Most teams trying to get a handle on their AI agent footprint start the same way: connect to the platforms, pull the logs, build a list. It feels like progress. It's not complete.
API-based inventory is the default approach because it's the path of least resistance. Connect to your sanctioned AI platforms and get back a list of configured agents. The problem is that "configured" and "active" aren't the same thing. And agents that weren't built through official channels don't show up at all.
The gap between what APIs report and what's actually running in your environment is where your real exposure lives. And right now, that gap is enormous.
Across Obsidian's customer base, over 50 enterprise deployments governing more than 1.2 million users, agent counts grew from under 500 in late 2024 to nearly 95,000 by February 2026. That's not gradual adoption. That's proliferation at a pace most security teams haven't internalized yet.
Of those agents, 38% carry medium, high, or critical risk factors from the moment they deploy. Most have no documented owner. Several were built by accounts that no longer exist. All of them have live connectors to production systems.
And the data exposure isn't theoretical. We observed a single Glean agent download 8.1 million files. Every other user and application in that environment combined downloaded 500,000. One agent. More than 16 times the data movement of the entire rest of the environment.
That's what's visible. The agents your API-sourced inventory can't see are running alongside these.
Shadow AI isn’t one thing. It enters your environment through several distinct channels, and each one creates a different kind of blind spot.
SaaS connection logs show some of it. When a user connects a third-party agent to a platform like Salesforce or Google Workspace, that connection event usually leaves a trace. These are the agents most likely to surface in a standard inventory pull. They’re the tip of the iceberg.
Proxy logs and network scanning catch a second layer — egress to known AI provider endpoints. This works for traffic that passes through a managed network. It misses agents running on personal devices, home networks, or through personal accounts that never touch corporate infrastructure.
Then there’s what none of those methods reach. The first is local AI use: employees running ChatGPT on a personal device, connecting a personal account to work data, or using AI tools that never touch your corporate network. These generate no connection event, no OAuth grant, no trace in any system you control.
The second is harder to see because it hides inside platforms your organization already trusts. AI capabilities don’t always arrive as new integrations — they ship as features inside software you already use. A Salesforce admin enables Einstein agents. A Microsoft 365 tenant activates Copilot. A Notion workspace turns on built-in AI automations. None of these create new OAuth grants. None appear in connection logs. They’re just on, with access permissions already in place, inside platforms your team has open in their browser every day.
Each of these modes requires a different detection strategy. API inventory covers the first. Network scanning covers the second, partially. Neither covers the third at all. That’s where browser visibility becomes essential.
Enterprise APIs surface what's been formally provisioned. They report on agents created through the right channels, connected to the right systems, registered in the right places. What they can't surface is what's operating outside those guardrails.
Agents authenticate through OAuth tokens and service accounts, not through your SSO layer. No MFA challenge. No session context. No user identity to evaluate. The IdP reports clean because it never saw the activity. Every app your IdP has never federated is a blind spot. Agents operate freely inside all of them.
That's before accounting for agents built outside IT's purview entirely. No-code and low-code platforms let anyone spin up autonomous agents, often with no security review baked in. Those agents don't register with the APIs you're querying. From an API perspective, they don't exist. From a risk perspective, they're fully operational.
APIs report what agents are configured to do. They don’t report what agents are actually doing. For agents, behavior is where the risk is.
Incomplete inventory doesn't just mean a shorter list. It means every downstream governance workflow is built on a foundation with known gaps. Entitlement mapping, risk scoring, runtime enforcement: all of it starts with knowing what agents actually exist. Get that wrong and everything downstream is wrong too.
The agents you can see through API feeds are likely the ones operating within sanctioned platforms, running under managed service accounts, with documented owners. The ones you can't see are operating outside those guardrails, which puts them outside every governance workflow designed to catch them.
That 38% of agents carrying medium, high, or critical risk — the figure cited above — is a floor, not a ceiling. It reflects only the agents visible through sanctioned platform APIs. The agents that don't show up in API-sourced inventory carry no baseline at all. They're not in the risk model. They're not in the owner record. They're not in the audit trail. They're just running.
Browser-level visibility operates where the other methods stop. Obsidian's browser extension captures real-time AI activity across sessions — including AI features built directly into SaaS platforms that never generate a new connection event, shadow AI running under personal accounts, and agents that activate silently inside tools your organization already trusts.
What that looks like in practice: across Obsidian's customer base, the browser extension recorded nearly 70,000 AI-in-SaaS events in a single 30-day window — across tools like Jira's Rovo AI, LucidChart, Airtable, Miro, Notion, and Slack. None of those events would appear in an API-sourced inventory. None created a new OAuth grant. None were new integrations. They were AI capabilities that shipped as features inside software your teams already had open in their browser.
This isn't about catching what slipped through your existing controls. It's about seeing a category of AI activity that no other method surfaces at all. When Copilot starts summarizing emails, when Glean starts indexing files, when Jira's AI assistant activates inside a ticket your team is already working — that's what gets discovered here first.
Complete inventory doesn’t just satisfy a security requirement. It unlocks every conversation that has to happen next. Once you know what’s running, you can start having productive conversations with app owners — not to block them, but to build policy with them. The difference between AI security that accelerates your business and AI security that creates friction is whether you’re working from real data or guesswork.
Security leaders who move past inventory quickly hit the same next questions: which agents carry enough risk to act on now, which teams own them, and what guardrails can be applied without derailing adoption. Each of those steps depends on the one before it. Visibility creates the foundation. Policy becomes possible. Governance becomes scalable.
Obsidian is built to take you through all of it. Start with what you can't see yet. Find out what's there.
In the wake of the Salesloft breach, we’re offering a free risk assessment of your Salesforce environment to help identify potential exposure. Click here to request yours.
Take a breather! In under 6 minutes, our demo breaks down the risks AI agents bring to your SaaS environment and how you can get ahead of them.
We're offering a free AI agent risk assessment—check it out.
The biggest SaaS breach of 2025 started with a compromised third-party app. Attackers then exploited Salesloft-Drift OAuth tokens, which granted them access to hundreds of downstream environments. Obsidian researchers found the blast radius of this supply chain attack was 10x greater than previous incidents, where attackers infiltrated Salesforce directly.
Start in minutes and secure your critical SaaS applications with continuous monitoring and data-driven insights.
