← Back to blog

The State of Shadow AI in 2026: What 26,000 Intercepted Requests Tell Us

· Pierre
shadow AI shadow AI 2026 AI security AI traffic analysis enterprise AI risk AI data leakage AI governance MITM proxy AI Claude Code traffic AI cost tracking

The State of Shadow AI in 2026: What 26,000 Intercepted Requests Tell Us

Everyone in enterprise security is talking about shadow AI. But the conversation is stuck on surveys and guesses. "Do your employees use unapproved AI tools?" is a question with an obvious answer: yes.

The more interesting question is: what does the traffic actually look like?

We intercepted 26,565 AI API requests using CitrusGlaze, our open-source MITM proxy. Every request went through our Rust-based engine, which parsed providers, models, tokens, source applications, and scanned for secrets. Here's what the data says.

Everyone Uses One Provider. Nobody Uses Just One.

The biggest surprise in our data: 91.2% of all AI API traffic went to a single provider — Anthropic. But teams simultaneously used 8 other providers, including OpenAI, Google, Cohere, Groq, Mistral, and DeepSeek.

This matches industry-wide patterns. The average enterprise now uses 87 AI apps according to Netskope's 2025 Cloud & Threat Report. Enterprise AI provider market share by revenue breaks down to roughly Anthropic 40%, OpenAI 27%, Google 21% according to Menlo Ventures' 2025 analysis.

What this means for security teams: you can't just monitor one provider. Your employees are using multiple AI services, and the long tail matters. One team might use Claude for coding while another uses ChatGPT for writing — and the second one might be pasting API keys into prompts.

Half Your AI Traffic Isn't Human

This is the finding that should keep security teams awake.

In our data, 51.4% of AI requests came from programmatic sources — Node.js applications, Axios HTTP clients, scripts. Not a person typing in a chat window. Automated agents and embedded AI workflows generating API calls with no human in the loop.

Claude Code alone — a single developer tool — generated 21.4% of all traffic. That's more than OpenAI, Google, and GitHub Copilot combined.

The Stack Overflow 2025 Developer Survey found that 84% of developers use or plan to use AI coding tools, with 51% using them daily. GitHub reports that 46% of code in files where Copilot is active is AI-generated. Anthropic says Claude Code accounts for 4% of all GitHub commits.

These aren't people copy-pasting from ChatGPT. These are automated systems sending your codebase, your environment variables, and your credentials to AI providers continuously. Browser-based DLP catches none of this.

The 66x Traffic Spike Nobody Plans For

AI usage isn't uniform throughout the day. Our data shows a bimodal pattern: a mid-afternoon burst and a larger evening burst. The busiest hour sees 4,287 requests. The quietest sees 65.

That's a 66x difference.

If you're running AI security tooling that batches analysis (most do), you're getting results hours after the damage is done. If you're running rate limits based on averages, you're either blocking legitimate peak usage or allowing everything through during off-peak.

Real-time, at-the-wire scanning isn't a nice-to-have. It's the only approach that matches the traffic pattern.

13% of Prompts Contain Sensitive Data

This isn't our number — it's from Lasso Security's analysis of millions of enterprise prompts. But it lines up with what we see in our traffic.

The breakdown of what leaks is consistent across multiple independent sources:

  • 26% of file uploads to AI chatbots contain sensitive information (Harmonic Security, 2025)
  • 223 policy violations per month in the average enterprise involving sensitive data sent to AI apps — doubled year-over-year (Netskope, 2025)
  • 96.4% of detected secrets in AI traffic are API keys and passwords — the exact credentials that enable lateral movement (Nightfall AI, 2025)
  • 45.4% of sensitive prompts are sent through personal accounts, bypassing corporate controls entirely (Harmonic Security, 2025)

And 97% of organizations using AI lack access controls to prevent AI-related data breaches (IBM, 2025). The average data breach costs $4.44 million. Shadow AI adds $670,000 to that number.

Why Browser Extensions Don't Cut It

Several vendors — Harmonic Security, LayerX, Nightfall AI, Strac — sell browser extensions for AI DLP. They monitor what you type into ChatGPT in your browser. That's real value for a specific use case.

But remember: 51.4% of AI traffic in our data comes from programmatic sources. CLI tools. Build scripts. Agent frameworks. These never touch a browser.

Claude Code runs in the terminal. Cursor runs as a desktop application. GitHub Copilot integrates with VS Code but makes API calls outside the browser. Python scripts calling the OpenAI SDK run in a subprocess. None of these are visible to a browser extension.

If your AI security strategy is a browser extension, you're seeing less than half the picture.

81% of Employees Use Unapproved AI

This stat from UpGuard is directionally confirmed by every data source we've seen:

  • 71% of employees use AI without IT approval (Reco.ai, 2025)
  • 75% of CISOs have discovered unauthorized AI tools in their environment (Lasso Security, 2026)
  • The average enterprise has 269 shadow AI tools per 1,000 employees in SMBs (Reco.ai, 2025)
  • Only 25-26% of organizations have comprehensive AI governance policies. 63% have no formal policy at all (IBM, 2025)

The surprise isn't that employees use unapproved AI. The surprise is that most organizations have no mechanism to even discover which tools are in use — let alone what data those tools are processing.

The $85,500/Month Nobody's Tracking

According to Kong's State of AI in the Enterprise report, the average organization spends $85,500 per month on AI-native applications. Enterprise GenAI spend hit $37 billion in 2025, a 3.2x increase year-over-year.

Here's the problem: most of that spending is invisible. In our data, 81.2% of requests don't even identify which model they're using in a way that's visible at the network layer. Without inspecting the actual request body, you can't determine which models your teams are hitting or what they cost.

And the waste is real. 48-50% of software licenses go unused in the average enterprise (Productiv/Zylo, 2025). The same waste pattern is emerging in AI tool procurement. Teams sign up for multiple providers, use one heavily, and forget about the rest — while the bills keep coming.

The Agentic Shift Changes Everything

Everything above describes the current state. The next state is worse.

The agentic AI market is projected to grow from $9.14 billion in 2026 to $139 billion by 2034 — a 40.5% CAGR. But only 29% of organizations feel prepared to securely manage agentic AI (Cisco, 2025), and 72% of security professionals aren't confident in their ability to secure AI systems (Cloud Security Alliance, 2025).

Agents don't just read data and generate text. They execute code, make API calls, read files, and modify infrastructure. An agent running with your credentials is indistinguishable from you on the network. The same 13% data leakage rate, the same secret exposure — but now it's happening autonomously, in CI pipelines, in background processes, at 3 AM.

Network-layer inspection isn't optional for agentic AI. It's the only enforcement point that works across all tools, all providers, and all frameworks without modifying the tools themselves.

What Actually Works

After intercepting 26,565 requests and reading every piece of research we could find, here's what we think matters:

For engineering leaders:

  1. Instrument your AI traffic at the network layer. Not the browser. Not the API wrapper. The network. That's the only place you see everything.
  2. Consolidate providers. Our data shows 91% of traffic going to one provider with 8 others in the tail. Each provider is a separate contract, security review, and compliance surface.
  3. Budget by team, not by tool. Per-seat licenses don't capture the real cost — API calls from scripts and agents can exceed seat costs 10x.
  4. Monitor the shift to agents. Over half of AI traffic is already programmatic. Your security model must account for non-human AI consumers.

For security leaders:

  1. Deploy at the network layer. Browser extensions miss CLI tools, scripts, and agents. MITM inspection sees everything.
  2. Block secrets before they leave. Detection-only is not enough. Critical credentials in prompts should be blocked or redacted at the proxy before reaching the AI provider.
  3. Quantify your exposure. "We might be leaking data to AI" isn't actionable. "We send 223 requests containing AWS credentials to AI providers per month" is.
  4. Prepare for agentic threats. Tool call inspection is the next frontier — agents that execute code and make API calls need their actions monitored in real-time.

How We Collected This Data

This analysis combines two sources:

  1. First-party telemetry from CitrusGlaze MITM proxy deployments intercepting live AI API traffic. Sample: 26,565 requests across 19 source applications, 9 AI providers, and 10+ models. All data collected with consent from development environments.

  2. Third-party research from Netskope, Gartner, IBM, Harmonic Security, Lasso Security, Stack Overflow, GitHub, and others. Every external claim is cited with source, date, and URL.

CitrusGlaze is an open-source AI traffic proxy that runs locally on your machine. It intercepts AI API calls using a MITM proxy, scans for secrets with 210+ detection patterns in a Rust engine, tracks token usage and costs, and discovers which AI tools are in use — all without sending your data to anyone else's cloud.

Install CitrusGlaze and see your own AI traffic in 5 minutes. Or read the full State of AI Traffic 2026 report for the complete dataset.

← All posts Try CitrusGlaze →