Every company now has access to AI, but many have not deployed it. Employees paste customer records into a chatbot to draft a reply, run spreadsheets through a free analysis tool, and connect AI assistants to email and calendars without asking anyone. The work gets done faster. The data goes somewhere the security team cannot see.
This is shadow AI, and it spread quickly because it needs no installation and no budget. A browser tab is enough. But this is not just the old problem of employees signing up for unapproved apps. AI is now built into tools companies already use, from help desks and CRMs to document platforms. The line between approved software and ungoverned AI now runs straight through products already inside the building.
That is what makes the risk harder to see. The danger is not just one new account nobody tracked. It is a new AI behavior inside software that the company already approved, using the access already granted to that software to read, summarize, or move data in new ways.
Public AI tools still create an obvious leak. What employees paste into them can leave the company's control, and depending on the service and its settings, it may be retained or used to improve the system. Regulated data can end up in places the company never approved, creating compliance problems nobody meant to create.
Most teams cannot answer the first question: which AI tools are employees using, and what company data went into them?
That is the split across this year's winners: some help companies find shadow AI, and others help control it once it is found.
Start with finding it. Nudge Security and Kanopy Security surface the AI and SaaS tools already in use, with Kanopy aimed directly at shadow AI, and Optro turns that visibility into governance and compliance. Two others work the opposite side, giving AI a governed path instead of an unmanaged one.
Airia gives enterprises a controlled place to run AI rather than leaving each team to pick its own, and Arnica brings governance into the software pipeline, where AI enters through code, agents, and developer workflows.
Then comes controlling how it is used. LayerX Security won in AI Usage Control for governing AI inside the browser, where a lot of shadow AI starts, setting limits on what employees can paste and where. Jazz was recognized for AI-native data loss prevention: watching sensitive data move into AI tools, not just files leaving the company by email or download.
Blocklists only go so far. Polygraf, named one of the year's Most Innovative companies, focuses on behavior-based control, governing AI by what it is doing rather than which tool is on a list.
The mistake is treating shadow AI as something to keep out. Vetting a vendor is not the same as governing its AI, and a tool can be approved and still bring new AI risk. The software you already paid for is now the software you have to watch. Find it, then govern it.
The complete list of 2026 Cybersecurity Stars Awards winners is live at awards.thehackernews.com/winners/2026.