May 7, 2026

When the exposure is already credentialed

AI vs AI
| Part
3

Reading time:

5 minutes

76% of organizations have shadow AI. The threat isn't at the gate. It has a badge you issued. On vendor-embedded models, compromised plugins, and the tools your team invited in.

Read the full AI Security Series

1. The gap nobody's watching
93% confident. 29% prepared. One person jailbroke a chatbot and emptied ten government agencies. The distance between the story the boardroom hears and the one the incident report tells.

2. 27 seconds to breakout
27-second breakout times. AI-generated phishing that knows your team by name. The dark hoodie hacker lost their job to AI too. What replaced them doesn't sleep.

3. The threat wearing your own badge
76% of organizations have shadow AI. The threat isn't at the gate. It has a badge you issued. Vendor-embedded models, compromised plugins, and the tools your team invited in.

4. Sovereignty is an architecture decision
Everyone's saying sovereign. This article is about what happens when your customer asks and your answer needs caveats. Interchangeability, vendor independence, and what the CLOUD Act means for Canadian data.

5. The people gap
The AI security job posting asks for four careers in one person. That person doesn't exist. The work does. Hour banks, returnable context, and a PMO that holds it all together.

6. What to ask your vendor
Seven questions. Print them out. Bring them to the meeting. Look for straight answers, not carefully worded topic changes. Use them on everyone. Including us.

7. What it looks like when AI security works
Tuesday morning. The phone didn't ring. The customer didn't leave. The Reddit thread didn't get written. That's what good looks like.

Author

Dimitri Phalen is the marketing lead at ISM who prefers plain language over big claims. For years, he’s worked behind the scenes, translating messy, complex IT problems into something teams can actually use. If something sounds like it was written by someone with not enough coffee, who’s been sitting too close to the delivery team for too long, that’s probably his fault.

The approved process for analyzing customer churn data takes three days. Gary knows this because Gary has submitted the request four times this quarter and waited each time while the data team queued it behind six other departments with a more senior sponsor. The AI tool Gary saw at a conference does it in three minutes. He signs up with his work email. Uploads the dataset. Gets his answer. Shows his team lead. His team lead sees a result and doesn't ask questions.

Within a month, two other departments are on it. Nobody tells security. Nobody tells compliance. Nobody reads the terms of service, which explain in language designed to be skipped that uploaded data may be used to improve the provider’s models. Nobody asked who owns that provider, and how far the raw data can go. Gary just donated two years of customer transaction data to a training set his organization will never see, never audit, and never get back. He did it because the approved process moved at the speed of Toronto traffic and nobody gave him a better option.

Gary isn’t the problem. Gary is the symptom.

The threat that already has a staff badge

HiddenLayer’s 2026 AI Threat Landscape Report puts shadow AI adoption at 76% of organizations, up from 61% the year before. Fifteen points in twelve months. But that number undersells what’s actually happening, because most of that shadow AI didn’t sneak in through the back door. It arrived in a software update.

Your CRM got an AI assistant last quarter. Your service desk added a chatbot that triages tickets. Your HR platform now screens resumes with a model nobody in IT was asked to evaluate. Each of these tools touches your data, holds permissions inherited from the platform it lives inside, and makes decisions about what to surface, filter, or forward. None of them went through a security review, because nobody classified a software update as a new AI deployment. The vendor didn’t call it that. They called it “enhanced features” in a font size that doesn’t invite questions. Nobody checked if those tools inherit the users own permissions. Gary's login can access a lot of sensitive materials.

One in eight companies surveyed by HiddenLayer have already experienced a breach linked to agentic AI systems. And 53% admitted they’ve withheld breach reporting because they’re afraid of the backlash. The incident count in the news is a floor. The ceiling is somewhere nobody’s willing to talk about publicly.

The AI that forgot what it was supposed to protect

Your resume screener has been filtering out qualified candidates for three months. Not obviously. Not in a way that triggers a complaint. It just quietly stopped surfacing people that didn't fit the training model it learned in another geography and industry, because something in its training data taught it those patterns were noise. Your hiring manager thinks the talent pool is weak. Your HR director is planning a recruiting spend increase. The model thinks it’s doing exactly what you asked. Your dashboard agrees. They’re both wrong.

Lakera AI published research showing how poisoned data, injected through an AI agent’s own data feed, can corrupt its long-term memory. Not its outputs. Its understanding. The agent develops a persistent, incorrect belief about its own security policies and defends that belief as correct when humans question it. An AI that’s been compromised this way doesn’t throw errors. It throws confidence. It looks fine on every dashboard you have because the dashboards measure what the agent reports about itself.

Then there’s the cascade. Galileo AI ran simulations of multi-agent systems and found that a single compromised agent poisoned 87% of downstream decision-making within four hours. Your SIEM shows fifty failed transactions. It can’t tell you which agent started the chain, because the agents communicate in ways your monitoring tools weren’t built to parse. This isn’t a spectacular breach. It’s a slow drift that looks like normal operations until the damage is structural. Like carbon monoxide. Odourless, colourless, and the detector you bought was designed for smoke.

And if you think the approved tools are the only exposure: earlier this year, a supply chain attack hit the OpenAI plugin ecosystem. Compromised agent credentials harvested from 47 enterprise deployments. Customer data, financial records, proprietary code, accessed for six months before anyone noticed. Not because security teams were negligent. Because the compromised plugin was approved. The credentials it used were the ones it was supposed to have. The data it accessed was data it had permission to touch. The only wrong thing was where that data went afterward, through a channel nobody thought to monitor, because why would you monitor a tool that’s doing exactly what it’s allowed to do?

Gary’s door is still open

Gary’s tool is still running. His team uses it daily. It’s not on the asset inventory. It’s not in the incident response playbook. If something goes wrong with it tomorrow, nobody knows who to call or what to shut down. And Gary’s tool is one of dozens scattered across the org, adopted by people who needed something faster than the process they were given.

The answer isn’t banning Gary’s tools. Banning them is how you guarantee shadow AI doubles by next quarter. People find workarounds when you take away the thing that made them productive, and the workarounds don’t come with terms of service at all.

The answer is building the architecture that lets Gary use AI safely with guardrails he never has to think about. Policy-as-code that constrains what the tool can access, what data it can reach, where it can send outputs. Governance that catches new tools when they connect, assesses them before the first dataset is uploaded, and either brings them into the fold or explains to Gary why this one doesn’t meet the bar. An inventory that knows what’s running before the security team has to find out the hard way.

That’s the foundation work we keep coming back to. The cataloguing, the mapping, the governance architecture. We’ve written about it in the Data Series and we’ve been doing it for fifty years under different names. The organizations furthest ahead on AI security right now aren’t the ones with the best models. They’re the ones who did the boring inventory work and built architecture that lets them say yes to new tools without wondering what they’re exposing.

Gary is still clicking. The question is what catches what comes next.

Read next

Every vendor in Canada is saying “sovereign” right now. Telus, Bell, CGI, your toonie’s worth of LinkedIn ads before lunch. Article 4 takes the word out of the press release cycle and into the architecture conversation where it belongs. What does sovereignty actually mean when someone tests it? Less than you’d think. More than you’d hope. Sovereignty is an architecture decision.

Cites

HiddenLayer 2026 AI Threat Landscape Report: 76% shadow AI adoption, 1 in 8 breached via agentic AI, 53% withheld breach reporting

Lakera AI: Research on long-term memory corruption in AI agents via poisoned data feeds

Galileo AI: Multi-agent cascade simulations, single compromised agent poisoning 87% of downstream decisions in four hours

OpenAI plugin ecosystem supply chain attack: 47 enterprise deployments compromised, six months undetected

Want to understand how we work?

Every conversation starts with your environment. Not our product list.

Get in touch
ArrowArrow

It's not about the technology, or the processes. It's about your clients, your users, and the hard won trust you've built. Every team here keeps that at heart.

Mobile CTA