A wave of employee-built, AI-generated applications is quietly expanding the enterprise attack surface, with one recent “Shadow Builders” report claiming more than 2,000 exposed AI-built apps discovered on the public internet across customer environments. Framed as a new era of “shadow AI,” the findings highlight how workers are now using coding copilots and agents to assemble full production applications without Security or IT involved, leaving traditional stacks blind to critical new entry points.
Shadow AI originally described staff pasting sensitive data into public chatbots, but the practice has evolved as AI coding tools have gone mainstream. A growing share of software is now “vibe-coded” – created by developers who describe an outcome to an AI assistant and accept its generated code with minimal manual editing. One recent industry analysis estimated that GitHub Copilot serves around 20 million users, that more than 90 percent of US developers use AI coding tools daily, and that roughly half of all new code is now AI-generated, underscoring how quickly this shift is happening.
According to the Shadow Builders findings, that shift is turning prompts into products at high speed: employees are wiring AI-generated apps into production data stores and APIs, standing them up on cloud platforms or SaaS builders, and then publishing them on the open internet—often using personal or team-owned accounts. In many cases, these apps never pass through formal intake processes, change management, or architecture review, which means they do not show up in asset inventories, do not have security agents deployed, and are not covered by existing vulnerability management or API security programs.
The result is an attack surface made up of small, task-specific applications that may lack even basic controls such as authentication, access logging, or input validation. Security teams report finding hard-coded API keys, direct connections to production databases, verbose error messages that leak implementation details, and AI agents with privileged service tokens but no guardrails. Because these apps are typically created to “just get something done,” they frequently bypass single sign-on and existing authorization models, making it difficult to enforce least privilege or revoke access when an employee leaves.
The discovery of thousands of these vibe-coded apps across enterprises exposes a structural limitation in many security stacks: they are optimized to protect known, sanctioned systems, not to continuously rediscover whatever new software employees can now assemble in an afternoon. Defenders are responding by investing in external attack surface management, automated web and API discovery, and stricter guardrails around AI development tools, while also pushing for policies that require registration of new internal apps and service accounts. But as AI coding compresses the time from idea to internet-facing product, organizations will have to assume that shadow AI is already part of their environment and adapt their monitoring, governance, and culture to make these invisible applications visible.
