The Shadow AI Running Inside Your Clients' Environments and How MSPs Can Get Ahead of It
It's Monday morning. A client's controller is on the phone. She spent Friday afternoon cleaning up the vendor list inside their accounting platform's new AI assistant. The AI flagged three vendor records as likely duplicates and recommended consolidating them. She clicked yes.
By Sunday night, four weeks of journal entries were tied to a vendor that no longer existed. Reconciliation was broken. AP was a mess. The auditor was due Wednesday.
AI made a confident recommendation that turned out to be wrong. That happens. What matters more is the question that follows.
Who knew this tool existed in the environment, and what controls were in place to govern how it was used?
That's the conversation not enough MSPs are having with their clients. Given how fast AI has been folded into the SaaS tools clients already use, it's becoming harder to justify not having it.
The Confidence Problem
Your clients are running AI inside applications you didn't deploy, with permissions you didn't review, generating recommendations they're acting on without checking the output. AI agents don't signal uncertainty when they get something wrong, and from the user's seat, a confident wrong answer looks identical to a confident right one.
A 2025 benchmark from Artificial Analysis tested 40 commercial AI models. On hard questions, all but four were more likely to give a confidently wrong answer than to admit they didn't know. That's not a flaw that'll be patched out in the next release. It's a characteristic of how these models work, and understanding that is the starting point for a useful conversation with clients.
The Gap Between What Organizations Say and What's Actually Happening
The Purple Book Community surveyed more than 650 senior security leaders for their State of AI Risk Management 2026 report. The numbers are instructive.
90% of organizations say they can see what data is flowing to AI systems. 59% admit they have shadow AI. Both can't be true, and yet both are reported as true by the same organizations. 86% claim they maintain a complete AI inventory, but those inventories only cover formally approved tools. They don't cover the Copilot features baked into the SaaS stack, the AI assistants quietly enabled by default, or the employee who pastes client data into a public chatbot to summarize a contract on a Tuesday afternoon.
78% of organizations are deploying or piloting agentic AI, systems that take actions without a human in the loop. 66% are using AI extensively in software development. And 70.4% report confirmed or suspected vulnerabilities introduced by AI-generated code in production, while 92% of those same organizations say their tools effectively detect those vulnerabilities.
Most of them are finding the problem after the code is in production. Adoption has outpaced governance, and most organizations aren't closing the loop.
Why This Matters for MSPs
When something goes wrong and the investigation starts, the questions that follow are predictable. Did the MSP know AI was in use across the client environment? When was the last inventory? Was there a policy defining what AI could and couldn't do? Was there a documented conversation with the client about hallucination risk? Were AI-initiated actions logged separately from human ones? Did the client sign a risk acceptance acknowledging the gap?
These aren't unfair questions. They're the same questions that get asked after any control failure. The standard applied is whether reasonable security was exercised, and reasonable security in 2026 includes governance around the AI already running inside your clients. It's the baseline now, not an emerging best practice.
What Reasonable Governance Looks Like
Demonstrating that AI governance was taken seriously doesn't require solving every problem. It requires building the right habits. Here's what that looks like in practice.
Maintain your own AI inventory. Don't rely on what the client tells you they're running. Build it yourself by reviewing their SaaS stack, browser extensions, and the features that get auto-enabled at every vendor update. Refresh it quarterly.
Scope AI permissions the same way you'd scope a human engineer's. If the AI can read, it shouldn't be able to delete. If it can write to one client record, it shouldn't be able to write to all of them. Elevated access is elevated access, regardless of who or what holds it.
Require a human in the loop for any action that changes state. For configuration changes, file deletions, account modifications, and code merges, the model can recommend, but a human approves before anything happens. One bad automated decision at the wrong moment is all it takes to turn a useful tool into a massive problem.
Log AI actions separately from human ones. When a forensic team shows up, being able to reconstruct what the AI did, when, and why is the difference between a contained incident and a prolonged investigation.
Document the conversation about hallucination risk and shadow AI. Frame it like any other risk acceptance: here's what's running, here's what could go wrong, here's what we recommend. If the client declines, get the signature.
Make sure your IR plan accounts for AI. If a breach was assisted by an AI recommendation or an AI-generated artifact, your plan should already know how to capture that evidence.
None of this is exotic. It's what you already do for human users, applied to a faster and less self-aware one.
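As an added illustration (not code from this article or from any vendor), here is one way the inventory, scoping, human-approval and separate-logging habits above could sit in a single gate in front of an AI integration. The agent names, action verbs and record ids are hypothetical, and the sample requests are constructed.

```python
import json
import time
from dataclasses import dataclass

# Hypothetical action verbs; anything here changes state and needs a human.
STATE_CHANGING = {"update", "delete", "merge"}

@dataclass(frozen=True)
class Grant:
    actions: frozenset   # verbs this AI integration may use
    records: frozenset   # explicit record ids, no wildcard

class AIActionGate:
    def __init__(self, inventory):
        self.inventory = inventory   # agent name -> Grant (the AI inventory)
        self.ai_audit = []           # AI-only trail, separate from human logs

    def _log(self, agent, action, record, reason, approver, decision):
        self.ai_audit.append(json.dumps({
            "ts": time.time(), "actor_type": "ai", "agent": agent,
            "action": action, "record": record, "model_reason": reason,
            "approved_by": approver, "decision": decision}))
        return decision

    def request(self, agent, action, record, reason, approver=None):
        args = (agent, action, record, reason, approver)
        grant = self.inventory.get(agent)
        if grant is None:                        # not in inventory: shadow AI
            return self._log(*args, "denied:not_in_inventory")
        if action not in grant.actions or record not in grant.records:
            return self._log(*args, "denied:out_of_scope")
        if action in STATE_CHANGING and approver is None:
            return self._log(*args, "held:needs_human_approval")
        return self._log(*args, "allowed")

def demo():
    # Constructed sample: an accounting assistant scoped to two vendor records.
    gate = AIActionGate({"acct-assistant": Grant(
        frozenset({"read", "merge"}), frozenset({"vendor-101", "vendor-102"}))})
    why = "records look like duplicates"
    results = [
        gate.request("acct-assistant", "read", "vendor-101", why),
        gate.request("acct-assistant", "merge", "vendor-101", why),
        gate.request("acct-assistant", "merge", "vendor-101", why, "controller"),
        gate.request("acct-assistant", "delete", "vendor-101", why, "controller"),
        gate.request("acct-assistant", "merge", "vendor-999", why, "controller"),
        gate.request("browser-ext-bot", "read", "vendor-101", why),
    ]
    return results, gate.ai_audit
```

Calling demo() returns the six decisions plus the AI-only audit trail; every entry, including the denials, records the agent, the model's stated reason and who approved it.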
The Conversation Worth Having
Most clients haven't thought carefully about any of this. Their finance team is using Copilot. Their marketing team's feeding prospect data into ChatGPT. Their developers are accepting AI-generated pull requests. Internal IT didn't design that usage. It just accumulated.
That's your opening.
You don't walk in selling AI governance. You walk in with a clear picture of what's running in their environment and what their current cyber policy requires them to demonstrate. Most policies signed in the last 18 months include affirmations about monitoring, incident response, and acceptable use that clients can't currently prove if they're audited.
Think of it less as delivering bad news and more as showing them the gap before someone else finds it.
If they engage, you've got a defensible and valuable service on your books. If they decline, you document the conversation and the risk acceptance. Either way, you've done the work that holds up to scrutiny.
One Last Thing
Pull up your top ten clients. Ask one question.
If an incident traced back to an AI-generated recommendation or a shadow AI tool nobody knew was there, what would you produce as evidence that you raised the issue and addressed it?
If the answer isn't clear, that's your starting point.
AI governance is a practice, and like any security practice, the organizations that build it incrementally and document it consistently are the ones that hold up when something goes wrong. Your clients are already using these tools. Getting ahead of how they're used is exactly the kind of work that justifies the trust they've placed in you.


