Guest blog from Lead App Analyst at TrustLayer
The modern workplace runs on the cloud. Thousands of cloud applications drive collaboration and innovation; the benefits are undeniable.
But this explosion of cloud services has unleashed a serious security challenge: ‘Shadow IT’ and its fast-rising little brother ‘Shadow AI’. While Shadow AI might be the buzzword of the moment, it’s really just a subset of a much larger problem. Sensitive data slipping through unsanctioned apps, critical actions happening off the radar… it’s the flip side of cloud adoption, and it’s getting harder to ignore.
With new apps appearing daily – and employees gravitating towards their own favourites – the threat is very real. In response, companies take a seemingly logical step: lock everything down and restrict employees to a short list of “approved” applications.
Nothing is in the shadow anymore. But is it really that simple?
The problem with the ‘Approved-List’ approach
What happens when your list of approved apps falls short of employee needs, or the approval process is slow and cumbersome? You create a new problem: the very productivity cloud apps are meant to deliver is stifled.
Why should you limit your teams to a single AI tool when another might be perfect for the job? Why force an engineer to abandon their favourite notetaking app, where their best ideas are born? Restricting choice doesn’t just frustrate employees; it caps their potential and forces them to find workarounds, often creating new, invisible security gaps. This restrictive “approved-list” approach isn’t a solution; it’s a productivity bottleneck.
The true solution lies in finding an easy way to enable all the applications your employees require, securely. With more than 2,000 cloud apps already classified, it’s easy to do with TrustLayer.
But not all security approaches are built for this flexibility. One of the most common — domain-based blocking — sounds effective on paper but quickly falls apart in practice.
The flaw in domain-based blocking
Blocking apps by domain sounds straightforward, but it’s a blunt instrument. Just knowing an app is in use isn’t enough. Mapping applications by domain alone, as traditional security solutions often do, will never provide the flexibility employees require.
For example, you may want your team to read and download corporate documents from a partner’s cloud storage, but still block them from uploading your own sensitive files. Both actions are served from the same domain (the download and upload calls go to the same host), so a domain-based policy forces an impossible all-or-nothing choice.
The two layers of application control: Public and Private APIs
Moving beyond a domain-blocking approach requires real understanding of the application itself. Traditional security tools approach this by analysing the ‘officially documented functions’ provided by the Public API.
Problem solved, right? Unfortunately, not. Public APIs represent only a fraction of the actions an employee can actually perform. Relying on them alone creates a false choice: either allow an application with control over only a few basic functions or block it entirely. Employees are restricted to a limited set of ‘safely mapped-out actions’, and productivity suffers.
The more critical layer of control lies in the Private API. This is what powers most user-facing actions — the actual server calls triggered when someone clicks a button in the interface, such as Share, Export, Download, Delete, or Create Public Link. These calls are undocumented, yet they represent the core of user activity and the highest risk. Without visibility into the Private API, you are blind to the most important user activities.
Why AI can’t close the gap
Many vendors present AI as the answer, but it has significant blind spots. AI tools that scan for file signatures or use image analysis to read text work only up to a point — once a file is encrypted or placed in a password-protected archive, that visibility disappears.
Vendors often suggest using AI to bridge the gap left by relying only on Public APIs, but the problem is that Private APIs don’t follow common standards. Each application has its own hidden commands, which can change at any time without notice. A generic AI model cannot reliably interpret them. At best, it may detect that an action occurred, but without context it can’t judge intent or risk. The result is an illusion of control rather than true visibility.
Unprecedented control through deep analysis and testing
The key to true, context-aware security is understanding the Private API. With visibility of the actual calls being made, it’s then possible to see the context surrounding them – things like file names, user details, and destinations. Now you can move beyond simple blocking and create precise, intelligent policies.
But here’s the challenge: the average mid-market organisation doesn’t have the time or resources to continuously analyse and monitor thousands of evolving APIs. Even large security teams struggle to keep up with the pace of change.
At TrustLayer, our team performs continuous, deep analysis and testing of both the public and private APIs for thousands of cloud applications. This brings you unprecedented granular control without limiting your employees. Imagine being able to enforce rules like:
- Allow employees to share files from your cloud storage, but only with users inside your corporate domain.
- Block any file containing the term 'Financial_Forecast' from being uploaded to any application.
- Alert the security team instantly when a user in the 'Departing Employees' group attempts to download the entire customer list from your CRM.
- Permit your marketing team to use a specific generative AI tool, but block them from uploading any documents marked as 'Confidential'.
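To make the contrast with domain blocking concrete, here is an added example (illustrative code written for this page, not TrustLayer's product and not any real application's API) that evaluates a domain-only policy next to an action-level policy over a handful of constructed request events. The hosts, paths, user names, group names and labels are assumptions; the small `(host, method, path) -> action` map stands in for the per-application private-API mapping the article describes, and the four rules are the ones listed above.

```python
"""Domain-only vs action-level cloud-app policy (illustrative example, not TrustLayer code)."""
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Event:
    """Constructed view of one request as an inline proxy would see it, with context."""
    host: str
    method: str
    path: str
    user: str
    groups: frozenset[str] = frozenset()
    file_name: str = ""
    labels: frozenset[str] = frozenset()
    share_targets: tuple[str, ...] = ()


# 1. Domain-only control: one verdict per host, whatever the request does.
DOMAIN_POLICY = {"drive.partner.example": "allow"}


def domain_verdict(ev: Event) -> str:
    return DOMAIN_POLICY.get(ev.host, "block")


# 2. Action-level control. This map stands in for the per-app private-API mapping;
# the hosts and paths are hypothetical, and real ones change without notice.
ACTION_MAP = [
    ("drive.partner.example", "GET",  "/api/files/*/content", "download"),
    ("drive.partner.example", "POST", "/api/files/upload",    "upload"),
    ("drive.partner.example", "POST", "/api/files/*/share",   "share"),
    ("crm.example",           "GET",  "/export/contacts",     "export"),
    ("chat.ai.example",       "POST", "/v1/files",            "upload"),
]

CORP_DOMAIN = "corp.example"  # assumed corporate mail domain


def classify(ev: Event) -> str | None:
    """Map a raw call to a named user action; None means the engine has no visibility."""
    for host, method, pattern, action in ACTION_MAP:
        if ev.host == host and ev.method == method and fnmatchcase(ev.path, pattern):
            return action
    return None


def action_verdict(ev: Event) -> tuple[str, str]:
    """Return (verdict, reason); verdict is one of allow, block, alert."""
    action = classify(ev)
    if action is None:
        # Policy choice: fail closed on calls the map does not cover. An inline
        # proxy that must not break the app might allow-and-log instead.
        return "block", "unmapped call"
    if action == "share" and any(
        not t.lower().endswith("@" + CORP_DOMAIN) for t in ev.share_targets
    ):
        return "block", "share outside corporate domain"
    if action == "upload" and "Financial_Forecast" in ev.file_name:
        return "block", "restricted file name"
    if action == "export" and "Departing Employees" in ev.groups:
        return "alert", "departing employee exporting CRM data"
    if ev.host == "chat.ai.example" and action == "upload" and "Confidential" in ev.labels:
        return "block", "confidential document to generative AI tool"
    return "allow", action


# Constructed events: the first four all hit the same partner domain.
DOWNLOAD = Event("drive.partner.example", "GET", "/api/files/9f3/content",
                 "alice@corp.example", file_name="Q3_brief.pdf")
UPLOAD_OK = Event("drive.partner.example", "POST", "/api/files/upload",
                  "alice@corp.example", file_name="agenda.docx")
UPLOAD_BAD = Event("drive.partner.example", "POST", "/api/files/upload",
                   "alice@corp.example", file_name="Financial_Forecast_FY25.xlsx")
SHARE_EXT = Event("drive.partner.example", "POST", "/api/files/9f3/share",
                  "alice@corp.example", share_targets=("bob@gmail.example",))
CRM_EXPORT = Event("crm.example", "GET", "/export/contacts", "carol@corp.example",
                   groups=frozenset({"Departing Employees"}))
AI_UPLOAD = Event("chat.ai.example", "POST", "/v1/files", "dan@corp.example",
                  file_name="roadmap.pdf", labels=frozenset({"Confidential"}))


def compare(events: list[Event]) -> list[tuple[str, str, str]]:
    """Side by side: (path, domain-only verdict, action-level verdict) per event."""
    return [(ev.path, domain_verdict(ev), action_verdict(ev)[0]) for ev in events]


if __name__ == "__main__":
    for path, dom, act in compare([DOWNLOAD, UPLOAD_OK, UPLOAD_BAD, SHARE_EXT, CRM_EXPORT, AI_UPLOAD]):
        print(f"{path:28} domain-only={dom:6} action-level={act}")
```

Run it and the partner-drive rows show the problem from the previous section: the domain-only policy returns `allow` for the download, the harmless upload, the restricted-filename upload and the external share alike, because they all share a host, while the action-level policy allows the first two and blocks the last two. The `classify` function returning `None` for anything outside `ACTION_MAP` is the other point worth noticing: a delete call the map does not cover, or an upload path the vendor renamed last week, leaves the engine blind, which is the maintenance burden the next section is about.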
With TrustLayer, you skip the tedious work and move straight to control. Instead of manually mapping hundreds of apps, you simply choose the apps you want to manage, select the actions you want to control, and gain unprecedented command over your cloud environment.
Take a step towards control
Shadow IT and Shadow AI don’t have to run your cloud — but stopping them takes more than just policy. The real challenge is putting controls in place that protect without slowing your people down.
That’s exactly what Tom Beresford will be unpacking in our upcoming webinar: “Can you control AI risk without killing productivity?”. He’ll break down how action-level policies make the difference between disruption and control, and how to start blocking risky behaviours without creating bottlenecks.
Register here to join Tom live on 18 September and walk away with a practical plan for keeping Shadow IT and Shadow AI in check.