
Shadow AI in Intune and Defender: how to gain control of local AI agents on employee laptops

By Zarioh Digital Solutions·6 May 2026

Microsoft rolled out a new Shadow AI dashboard in Defender and Intune in May 2026. It detects AI agents that employees install themselves on their Windows devices and offers direct management control. What is shadow AI, why is it a serious risk, and how do you activate the new controls?

Since 2024, more and more employees have been installing AI tools on their work laptops themselves: a local chat assistant for summarising documents, an AI agent that processes emails, an open-source model that handles sensitive business data outside the company environment. For the IT department this activity is invisible until something goes wrong. Microsoft calls this phenomenon shadow AI and rolled out a targeted solution for it in May 2026 in the combination of Microsoft Defender and Microsoft Intune.

What is shadow AI?

Shadow AI is the AI-specific form of shadow IT: the use of software and services, in this case AI tools, without the IT department knowing about or having approved them. Where shadow IT used to mean an employee installing Dropbox alongside OneDrive, shadow AI goes a step further. AI agents can autonomously open files, send emails, call external APIs and export data, so a single unmanaged agent can move company data out of the environment without anyone clicking on anything.

What does the new Shadow AI page do?

Microsoft has added a dedicated Shadow AI page to the Microsoft Defender portal. The page is fed by Defender for Endpoint telemetry and controlled via Intune policies. Initial detection focuses on OpenClaw, a popular open-source agent that runs locally on Windows devices; support for other widely used agents is due to be added later this year.

The page shows per device which AI agents have been detected, when they were last active, which processes and domains they communicate with, and which user installed them. For IT administrators this is the first central overview of agent activity within the organisation.

What management options are there?

From the Shadow AI dashboard, administrators can directly navigate to Intune to apply policies. Three types of actions are possible. First, blocking, where the agent is prevented from starting or communicating with external APIs at the device level. Second, conditional allow, for example only in a specific user group or on devices that meet compliance requirements. Third, alerting, where detection is logged without immediate action, useful in an initial inventory phase.

How do you activate Shadow AI detection?

Three prerequisites apply before you can use the Shadow AI page. First, your devices must be enrolled in Microsoft Intune and run Windows 11 version 22H2 or later. Second, Microsoft Defender for Endpoint Plan 2 must be active on those devices. Third, your tenant must have Microsoft Defender XDR enabled.

If all three are in place, you will find the Shadow AI page at security.microsoft.com under Endpoints, then AI Security. Detection is set to log-only by default, which lets you first collect what is running in your environment for a week before applying any policy.

What to do this month?

Three concrete steps for IT administrators. First, verify in the Microsoft Defender portal that Shadow AI is visible for your tenant and that the licence requirements are met. Second, enable detection in log-only mode and let it run for one to two weeks to establish a baseline of what is running in your environment. Third, with the results, draft an initial agent policy, distinguishing between accepted tools and those you want to block.
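The overview the Shadow AI page gives you (agents per device, last activity, the user involved and the domains contacted) can be reproduced for your own baseline with an advanced hunting query in the Defender portal, which is also a useful cross-check while detection is still in log-only mode. The query below is an added example, not Microsoft's Shadow AI page logic or a query from the original article. It assumes the standard Defender XDR advanced hunting tables DeviceProcessEvents and DeviceNetworkEvents are populated for your onboarded devices, and the executable names in agent_processes are assumptions: the article names OpenClaw but not its binary, and the second entry is a placeholder to extend with whatever your inventory week surfaces.

```kql
// Added example (not Microsoft's or the article's own query).
// Assumes the standard DeviceProcessEvents / DeviceNetworkEvents tables.
let lookback = 14d;
// Hypothetical binary names: the article names OpenClaw but not its executable,
// and "example-agent.exe" is a placeholder. Extend with what log-only detection shows.
let agent_processes = dynamic(["openclaw.exe", "example-agent.exe"]);
// Who launched an agent on which device, and when it was last active
let agent_runs =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ (agent_processes)
    | summarize FirstSeen = min(Timestamp),
                LastActive = max(Timestamp),
                Users = make_set(AccountName, 10),
                Launches = count()
              by DeviceName, AgentProcess = tolower(FileName);
// Which external hosts those agent processes talk to
let agent_domains =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName in~ (agent_processes)
    | where isnotempty(RemoteUrl)
    // RemoteUrl may be a bare hostname or a full URL; keep only the host part
    | extend Domain = tolower(extract(@"^(?:[a-zA-Z]+://)?([^/:]+)", 1, RemoteUrl))
    | summarize Domains = make_set(Domain, 25),
                Connections = count()
              by DeviceName, AgentProcess = tolower(InitiatingProcessFileName);
// One row per device and agent: the inventory to build your first agent policy from
agent_runs
| join kind=leftouter agent_domains on DeviceName, AgentProcess
| project DeviceName, AgentProcess, FirstSeen, LastActive, Users, Launches, Domains, Connections
| order by LastActive desc
```

Run it against the full one-to-two-week baseline window rather than a single day, and compare the domain sets per agent with the Shadow AI page: an agent that only contacts its vendor's API is a different policy conversation from one that also reaches arbitrary external hosts, which is exactly the distinction between tools you accept and tools you block.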

Want help setting up a policy for AI agents in your organisation or configuring Defender and Intune for these new capabilities? Contact Zarioh.
