Blog Industry Research March 17, 2026 4 min read

79% of Enterprises Are Finding AI Apps IT Never Approved

Nutanix surveyed 1,600 cloud and engineering executives for its 8th Enterprise Cloud Index. Shadow AI is no longer an edge case - it is the norm.

By the AuthorityGate Architect Team

Every year Nutanix commissions Wakefield Research to take the temperature of enterprise infrastructure, and the 8th Enterprise Cloud Index, published March 3, is the biggest one yet on the AI question: 1,600 cloud, IT, and engineering executives, surveyed in November. The container and infrastructure findings got the headline. The number that should get your attention is buried one paragraph down: 79 percent of respondents encounter AI applications implemented by employees outside of IT.

Shadow AI is not an edge case anymore. It is the statistical norm - and the people reporting it know exactly what it means:

Shadow AI is the norm, and everyone knows it is a risk Share of respondents, Nutanix 8th Enterprise Cloud Index (1,600 executives)
Encounter AI apps implemented outside of IT
79%
Believe unauthorized AI use introduces risk
87%
Say silos between business units and IT hinder initiatives
82%

The awareness paradox

Look at the first two bars together. Eighty-seven percent believe unauthorized AI introduces risk to the organization, and 79 percent are encountering it anyway. This is not an awareness problem; the awareness is nearly universal. It is an enforcement problem. The organization has a policy that says "do not deploy unsanctioned AI," the employees have a business problem and a browser, and there is nothing structural standing between the two. The third bar explains why: 82 percent say the silos between business units and IT actively hinder technology initiatives. When the sanctioned path is slow, the unsanctioned path wins.

And this is not the first warning from this same survey series. A year earlier, the 7th Enterprise Cloud Index found 98 percent of organizations facing challenges moving GenAI workloads from development to production, and 95 percent admitting they could do more to secure their GenAI models and applications. The questions change year to year, but the through-line does not: the AI is arriving faster than the controls around it.

Meanwhile, the substrate is multiplying

The rest of the report describes the environment all of this lands in, and it is getting more dynamic, not less:

More moving parts, on a foundation rated not ready Share of respondents, Nutanix 8th Enterprise Cloud Index
Say AI is accelerating container adoption
85%
View current on-prem infrastructure as unprepared for AI
82%
Expect AI agents to enhance customer and employee experiences
61%

87% also expect containerization to keep growing over the next three years.

Put the pieces in one sentence: containerized workloads are multiplying, 82 percent of leaders rate their own on-prem infrastructure unprepared for what is coming, a majority expect AI agents to start acting inside customer and employee experiences - and four out of five organizations already cannot account for all the AI running in their environment today.

A dark server room at night where dozens of small unlabeled devices with glowing lights are plugged haphazardly into racks among the official equipment
The environment you govern versus the environment you actually run. At 79 percent, the difference is the norm.

You cannot inventory your way out

The instinctive response to shadow AI is discovery: scan the environment, find the unsanctioned tools, add them to the inventory, repeat. Discovery is worth doing, but as a governance strategy it has a fatal shape - it is always behind. You find what already shipped. Governance that only covers the AI you know about is, at these numbers, governing a minority of your AI, and the minority share shrinks every quarter the silos persist.

The AuthorityGate take

Nutanix sells infrastructure, and a survey that concludes "your infrastructure is not ready" deserves the usual skepticism about vendor findings. But the shadow AI number does not sell hardware - it indicts process, and it matches what the awareness figures show: policy without enforcement produced 79 percent leakage.

The durable fix inverts the question. Stop asking "how do we find all the unsanctioned AI" and start asking "can any change - sanctioned or not - reach production without passing a gate?" A validation gate at the environment boundary does not care whether a change came from IT, a business unit's side project, or an AI agent: it checks the change against policy, scores its risk, and routes consequential ones to a named human before anything takes effect. Shadow AI thrives on paths around the process. The answer is an architecture with no path around.

The 8th Enterprise Cloud Index reads like a weather report for a storm already overhead: the workloads are multiplying, the foundation is rated unprepared by the people who run it, and unsanctioned AI is the norm rather than the exception. You will not stop employees from reaching for AI - 87 percent of their leaders know the risk and it happens anyway. What you can decide is whether reaching production requires passing a gate. That single architectural choice is the difference between governing your AI and governing the fraction of it you happen to know about.

Share this post: LinkedIn

Go deeper

Every agent action, validated before it takes effect

AuthorityGate's newsletter breaks down real AI incidents and the governance failures behind them. Our configurable 8-gate validation model is how organizations keep a named human accountable for what their AI actually does.