Shadow AI Isn't a Governance Problem Alone
Security teams racing to inventory unsanctioned AI are asking the right first question. The harder one is usually skipped.
June 9, 2026

In 2024, an employee at a Fortune 50 media company downloaded a free AI art tool from a public code repository. Inside the installer was an infostealer. The attacker spent five months inside the environment, then walked out with 1.1 terabytes of data: 44 million internal chat messages, 18,800 spreadsheets, 13,000 PDFs.
The employee wasn't trying to cause a breach. They were trying to move faster.
There will be more of these. Gartner projects more than 150,000 AI agents inside the average Fortune 500 by 2028, up from fewer than 15 today.
The First Move Is Right
The standard response to shadow AI is discovery: find the tools, classify them, decide which ones belong. But discovery is a snapshot. It tells you what's installed, not what the identities behind those tools are doing.
In 2025, public code repositories absorbed 1.27 million hardcoded AI-service credentials — one every 25 seconds, all year. That's not a breach statistic. That's a workforce expanding the attack surface one credential paste at a time, policy or no policy.
The Harder Question
Risk lives in behavior. A sanctioned account pulling the full customer revenue file at 3 a.m. is a higher-risk event than an unsanctioned tool sitting idle. An AI agent that starts touching systems it has never accessed before is functionally indistinguishable from an account takeover.
Most detection logic wasn't written to flag that pattern. It was built for a world where the actor was human.
Behavioral AI works on email because it builds an individualized baseline for every identity: timing, access patterns, what belongs. Abnormal Attune builds those baselines across every account it covers. The same logic applies to identities that never appear in your HR system.
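The per-identity baseline idea above, as an added example that is not from the original post and is not Abnormal's implementation: each identity, human or agent, is compared only against its own history of resources and active hours. All identity names, resource paths and events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (identity, ISO timestamp, resource)
HISTORY = [
    ("alice", "2026-05-04T09:12:00", "crm/accounts"),
    ("alice", "2026-05-05T10:40:00", "crm/accounts"),
    ("alice", "2026-05-06T14:05:00", "wiki/sales"),
    ("alice", "2026-05-07T16:30:00", "crm/accounts"),
    ("agent-summarizer", "2026-05-04T02:00:00", "tickets/queue"),
    ("agent-summarizer", "2026-05-05T02:00:00", "tickets/queue"),
    ("agent-summarizer", "2026-05-06T02:01:00", "tickets/queue"),
]
NEW_EVENTS = [
    ("alice", "2026-05-11T03:02:00", "finance/customer-revenue"),
    ("alice", "2026-05-11T10:15:00", "crm/accounts"),
    ("agent-summarizer", "2026-05-11T02:00:00", "tickets/queue"),
    ("agent-summarizer", "2026-05-11T02:03:00", "hr/payroll"),
    ("agent-new", "2026-05-11T11:00:00", "wiki/sales"),
]

def build_baselines(events):
    """Per identity: the resources it has touched and the hours it is active."""
    base = defaultdict(lambda: {"resources": set(), "hours": set()})
    for ident, ts, res in events:
        base[ident]["resources"].add(res)
        base[ident]["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(base)

def score(event, baselines, hour_slack=1):
    """Reasons this event deviates from the identity's own baseline."""
    ident, ts, res = event
    b = baselines.get(ident)
    if b is None:
        return ["no-baseline"]  # identity never observed: cannot be judged normal
    reasons = []
    if res not in b["resources"]:
        reasons.append("new-resource")
    hour = datetime.fromisoformat(ts).hour
    # Circular distance on a 24h clock, so 23:00 and 00:00 count as adjacent.
    if all(min((hour - h) % 24, (h - hour) % 24) > hour_slack for h in b["hours"]):
        reasons.append("unusual-hour")
    return reasons

def flag(events, baselines):
    """Return (event, reasons) for every event with at least one deviation."""
    return [(e, r) for e in events if (r := score(e, baselines))]
```

Running `flag(NEW_EVENTS, build_baselines(HISTORY))` shows that activity around 2 a.m. is normal for the agent but a 3 a.m. read is a deviation for the human account, because each is scored against its own history.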


