Shadow AI is a preference problem
Unsanctioned AI spreads through an enterprise the way good tools always have: quietly, by recommendation, one solved problem at a time. Treating it as a discipline problem misreads it. It is a preference, and preferences are won.
How it takes hold
The pattern is consistent across companies. Someone under deadline tries an AI tool; it works; they tell two colleagues. A private experiment becomes a team habit. A desktop app or an IDE assistant settles into a workflow, and within a quarter the workflow depends on it. New hires arrive already fluent in tools the security team has never reviewed. None of this is sabotage. It is people doing their jobs with the best instrument in reach.
Approval pipelines are not built for that speed. Unsanctioned AI spreads faster than security teams can find it, let alone approve it, and much of the use never crosses controls built for the browser: desktop applications and IDE assistants often do not pass through a proxy at all. The AI you govern ends up a subset of the AI in use.
Why blocking loses
The instinctive response is a block list, and it fails on three fronts. It lags, because new tools and new endpoints appear weekly and yesterday's inventory misses today's habit. It leaks, pushing work onto unmanaged devices and unsanctioned tools, exactly where visibility ends. And it costs the security team its standing: when the sanctioned answer is no and the unsanctioned tool is visibly better, people stop asking.
Governed adoption starts with discovery, not denial.
See it before you decide
The first move is an inventory built from observation rather than collected from surveys: AI destinations seen in live traffic on managed macOS and Windows devices, including tools the enterprise does not own or host. With the estate visible, each destination takes a governed route: approved with policy attached, constrained with rules, or replaced. Blocking keeps a place in that verdict set. What changes is that it stops being the whole strategy.
A workspace people prefer
Replacement only works if the destination beats the habit. That sets a concrete bar: every major model, so nobody trades away capability; agents, so real work can be delegated; company knowledge, so answers carry your context. The First Recon app is built to that bar: chat, agents, and company knowledge, in the browser or as a desktop application, with the runtime judging every interaction in real time. Redaction happens in place and verdicts land inline, so the work keeps moving.
That is what makes it the governed alternative to unsanctioned AI tools, without losing capabilities. People come for the tool. Security gets every interaction observed, enforced, and on the record.
Together or on their own
The App gives people the governed route. The Endpoint Agent covers the AI you do not host and did not sanction, enforcing policy on the device before the prompt reaches the model's API. Run them together or on their own; policy and evidence stay consistent either way: one policy surface and one trail. Start where your exposure is (discovery across the fleet, or a better workspace for your teams) and add the other when you are ready.