Risk
Unmonitored AI and Agent Experimentation
Description
Unauthorized or hidden "shadow" AI environments corporate access from unmanaged personal devices/agents, or unapproved AI tools used from corporate devices and sessions.
Example
Developer runs Claude Code on a personal laptop with corporate repo access and community MCP servers, outside any logging or proxy.
Assets Affected
Agentic Platform
Notebook
Model Files
AI Agent
MCP Server
Mitigation
- Require registration/approval of experiment sandboxes and endpoint agents
- asset inventory
- alert on new/rogue environments
- periodic discovery scans
- log analysis.
Standards Mapping
- ISO: A.3.2, A.4.2
- OWASP agentic: ASI10
- EU AI Act: Art. 17
- DASF: Operations 11.1, Agents-Core 13.13
- AIUC-1: E008, E010