The increase of 'Shadow AI' during the enterprise AI diffusion process... governance gaps become a variable

The introduction of enterprise artificial intelligence is rapidly increasing, but in real-world scenarios, “control” is becoming a bigger challenge than “scaling.” Diagnostics indicate that even when results are achieved in limited pilot operations, the “production gap” is widening during the process of expanding to full-scale business deployment due to security and policy management failures.

Rees Oxenham, Vice President and General Manager of SUSE’s AI division, recently stated at SUSECON 2026 that companies now face not just simple AI pilots, but how to safely migrate to large-scale operational environments. He explained, “Pilots are relatively easy to demonstrate value, but applying them to actual operations alongside core data requires security measures and governance.” “This is precisely the ‘production gap’ that customers need to overcome.”

Such issues are also reflected in data. Reports show that one in five companies has experienced security incidents related to “shadow AI,” but only 37% have policies to manage or detect such activities. Shadow AI refers to employees using external generative AI tools without company approval, which, while convenient, poses risks of data leaks and violations. Ultimately, the lack of governance systems comparable in scale to AI investments has become a direct factor affecting corporate competitiveness.

SUSE proposes “Private AI” as a solution

SUSE has introduced “Private AI” as a solution to this problem. It is an enterprise-level AI model based on open standards, hybrid deployment, and complete organizational control. Its design allows companies to deploy AI workloads as needed in their own data centers, public clouds, or edge environments, avoiding vendor lock-in.

Oxenham particularly emphasized the importance of “digital sovereignty.” He stated, “Digital sovereignty is no longer just a regulatory list belonging to Europe.” “All organizations worldwide must consider independence, autonomy, and resilience in their infrastructure operations.” This means that beyond simple compliance, AI infrastructure and data control are becoming core competitive advantages for enterprises.

On-site, management often demands rapid AI results, but the supporting governance mechanisms are often insufficient. Members may bypass approved systems and use external tools, causing companies to lose control over data flow and usage history. SUSE explains that to reduce such risks, observability, security, and automation are provided through SUSE Rancher Prime and SUSE Linux Enterprise Server.

In the era of proxy AI, security and observability become increasingly important

Especially as AI evolves from simple recommendations to “proxy AI” capable of executing actual tasks on behalf of users, governance becomes even more critical. This is because the more AI proxies act on behalf of users and participate in decision-making, the more real-time confirmation of whether their judgments comply with company policies is needed.

Oxenham said, “If proxies perform actual actions on behalf of users, it must be confirmed whether those actions comply with company policies.” “At this stage, governance, security, and observability become extremely important.” This indicates that the competitiveness of enterprise AI is no longer solely determined by model performance but is shifting toward operational stability and policy enforcement capabilities.

Ultimately, some analyses suggest that by 2026, the core issue in the enterprise AI market will not be “introducing more AI,” but “building a foundation capable of secure scaling.” It is increasingly clear that to move AI pilots out of labs and successfully integrate into actual business systems, governance, digital sovereignty, and security systems must be established as equally important as performance.