Vanta tackles shadow AI amid soaring builder risks

As “shadow AI” spreads inside companies, Vanta says about 70% of its 16,000-plus customers have some version of it—and it is launching an agent meant to map tools, vendors, data, controls, and compliance responsibilities to help identify security and policy ga
For the third time this AI boom, a company’s experiment has outpaced its guardrails.
“Shadow IT”—people using software tools without explicit authorization from the top—has long existed. But with AI, the speed feels different. Employers are pushing staff to adopt the technology, often without getting specific about safe, productive ways to use it. The result can be a familiar corporate disconnect: workers try to move fast, while sensitive data ends up in AI tools that are powerful but not always predictable.
Christina Cacioppo, cofounder and CEO of the trust management platform Vanta, puts a number to how widespread the problem has become. About 70% of Vanta’s 16,000-plus customers have some kind of shadow AI inside their organizations.
“It’s basically what you’re talking about when someone within the company is charging ahead a new AI tool,” Cacioppo says, “and that tool… hasn’t gone through a formal security review.”
Vanta is now betting it can turn that uneasy, bottom-up reality into something companies can at least see—and manage. The company introduced a new tool called the Vanta Agent for Risk.
The agent is designed to map out an organization’s vendors and tools, the data and other assets tied to them, compliance responsibilities, and controls such as AI policies. Vanta positions the tool as a cohesive view of how these pieces relate—and where the danger zones are.
Jeremy Epling, Vanta’s chief product officer, describes it as software that “understands all the different things that are happening in your company,” whether the risk is third-party vendor risk coming in from outside or internal risk tied to who has access inside the platform to different pieces of data.
To power those reports, the agent draws on more than 400 integrations. Epling says Vanta also runs “over 1,400 tests” that continuously assess security controls across an organization. In plain terms, that can include questions such as whether Amazon Web Services S3 buckets are encrypted, whether background checks are being performed and on time, who has access to what, and whether people have the right level of access.
Vanta then pulls that data together and “infuse[s] it with intelligence from the Vanta agent.” The company is also rolling out complementary features: an agent for third-party risk management, an AI risk library knowledge base, and a scoring system intended to quantify risk across financial, brand, and operational impact.
The point is not to stop experimentation. Epling says human oversight is still central, with “human-in-the-loop and human approval for all those pieces.” The agent’s job is to suggest edits to policies, controls, or related practices—so ad hoc AI use is less fraught.
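The workflow described above (inventory the tools in use, tie each to the data it touches and the controls that cover it, flag AI tools that never passed security review, and score risk across financial, brand, and operational impact) can be sketched in a few dozen lines. The following is an added illustration, not Vanta’s code and not a description of how its agent is implemented; the tool names, vendors, impact weights, and scoring thresholds are all constructed for the example.

```python
"""Toy shadow-AI inventory and risk triage (constructed example, not Vanta's code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed impact weights (1-5) per data class, across the three dimensions
# named in the article: financial, brand, operational.
IMPACT_BY_DATA_CLASS = {
    "public":      {"financial": 1, "brand": 1, "operational": 1},
    "internal":    {"financial": 2, "brand": 2, "operational": 2},
    "pii":         {"financial": 4, "brand": 5, "operational": 3},
    "source_code": {"financial": 3, "brand": 3, "operational": 5},
    "financial":   {"financial": 5, "brand": 4, "operational": 3},
}

@dataclass
class Tool:
    name: str
    vendor: str
    is_ai: bool
    discovered_via: str            # "sso", "oauth_grant", "expense_report", ...
    data_classes: set
    review_status: Optional[str]   # "approved", "pending", or None (never submitted)
    covered_by_ai_policy: bool = False

def is_shadow_ai(tool: Tool) -> bool:
    """An AI tool in use without an approved security review."""
    return tool.is_ai and tool.review_status != "approved"

def impact(tool: Tool) -> dict:
    """Worst-case impact per dimension over every data class the tool touches."""
    dims = {"financial": 1, "brand": 1, "operational": 1}
    for dc in tool.data_classes:
        for dim, val in IMPACT_BY_DATA_CLASS.get(dc, {}).items():
            dims[dim] = max(dims[dim], val)
    return dims

def risk_score(tool: Tool) -> int:
    """Likelihood (1-5) times the highest impact dimension (1-5), so 1..25.

    Likelihood rises when controls are missing: no approved review, no AI-policy
    coverage, or discovery outside the identity provider (less central control).
    """
    likelihood = 1
    if tool.review_status != "approved":
        likelihood += 2
    if tool.is_ai and not tool.covered_by_ai_policy:
        likelihood += 1
    if tool.discovered_via != "sso":
        likelihood += 1
    return min(likelihood, 5) * max(impact(tool).values())

def rating(score: int) -> str:
    """Constructed thresholds mapping a 1..25 score onto a four-level rating."""
    if score >= 16:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"

def review_coverage(tools: list) -> float:
    """Fraction of AI tools that have an approved security review (0.0 if none)."""
    ai_tools = [t for t in tools if t.is_ai]
    if not ai_tools:
        return 0.0
    return sum(t.review_status == "approved" for t in ai_tools) / len(ai_tools)

def suggested_actions(tool: Tool) -> list:
    """Proposed remediation steps; a human still approves each one."""
    actions = []
    if tool.review_status is None:
        actions.append("submit for security review")
    elif tool.review_status == "pending":
        actions.append("expedite pending security review")
    if tool.is_ai and not tool.covered_by_ai_policy:
        actions.append("add to AI usage policy")
    if is_shadow_ai(tool) and "pii" in tool.data_classes:
        actions.append("restrict PII input until review is approved")
    return actions

def triage(tools: list) -> list:
    """(name, rating, actions) for every tool, highest risk first."""
    ranked = sorted(tools, key=risk_score, reverse=True)
    return [(t.name, rating(risk_score(t)), suggested_actions(t)) for t in ranked]

# Constructed inventory: what an SSO export, OAuth-grant log and expense
# report might surface once stitched together.
INVENTORY = [
    Tool("SummarizeBot", "ExampleAI", True, "oauth_grant", {"pii", "internal"}, None),
    Tool("CodeHelper", "ExampleDev", True, "expense_report", {"internal"}, "pending"),
    Tool("ApprovedLLM", "ExampleAI", True, "sso", {"internal"}, "approved", True),
    Tool("PayrollSaaS", "ExampleHR", False, "sso", {"pii", "financial"}, "approved"),
]

if __name__ == "__main__":
    for name, level, actions in triage(INVENTORY):
        print(f"{name:12} {level:8} {'; '.join(actions) or 'no action'}")
    print(f"AI review coverage: {review_coverage(INVENTORY):.0%}")
```

Running the script ranks SummarizeBot (PII flowing into an unreviewed AI tool granted via OAuth) as critical and CodeHelper as high, while the two reviewed, SSO-managed tools land at medium or low; the review-coverage figure (one of three AI tools approved) is the kind of number a team would track against the 7% vendor-review rate the article cites.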
If companies don’t have that visibility, Cacioppo warns they may not even realize AI tools are being used—or have had a chance to think through how they’re set up and what kinds of data are going into them.
Behind the product launch sits a broader shift inside tech companies: builder culture.
Vanta’s data ties that culture to measurable growth in roles that build and wire systems. The company points to 311% year-over-year growth in builder roles. “GTM engineer” positions are up 1,329%, and “legal engineer” roles are up 850%. Epling says that kind of momentum is part of why more software is being written at pace. “We’ll have more probably software written in the next year than we will in the last 10 years combined,” he says.
More building brings more providers and more tools. Vanta says AI vendor adoption is 73% higher in companies with builder roles than in those without. Yet even as adoption climbs, review behavior does not match it. Companies are reviewing only 7% of such vendors, despite Vanta saying 30% of them are critical or high risk. The outcome, Cacioppo says through Vanta’s numbers, is stark: 88% of risks go unremediated.
That tension—faster adoption, slower review—is the backdrop for Vanta’s central promise: a continuously updated overview of what’s happening inside an organization that can help teams start from something real rather than guesswork.
Vanta’s origin story reaches back to compliance work, before AI made the stakes feel immediate. Cacioppo previously worked at Dropbox, where she oversaw a collaborative document-editing tool called Paper. Her responsibilities included dealing with compliance paperwork—rules and regulations such as SOC 2 and GDPR—which she found to be a slog. Extensive interviews with security professionals convinced her the process could be improved.
Working with a Dropbox colleague, Erik Goldman, Cacioppo founded Vanta. The company later became part of startup accelerator Y Combinator’s Winter 2018 batch.
The company’s investment story also carries its own credibility markers. Andrew Reed, a Sequoia Capital partner, led Vanta’s investment and now serves on its board. Reed says he noticed the firm when it reached $10 million in revenue without having taken on any venture funding, a rare accomplishment.
He also points to where he thinks Vanta’s mission has always been headed. The vision, Reed says, was bigger than a routine compliance task. As AI spreads and more companies rely on software agents and internet-based interactions, he argues, the risk profile attached to how businesses operate has “fundamentally changed.”
“The founding mission statement of Vanta was to help secure the internet,” Reed explains. “And it turns out that getting people to be compliant with standards and certain certifications is a very compelling way to get their security houses in order.”
As of April, Reed notes, Vanta has grown to $300 million in annual recurring revenue, up from $200 million nine months earlier.
For Cacioppo, the central issue is trust, not just compliance paperwork. “Trust is a defining problem of the AI era,” she says, adding that new AI companies face “more scrutiny, more questions, more security review, more questionnaires, just more, more, more.”
Her warning cuts against the earlier wave of casual sign-ups. She points back to a less cautious moment—when people were “more blithely” encouraged to sign up for new tools and grant access because they “might do something useful.” In her view, the mood is different now, and it is not “2016 or 2006.”
“We are all excited about their promise, but also a little scared about their capabilities,” she says. And after that shift, the corporate reality she describes—shadow adoption happening without formal security review—has become harder to ignore.
Vanta’s Agent for Risk is aimed at closing that gap: mapping where AI tools and data flow through organizations, quantifying risk, and pushing decisions back into a structured process—before the next experiment turns into a security incident.
So basically companies need permission to use AI now?
I don’t even get what “shadow AI” means half the time. Isn’t it just like employees trying stuff on their own? 70% sounds insane though, like how are they not just getting caught instantly.
They say “agent meant to map tools, vendors, data” like that’s gonna fix it. But won’t the agent just add another system to the breach checklist? Also I thought shadow IT was mostly like random apps, not AI. Guess I’m behind.
This whole thing feels like fear mongering for software subscriptions. If management tells people to use AI faster, then acts surprised when it’s messy… that’s on them. Shadow AI sounds like companies just don’t want to admit employees are doing their jobs. And “compliance responsibilities”?? half the time those get ignored anyway.