
Shadow AI now involves employees building complete AI-driven applications, integrating them with production systems, and publishing them on the open internet without Security or IT involvement. The risk surface expands because the artifact changes from a prompt to a product. A category-level investigation found more than 380,000 publicly accessible web assets across leading vibe-coding platforms, with thousands appearing corporate. Over 2,000 corporate assets contained sensitive corporate, operational, or personal data and were deployed without basic access controls, sometimes granting admin access by default to anyone who reached the URL. The exposures spanned multiple continents and industries and were reachable without any exploitation. Vibe coding enables non-developers to ship working applications quickly and connect them to CRMs, ERPs, ticketing tools, and BI platforms, often with whatever access controls the builder configured, and frequently none.
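The "admin access by default to anyone who reached the URL" pattern is easier to recognise, and to audit for, in code. The following is an added example written for this page, not code from Red Access, the report, or any vibe-coding platform: a framework-free request dispatcher that shows the no-authentication handler a generated app often ships with beside a deny-by-default version, plus a small audit helper that lists every route registered without a role requirement. The session tokens, users, and vendor record are constructed sample data.

```python
"""
Added example (not from the report or the article): a minimal request
dispatcher contrasting an "admin by default" handler with one that denies
by default and requires an explicit role. No framework so it runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
import hmac

# Constructed sample data: a session store and the records the app fronts.
SESSIONS = {
    "tok-alice": {"user": "alice", "role": "viewer"},
    "tok-carol": {"user": "carol", "role": "admin"},
}
VENDORS = [{"id": 1, "name": "Acme Ltd", "bank_iban": "XX00 CONSTRUCTED"}]


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: object = None


# --- Pattern 1: what a generated app frequently ships with -------------------
def vulnerable_dispatch(req: Request) -> Response:
    """No authentication at all: whoever reaches the URL sees admin data."""
    if req.path == "/admin/vendors":
        return Response(200, VENDORS)
    return Response(404)


# --- Pattern 2: deny by default, explicit role per route ---------------------
def current_principal(req: Request) -> Optional[dict]:
    """Resolve a bearer token to a session, or None if absent/unknown."""
    token = req.headers.get("Authorization", "")
    if not token.startswith("Bearer "):
        return None
    presented = token[len("Bearer "):].encode()
    for stored, principal in SESSIONS.items():
        # Constant-time comparison avoids leaking token bytes via timing.
        if hmac.compare_digest(presented, stored.encode()):
            return principal
    return None


# path -> (required role or None for an explicitly public route, handler)
ROUTES: Dict[str, Tuple[Optional[str], Callable[[Optional[dict]], Response]]] = {}


def route(path: str, role: Optional[str]):
    """Register a handler; every route must declare its role, even 'public'."""
    def register(fn):
        ROUTES[path] = (role, fn)
        return fn
    return register


@route("/admin/vendors", role="admin")
def list_vendors(principal: Optional[dict]) -> Response:
    return Response(200, VENDORS)


@route("/health", role=None)  # deliberately public, and visible to the audit
def health(principal: Optional[dict]) -> Response:
    return Response(200, "ok")


def hardened_dispatch(req: Request) -> Response:
    """Unknown route -> 404; no session -> 401; wrong role -> 403."""
    if req.path not in ROUTES:
        return Response(404)
    required_role, handler = ROUTES[req.path]
    if required_role is None:
        return handler(None)
    principal = current_principal(req)
    if principal is None:
        return Response(401)
    if principal["role"] != required_role:
        return Response(403)
    return handler(principal)


def unprotected_routes() -> list:
    """Audit helper: the routes reachable without any role requirement."""
    return sorted(path for path, (role, _) in ROUTES.items() if role is None)


if __name__ == "__main__":
    anon = Request("/admin/vendors")
    print("vulnerable:", vulnerable_dispatch(anon).status)   # 200 for anyone
    print("hardened  :", hardened_dispatch(anon).status)     # 401 for anyone
    print("public routes:", unprotected_routes())
```

The point of `unprotected_routes()` is that a public endpoint has to be declared as such, so a reviewer can enumerate what an anonymous visitor can reach; in the vulnerable version there is nothing to enumerate because there is no access-control layer at all.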
"Shadow AI used to mean employees pasting things they shouldn't into ChatGPT. It now means something bigger: employees building full applications with AI, wiring them into production systems, and publishing them on the open internet. Without Security or IT in the loop. The artifact moved from a prompt to a product. The risk surface moved with it."
"In The Shadow Builders report (get it here), a new category-level investigation covered in May by Axios, WIRED, and VentureBeat, Red Access identified more than 380,000 publicly accessible web assets across the leading vibe-coding platforms. Roughly 5,000 looked corporate. More than 2,000 of those held sensitive corporate, operational, or personal data - sitting on the open web, deployed without basic access controls, often granting admin access by default to anyone who reached the URL."
"Vibe coding - the broader space of AI-driven development platforms where anyone can build a working application by describing what they want - has compressed what used to take engineering teams months into something a non-developer can ship before lunch. A marketing manager builds a campaign tracker and connects it to the BI tool where the real numbers live. An operations manager builds a vendor-intake form and connects it to the ticketing system."
"Those applications get connected to sanctioned production systems - CRMs, ERPs, ticketing tools, BI platforms - and frequently published to the open internet, with whatever access controls the builder happened to configure. Often, none. The people doing this aren't malicious. They are competent employees solving real problems faster than their organization could, doing exactly what the platforms invited the"
Read at The Hacker News