
The Shadow AI Problem

When employees configure MCP servers or install AI skills directly in their coding tools — Cursor, Claude Code, Claude Desktop, VS Code, Codex, and others — these integrations run outside centralized observability and control. The result is a shadow IT problem for AI tooling: ungoverned access to your code, data, and systems, with no audit trail. Runlayer addresses shadow AI through the AI Watch agent: one signed package, three features. Deploy the package once through your MDM, then use configuration to decide which optional features run.

Deploy AI Watch

Install one package, then configure Detect, Enforce, and Sessions

Detect

Always on — discover shadow MCP servers, skills, and plugins via scheduled scans

Enforce

Enforcement flag — block unmanaged MCP sources and policy-check local tool activity

Sessions

Sessions flag — collect lifecycle telemetry for prompts, tool calls, and responses

User and Identity Mapping

Map device usernames to Runlayer users for discoveries, sessions, and audit

Security Risks

Shadow MCP Servers

Shadow MCP servers pose significant security risks:
  • Data exfiltration — Risky MCP servers can steal source code, credentials, API keys, and customer data
  • Supply chain attacks — Compromised or trojanized MCP packages can inject risky behavior into otherwise legitimate tools
  • Prompt injection — Shadow MCPs may contain tool poisoning attacks that manipulate AI behavior
  • Lateral movement — MCPs with broad permissions can be exploited to access internal systems
  • Compliance violations — Uncontrolled access to PII, PHI, or regulated data without audit trails

Shadow Skills

Skills are instruction files that extend AI coding assistants with specialized knowledge, workflows, and tool integrations — such as SKILL.md files. When these are installed outside organizational control, they become shadow skills. Shadow skills introduce distinct risks:
  • Prompt injection — Skill instructions can manipulate AI behavior, override safety guidelines, or inject malicious prompts
  • Unauthorized automation — Skills can define workflows that automate actions beyond what an organization has approved
  • Supply chain risk — Unvetted community skills may contain instructions that exfiltrate data or introduce vulnerabilities

Why This Matters for Security Teams

Unlike traditional shadow IT, shadow AI is particularly dangerous because:
  1. AI amplifies access — A single MCP or skill can give AI assistants broad access to databases, APIs, and file systems
  2. Actions are automated — MCPs enable AI to take actions autonomously, not just read data
  3. No audit trail — Shadow MCPs and skills operate outside your logging and monitoring infrastructure
  4. Difficult to detect — MCP configurations and skill files are stored in user-space config files, not installed as traditional software
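
Because these integrations live in user-space config files, a defender can inventory them by parsing the files directly. The sketch below is an added example, not Runlayer's code and not a description of how AI Watch classifies servers; it sorts each entry of one MCP client config into managed or shadow and flags credential-like env vars stored inline. Assumptions: the `mcpServers` JSON layout used by clients such as Cursor and Claude Desktop, a hypothetical `APPROVED_HOSTS` allowlist, a policy that treats every local command entry as shadow, and a constructed sample config.

```python
import json
from urllib.parse import urlparse

# Hypothetical allowlist: hosts of MCP endpoints the organization manages.
APPROVED_HOSTS = {"mcp.corp.example"}
# Name fragments suggesting a credential is stored inline in the config.
SECRET_HINTS = ("KEY", "TOKEN", "SECRET", "PASSWORD")

# Constructed sample in the `mcpServers` layout; not from a real device.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "corp-gateway": {"url": "https://mcp.corp.example/github"},
    "notes-helper": {"command": "npx", "args": ["-y", "notes-helper-mcp"],
                     "env": {"NOTES_API_KEY": "constructed-value"}},
    "remote-tools": {"url": "https://tools.unvetted.example/mcp"}
  }
}
"""

def classify_servers(config_text, approved_hosts=APPROVED_HOSTS):
    """Return one finding per configured MCP server, sorted by name."""
    try:
        servers = json.loads(config_text).get("mcpServers") or {}
    except (json.JSONDecodeError, AttributeError):
        return [{"name": None, "status": "unparseable",
                 "reason": "config is not a JSON object", "secret_env": []}]
    findings = []
    for name, entry in sorted(servers.items()):
        url = entry.get("url")
        if url:
            host = urlparse(url).hostname or ""
            managed = host in approved_hosts
            reason = f"remote endpoint {host}"
        else:
            # Assumed policy: a local command entry is never centrally managed.
            managed = False
            cmd = [entry.get("command", "")] + list(entry.get("args", []))
            reason = "local command: " + " ".join(cmd).strip()
        secret_env = sorted(k for k in entry.get("env", {})
                            if any(h in k.upper() for h in SECRET_HINTS))
        findings.append({"name": name,
                         "status": "managed" if managed else "shadow",
                         "reason": reason, "secret_env": secret_env})
    return findings

if __name__ == "__main__":
    for f in classify_servers(SAMPLE_CONFIG):
        print(f["status"], f["name"], f["reason"], f["secret_env"])
```

Only the env var names are reported, never their values, so the findings can be shipped to a log pipeline without copying the secrets themselves.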

One Package, Three Features

Detect is always enabled after AI Watch is installed. Enforce and Sessions are controlled by package configuration, and one organization API key authenticates scanning, enforcement, and sessions; no enrollment keys are required.
Feature | Configuration | What it does
Detect | Always on | Discovers shadow MCP servers, skills, and plugins through scheduled scans
Enforce | Enforcement / AIWATCH_ENFORCEMENT | Installs client hooks that block unmanaged MCP sources and policy-check local tool activity
Sessions | Sessions / AIWATCH_SESSIONS | Installs the full event hook set for Sessions telemetry
  • Enforce is disabled by default. Set Enforcement=true (macOS) or AIWATCH_ENFORCEMENT=1 (Windows) to block unmanaged MCP sources and policy-check local tool activity.
  • Sessions is enabled by default. Set Sessions=false (macOS) or AIWATCH_SESSIONS=0 (Windows) to skip the full event/session hook set.
Hook installation follows the combined capability state: AI Watch installs hook configs when either Enforce or Sessions is enabled. Detect-only requires explicitly setting Sessions=false or AIWATCH_SESSIONS=0; omitting Sessions uses the default enabled state and installs hooks for monitoring-only telemetry.

Deploying the default package is not scan-only: if Sessions is left unset, AI Watch installs monitoring hooks for supported local clients. For Detect-only rollout with no hooks, explicitly disable Sessions (Sessions=false on macOS or AIWATCH_SESSIONS=0 on Windows). See the Intune Detect-only example.

Start with Deploy AI Watch to install the package and choose Enforce / Sessions configuration. Detect scans run by default after deployment.

The Shadow Dashboard

The Shadow page in the sidebar brings every discovery into one view:
  • Overview — scanned devices, managed vs. shadow breakdown, and a Shadow vs Managed trend over time
  • Connectors — most common shadow servers, users running them, top servers to migrate, and which MCP clients are in use
  • Skills — shadow skill discoveries over time, most common skills, users with shadow skills, and a per-client breakdown

Re-analyzing Classifications

Refresh server and skill classifications after changes

Responding to Discoveries

Security team response framework

Troubleshooting

Common issues and solutions

Remove AI Watch

Remove package-based and legacy script-based deployments