“Shadow IT”—people within companies using tech products without any explicit directive or authorization from the top—is nothing new. The phenomenon dates at least to the era when certain daring professionals purchased newfangled gadgets called “PCs” and brought them to the office, well before having a computer on your desk was the norm.
But the AI boom has made shadow IT more chaotic than ever. Many employers are pressuring staffers to embrace the technology without being terribly specific about best practices to use it productively and safely. Excited by the possibilities, workers may feed sensitive data into AI tools that are powerful but unpredictable. Even if everyone involved has the best of intentions, an infinite number of things could go awry.
According to Christina Cacioppo, cofounder and CEO of the trust management platform Vanta, about 70% of its 16,000-plus customers have some kind of shadow AI happening inside their organizations. “It’s basically what you’re talking about when someone within the company is charging ahead a new AI tool, and that tool, which might provide a lot of promise and value, hasn’t gone through a formal security review,” she says.
Enter a new Vanta tool called the Vanta Agent for Risk. It maps out an organization’s vendors and tools, data and other assets; compliance responsibilities; and controls such as AI policies, aiming to provide a cohesive picture of their relationships and danger zones. The agent “understands all the different things that are happening in your company,” says Jeremy Epling, Vanta’s chief product officer. “Whether they’re third-party vendor risk that’s coming in from the outside, or it’s internal risk [involving] who has access inside the platform to different pieces of data.”

More than 4,000 integrations inform the agent’s reports. “We have over 1,400 tests that are continuously assessing the different security controls in your organization,” says Epling. “Are my [Amazon Web Services] S3 buckets encrypted? Are people doing background checks? Are they doing it on time? Who has access to what? Is it the right level of access? We pull all that data together and then really infuse it with intelligence from the Vanta agent.” The company is also introducing several complementary features, including an agent for third-party risk management, an AI risk library knowledge base, and a scoring system that quantifies risk across financial, brand, and operational impact.
More AI, more risks
Vanta’s data puts some numbers to the general feeling in the air of an emergent “builder culture.” Organizations are dispersing product engineering across their teams in a way that’s new, leading to 311% year-over-year growth in builder roles. “GTM engineer” positions are up 1,329%; “legal engineer” ones are up 850%. Many other workers are motivated to try their hands at vibe coding lest they lose their jobs to someone who uses the technology better than they do.
As a result of all that building, Epling says, “We’ll have more probably software written in the next year than we will in the last 10 years combined.” More software means more tools from more providers: According to Vanta, AI vendor adoption is 73% higher in companies with builder roles than in those without. Companies are reviewing only 7% of such vendors, however, even though Vanta deems 30% of them as critical or high risk. Ultimately, 88% of risks go unremediated.

The agent for risk tool won’t eliminate AI problems on its own. But by offering a continuously updated overview of what’s actually happening within an organization, it provides a starting point that might not otherwise be available. “We still believe in human-in-the-loop and human approval for all those pieces, but it will suggest edits to your policies or to your controls or to other things like that,” says Epling.
Both Cacioppo and Epling stress that Vanta’s agent is not intended to stomp out uses of AI that emerge from bottom-up experimentation, which Epling says are “helping companies get more efficient than ever before.” Instead, the goal is to make such ad hoc AI less fraught. Without a way to manage it, Cacioppo says, companies “may not even officially know that [tools] are being used and have had a chance to think about how they’re set up or what sorts of data is going in.”
‘Trust is a defining problem of the AI era’
Vanta’s origin story began at Dropbox, where Cacioppo was once a product manager overseeing a collaborative document-editing tool called Paper. Her responsibilities included dealing with compliance paperwork, a slog—involving rules and regulations with names such as SOC 2 and GDPR—that left her wondering if the process could be improved. Extensive interviews with security professionals convinced her it could. Working with a Dropbox colleague, Erik Goldman, she founded Vanta, which became part of the startup accelerator Y Combinator’s Winter 2018 batch.
Andrew Reed, a Sequoia Capital partner, led the firm’s investment in Vanta and now serves on its board. He first took notice of the startup when it reached $10 million in revenue without having taken on any venture funding, a rare accomplishment. (As of April, Vanta has grown to $300 million in annual recurring revenue, up from $200 million nine months earlier.) According to Reed, the company’s vision was always bigger than the mundane but useful job of helping organizations wrangle compliance requirements. And as AI spreads, the discipline it helps companies impose on their operations becomes only more essential.
“The founding mission statement of Vanta was to help secure the internet,” he explains. “And it turns out that getting people to be compliant with standards and certain certifications is a very compelling way to get their security houses in order. And in this era of agents, the risk profile attached with how you’re interacting with customers, and how you’re doing business on the internet, has fundamentally changed.”
AI’s mind-bending capacity to solve old problems but also create new ones goes way beyond the business challenge Cacioppo identified when she grappled with compliance issues at Dropbox. Yet the fact that so many companies agree on the urgency of getting the technology right feels like an opportunity that was made for Vanta to seize.
“Trust is a defining problem of the AI era, and these new AI companies are getting more scrutiny, more questions, more security review, more questionnaires, just more, more, more,” she says. “Because we are all excited about their promise, but also a little scared about their capabilities. It’s not 2016 or 2006, when we were more blithely like, ‘Oh, cool new thing—I will just sign up and give it access to my bank account, because it might do something useful.’ That’s very much not the vibe of 2026.”
