
Mobile-centric security provider Lookout has released the findings of a survey report that exposes a systemic architectural failure — that traditional network perimeters are blind to mobile shadow AI.
The “Solving for the Mobile AI Blind Spot: Executive Confidence Meets Technical Reality” report, conducted with ZK Research, revealed that while almost all security executives express supreme confidence in their AI governance, workers turn to AI on their mobile devices when companies limit which models can be used, creating mobile shadow AI. In fact, 52% of all generative AI usage happens on mobile devices, the survey found, and that can lead to workers exposing source code, intellectual property and even business records to cyber attackers.
The technical reality: High spend, zero visibility
The report also found that organizations spend an average of 19% of their security budgets on AI compliance, yet traditional security frameworks aren’t designed to handle mobile-native generative and agentic AI. Among the findings in the report are:
- The Dark Traffic Route: 59% of mobile AI traffic is hidden from traditional network-discovery tools, routing directly between local apps and external clouds without ever crossing a corporate gateway.
- The Agentic Blind Spot: 68% of enterprises have zero technical visibility into autonomous AI agent workflows that inherit user identity and single sign-on (SSO) tokens to manipulate corporate records out of sight.
- The Hidden SDK Supply Chain: 72% of organizations are structurally incapable of auditing embedded AI Software Development Kits (SDKs) hidden inside benign-looking everyday mobile applications.
“Enterprises are burning nearly a fifth of their security budgets trying to solve a 2026 problem with desktop-era tactics,” said Zeus Kerravala at ZK Research. “Relying on binary web-filtering completely destroys employee productivity and has forced 84% of IT leaders to actively stall business-led AI initiatives. Meanwhile, forcing all mobile data traffic to backhaul through heavy cloud sandboxes introduces crippling user latency and triggers massive cloud compute bills. You cannot secure data fluidly by turning the user’s phone into a non-functional silo. True mobile compliance must happen natively at the edge.”
Lookout AI Visibility & Governance
In the report, Lookout recommends that enterprises move away from perimeter-tied discovery models and deploy a dedicated mobile-native architecture. Its Lookout AI Visibility & Governance addresses these mobile blind spots through three pillars, the company wrote:
- Comprehensive AI Application Discovery: Instantly unmasks every AI-enabled system, background process, and embedded SDK touching corporate data fabrics to neutralize the 72% supply chain visibility gap.
- Agentic Behavior Mapping: Tracks autonomous agent actions and single sign-on permission extensions in real-time to proactively block unsanctioned workflows before data exfiltration occurs.
- Inline Mobile Edge Data Guardrails: Enforces real-time, content-aware data loss prevention (DLP) directly on the physical device, stopping sensitive corporate properties and PII from reaching unsanctioned AI models before they can ever leave the device perimeter.
“Acceptable-use policies and passive corporate mandates are useless without active, technical enforcement at the edge,” said Firas Azmeh, president of Mobile Endpoint Security at Lookout. “AI governance has escalated to a board-level priority, with 97% of leaders agreeing it is mission-critical. Lookout systematically converts these invisible mobile liabilities into fully managed enterprise assets, giving organizations the confidence to embrace the AI revolution securely.”




