The Shadow AI Problem
When employees configure MCP servers or install AI skills directly in their coding tools (Cursor, VS Code, Claude Desktop, etc.), those integrations run outside centralized observability and control. This is the shadow IT problem applied to AI tooling, and security teams must address it. Runlayer provides two complementary approaches to shadow AI:
Detect
Discover and inventory shadow MCP servers and skills via scheduled scans
Enforce
Intercept MCP tool calls in real-time to enforce security policies
Security Risks
Shadow MCP Servers
Shadow MCP servers pose significant security risks:
- Data exfiltration — A malicious or compromised MCP server can read and send out the source code, credentials, API keys, and customer data reachable from the developer's machine
- Supply chain attacks — Compromised or trojanized MCP packages can inject risky behavior into otherwise legitimate tools
- Prompt injection — Tool descriptions and tool results returned by a shadow MCP can carry injected instructions (tool poisoning) that redirect the assistant's behavior
- Lateral movement — MCPs with broad permissions can be exploited to access internal systems
- Compliance violations — Uncontrolled access to PII, PHI, or regulated data without audit trails
Shadow Skills
Skills are instruction files that extend AI coding assistants with specialized knowledge, workflows, and tool integrations, for example SKILL.md, AGENTS.md, and Cursor rules files. When they are installed outside organizational control, they become shadow skills. Shadow skills introduce distinct risks:
- Prompt injection — Skill instructions are loaded into the assistant's context, so they can override safety guidelines or carry injected malicious prompts
- Unauthorized automation — Skills can define workflows that automate actions beyond what an organization has approved
- Supply chain risk — Unvetted community skills may contain instructions that exfiltrate data or introduce vulnerabilities
Why This Matters for Security Teams
Unlike traditional shadow IT, shadow AI is particularly dangerous because:
- AI amplifies access — A single MCP or skill can give an AI assistant broad access to databases, APIs, and file systems
- Actions are automated — MCPs enable AI to take actions autonomously, not just read data
- No audit trail — Shadow MCPs and skills operate outside your logging and monitoring infrastructure
- Difficult to detect — MCP configurations and skill files live in user-space config files and project directories rather than being installed as traditional software, so they do not appear in inventories built from installed packages
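The last point is what a detection scan has to work around: the evidence is a handful of JSON and Markdown files in known user-space locations. The script below is an added illustration, not Runlayer's Detect scanner. It assumes a short list of config paths (Cursor's `~/.cursor/mcp.json` and Claude Desktop's `claude_desktop_config.json` are real locations; the list is still an assumption to adjust per fleet), reads both the `mcpServers` and VS Code style `servers` keys, inventories skill files by name and rules directory, and attaches simple, illustrative risk indicators (remote endpoint, package fetched at launch, unpinned version, credentials in config). The sample home directory it scans is constructed in a temp directory so the script runs offline.

```python
import json
import tempfile
from pathlib import Path

# Assumed user-space locations (relative to $HOME) where coding tools keep MCP
# configs. The Claude Desktop path is the macOS one; extend for your fleet.
MCP_CONFIG_FILES = [
    ".cursor/mcp.json",
    "Library/Application Support/Claude/claude_desktop_config.json",
    ".vscode/mcp.json",
]
SKILL_FILE_NAMES = {"SKILL.md", "AGENTS.md"}   # instruction files picked up by name
SKILL_DIRS = [".cursor/rules"]                  # directories whose .md/.mdc files are rules
PACKAGE_RUNNERS = {"npx", "uvx", "bunx"}        # launchers that fetch a package at start
SECRET_HINTS = ("TOKEN", "KEY", "SECRET", "PASSWORD")


def load_mcp_servers(config_path: Path) -> dict:
    """Return {name: spec} from one MCP config file; {} if missing or unparseable."""
    try:
        data = json.loads(config_path.read_text())
    except (OSError, ValueError):
        return {}
    # Cursor and Claude Desktop use "mcpServers"; VS Code uses "servers".
    servers = data.get("mcpServers") or data.get("servers") or {}
    return servers if isinstance(servers, dict) else {}


def classify_server(spec: dict) -> list[str]:
    """Illustrative risk indicators (simple heuristics, not a vendor classification)."""
    findings = []
    if spec.get("url"):
        findings.append("remote-endpoint")            # tool traffic leaves the host
    argv = [spec.get("command", "")] + list(spec.get("args", []))
    if argv[0] in PACKAGE_RUNNERS:
        findings.append("package-fetched-at-launch")  # supply-chain exposure
        # "@scope/pkg@1.2.3" pins a version; "@scope/pkg" or "pkg" does not.
        if not any("@" in arg[1:] for arg in argv[1:]):
            findings.append("unpinned-version")
    env = spec.get("env") or {}
    if any(any(hint in key.upper() for hint in SECRET_HINTS) for key in env):
        findings.append("credentials-in-config")      # secrets sitting in a user file
    return findings


def scan_home(home: Path) -> dict:
    """Inventory shadow MCP servers and skill files under one user's home directory."""
    inventory = {"servers": [], "skills": []}
    for rel in MCP_CONFIG_FILES:
        path = home / rel
        for name, spec in load_mcp_servers(path).items():
            inventory["servers"].append({
                "config": rel, "name": name, "findings": classify_server(spec),
            })
    for path in home.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(home).as_posix()
        in_rule_dir = any(rel.startswith(d + "/") for d in SKILL_DIRS)
        if path.name in SKILL_FILE_NAMES or (in_rule_dir and path.suffix in {".md", ".mdc"}):
            inventory["skills"].append(rel)
    inventory["skills"].sort()
    return inventory


def build_demo_home() -> Path:
    """Constructed sample home directory (placeholder names and token, not real data)."""
    home = Path(tempfile.mkdtemp(prefix="shadow-ai-demo-"))
    (home / ".cursor" / "rules").mkdir(parents=True)
    (home / ".cursor" / "mcp.json").write_text(json.dumps({"mcpServers": {
        "tickets": {"command": "npx", "args": ["-y", "@example/server-tickets"],
                    "env": {"TICKETS_API_TOKEN": "placeholder-token"}},
        "internal-db": {"url": "https://mcp.example.internal/sse"},
    }}))
    (home / ".cursor" / "rules" / "deploy.mdc").write_text("Always push to main.\n")
    (home / ".vscode").mkdir()
    (home / ".vscode" / "mcp.json").write_text(json.dumps({"servers": {
        "docs": {"command": "node", "args": ["/opt/tools/docs-mcp/index.js"]},
    }}))
    (home / "repo").mkdir()
    (home / "repo" / "AGENTS.md").write_text("# Agent instructions\n")
    return home


if __name__ == "__main__":
    print(json.dumps(scan_home(build_demo_home()), indent=2))
```

Run against a real fleet, `scan_home` would be invoked per user home from an MDM-pushed job and the inventory shipped to a central store; the heuristics are deliberately coarse and meant as a starting point for triage, not a verdict.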
Choosing an Approach
| Feature | Detect | Enforce |
|---|---|---|
| Purpose | Discovery and inventory | Real-time control |
| When it runs | Scheduled scans via MDM | Continuous interception |
| What it does | Finds shadow servers and skills, classifies them | Blocks/allows MCP tool calls |
| Scope | MCP servers and skills | MCP server tool calls only |
| Best for | Visibility, compliance audits | Active security enforcement |
- Deploy Detect to discover existing shadow servers and skills
- Deploy Enforce to control what shadow MCP servers can do
Related Resources
Re-analyzing Classifications
Refresh server and skill classifications after changes
Responding to Discoveries
Security team response framework
Troubleshooting
Common issues and solutions