SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

JFrog launches Shadow AI Detection to boost enterprise oversight

Fri, 21st Nov 2025

JFrog has expanded its Software Supply Chain Platform with the introduction of Shadow AI Detection, aiming to help organisations identify and manage risks associated with unsanctioned use of artificial intelligence models and APIs, known as Shadow AI.

AI visibility

The increasing integration of AI models and services into enterprise development pipelines often occurs without sufficient oversight.

Many developers and data science teams continue to leverage external AI resources such as those offered by Anthropic, OpenAI, and Google, bypassing central IT and security protocols. This has led to gaps in monitoring and governance, so-called blind spots, that can expose enterprises to security breaches, compliance violations, and unauthorised data access.

JFrog's Shadow AI Detection promises automatic discovery and inventory creation for both internal AI assets and external API gateways in use organisation-wide.

This increased transparency enables IT and security teams to establish policies that enforce proper usage, restrict unauthorised access, and monitor interactions with third-party AI services.

Regulatory landscape

Organisations operating at scale must comply with an emerging set of global regulations that address AI governance, including the US Transparency in Frontier AI Act, the EU Cyber Resilience Act, Germany's BSI Guidelines, and NIS2, among others. These require audit trails, technical accountability, and clear ownership for all stages of AI system development and operation.

By aligning with these frameworks, JFrog aims to provide organisations with the tooling needed to meet strict security, compliance, and reporting standards. The expanded detection capability helps document all AI-related activities and map them to enterprise-approved standards, reducing the risk of violations and reinforcing due diligence.

Risk mitigation

Shadow AI presents a significant risk where ad-hoc access to external models or APIs can lead to data leakage or the introduction of unvetted components into critical systems.

The centralised governance promised by the new detection layer supports ongoing monitoring and creates auditable records of who accessed what models and services, when, and how.

Teams can now enforce approved pathways to external services, ensuring only authorised users connect to and interact with third-party models. This oversight is essential for tracking the use of services such as OpenAI's GPT series or Google's Gemini, which are increasingly being consumed directly by software engineering teams.
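To make the "who accessed what, when, and how" record and the approved-pathway check concrete, here is an added illustration that is not JFrog's code or method: it inventories calls to the vendor endpoints named above from constructed egress-proxy log lines and flags any that bypass an assumed internal gateway host.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Public API hosts of the vendors the article names; any call to one of these
# counts as an AI interaction worth inventorying.
AI_SERVICE_HOSTS = {
    "api.openai.com": "OpenAI",
    "api.anthropic.com": "Anthropic",
    "generativelanguage.googleapis.com": "Google Gemini",
}

# Assumed policy (not from the article): vendor traffic must pass through this
# hypothetical internal gateway; a direct call to a vendor host is shadow AI.
APPROVED_GATEWAY = "ai-gateway.internal.example"

# Constructed sample egress-proxy log: "<timestamp> <user> <method> <url>".
SAMPLE_LOGS = """\
2025-11-21T09:14:02Z alice POST https://api.openai.com/v1/chat/completions
2025-11-21T09:15:47Z bob POST https://ai-gateway.internal.example/openai/v1/chat/completions
2025-11-21T09:16:10Z carol POST https://api.anthropic.com/v1/messages
2025-11-21T09:17:33Z alice POST https://generativelanguage.googleapis.com/v1beta/models/gemini-pro:generateContent
2025-11-21T09:18:05Z dave GET https://example.org/index.html
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")

def inventory(log_text):
    """Return (records, findings): all AI calls seen, and the direct ones that bypass the gateway."""
    records, findings = [], []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        host = urlsplit(m["url"]).hostname
        if host == APPROVED_GATEWAY:
            records.append({**m.groupdict(), "vendor": "via gateway", "sanctioned": True})
        elif host in AI_SERVICE_HOSTS:
            rec = {**m.groupdict(), "vendor": AI_SERVICE_HOSTS[host], "sanctioned": False}
            records.append(rec)
            findings.append(rec)  # direct vendor call: candidate shadow AI
    return records, findings

def users_by_vendor(findings):
    """Summarise which users reached which vendor directly, for follow-up."""
    out = defaultdict(set)
    for f in findings:
        out[f["vendor"]].add(f["user"])
    return {vendor: sorted(users) for vendor, users in out.items()}
```

Running `inventory(SAMPLE_LOGS)` on the constructed log records four AI calls and flags three as direct vendor access; only bob's request went through the assumed gateway.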

Industry approach

JFrog advocates for a balanced approach to AI innovation and security, encouraging organisations to integrate controls into developer workflows. The company sees its Shadow AI Detection as a way to help enterprises remain agile while responding to growing risk and compliance requirements in their software supply chains.

"Recognising and mitigating the risks of shadow AI is becoming a critical priority for CIOs and CISOs who must strike a balance between innovating while maintaining security. Organisations should follow proven software development practices by creating developer-friendly workflows with strong security and robust governance," said Yuval Fernbach, Vice President and Chief Technology Officer, JFrog ML.