottom-up. Security and compliance teams are building governance programs retroactively against a deployment baseline that already exists, not establishing controls before adoption begins.
- Agent tools like Manus and Lindy that accept OAuth connections to enterprise systems create data exposure pathways that bypass traditional perimeter controls. Once connected, an agent can pull, process, and retain data outside approved data boundaries with no visibility to security teams.
- Prompt and file upload egress channels are invisible to most DLP systems tuned for email and file transfers. Organizations that believe they have comprehensive data loss controls may have exposure in AI interactions that those controls do not cover.
- Third-party AI vendor risk assessments focused on contract terms miss the operational risk from connected integrations and persistent data retention in provider systems, meaning PRC controls need to extend to OAuth-granted agent access.
Governance controls affected
What to do now
- ☐ Deploy an AI tool inventory mechanism capable of discovering OAuth-connected AI applications and agents, not just approved vendors in the procurement system.
- ☐ Extend data loss prevention policy scope to cover AI prompt and file upload channels, and test detection coverage against representative prompt-based data extraction scenarios.
- ☐ Classify AI agents and integrations with OAuth access to production systems as third-party risk assets and apply vendor risk assessment procedures (PRC-001) to them.
- ☐ Update acceptable-use policy to require that AI tool connections to enterprise systems go through a lightweight approval workflow, even for individual contributor tools.
- ☐ Audit currently connected AI applications for scope of OAuth access granted and revoke permissions that exceed the documented use case.
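One way to run the inventory and scope audit from the checklist above, as an added example that is not from Nudge Security's research: it compares an export of OAuth grants with a register of approved AI apps and the scopes their documented use case needs. The export format, app names, scope strings and register are constructed for illustration.

```python
import json

# Constructed sample: an export of OAuth grants. The field names, app names and
# scope strings are assumptions for illustration, not any vendor's real schema.
GRANTS_JSON = """[
  {"app": "example-agent", "user": "alice@example.com",
   "scopes": ["files.read", "files.write", "mail.read"]},
  {"app": "example-agent", "user": "bob@example.com", "scopes": ["files.read"]},
  {"app": "example-notetaker", "user": "carol@example.com",
   "scopes": ["calendar.read", "mail.send"]},
  {"app": "unreviewed-assistant", "user": "dave@example.com",
   "scopes": ["files.read"]}
]"""

# Hypothetical approval register: app -> scopes its documented use case needs.
APPROVED = {
    "example-agent": {"files.read"},
    "example-notetaker": {"calendar.read"},
}

def audit_grants(grants, approved):
    """Flag grants to apps missing from the register or exceeding documented scopes."""
    findings = []
    for grant in grants:
        granted = set(grant.get("scopes", []))
        allowed = approved.get(grant["app"])
        if allowed is None:
            issue, flagged = "not_in_inventory", granted  # app was never reviewed
        elif granted - allowed:
            issue, flagged = "excess_scope", granted - allowed
        else:
            continue                                      # grant matches its use case
        findings.append({"app": grant["app"], "user": grant["user"],
                         "issue": issue, "flagged": sorted(flagged)})
    return findings

def flagged_by_app(findings):
    """Roll findings up to one sorted scope list per app for the review ticket."""
    rollup = {}
    for f in findings:
        rollup.setdefault(f["app"], set()).update(f["flagged"])
    return {app: sorted(scopes) for app, scopes in rollup.items()}

if __name__ == "__main__":
    results = audit_grants(json.loads(GRANTS_JSON), APPROVED)
    for f in results:
        print(f'{f["issue"]:<17} {f["app"]:<21} {f["user"]:<18} {f["flagged"]}')
    print(flagged_by_app(results))
```
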
What to watch next
Nudge Security's ongoing visibility into enterprise AI tool adoption positions them to release periodic benchmarks as agent adoption accelerates. Watch for follow-on research on agent credential patterns and OAuth scope accumulation, which will likely surface as the next major enterprise governance challenge as agentic AI deployments scale.
