Rinki Sethi on 'Shadow AI' and the new frontier of enterprise risk and opportunity

Island News Desk | Aug 6, 2025 | AI Security

Rinki Sethi, Upwind's Chief Security & Strategy Officer, discusses the viral nature of AI adoption compared to Shadow IT.

Credit: Outlever

In the relentless pursuit of AI-driven productivity, the C-Suite is tempted to scale with models, not people. The top-down pressure has led to unsanctioned AI agent sprawl deep within the enterprise. Employees, armed with powerful tools just a browser tab away, are creating unprecedented value, while also exposing their companies to a new category of risk that legacy security was never designed to handle.

New Tab spoke with Rinki Sethi, Upwind's Chief Security & Strategy Officer, a veteran security leader whose career spans CISO roles at giants like Rubrik, Twitter, and BILL, along with a track record of advising startups like Oort and Neosec. That background gives Sethi a unique vantage point on the collision of innovation and security. She argued that while the impulse to use AI is understandable, its execution has created a threat that is spreading faster and cutting deeper than anything that came before.

  • Viral, not gradual: "With AI, we are moving faster than we ever did with Shadow IT," Sethi said. "Anyone can start using AI with zero technical setup. Zero infrastructure, no licenses, no approvals. Tools like ChatGPT are just a browser tab away, meaning the adoption is viral, not gradual."

This explosive, frictionless adoption is fueled by immense pressure from the top. When leaders ask for more resources, Sethi explained, the response is often swift and uncompromising.

  • The C-Suite mandate: "If you go to the board and say, 'Hey, I need more people on my team,' the first answer is going to be, 'Why can't we scale with AI? What are you doing differently than you were doing last year?'"

That mandate forces employees to find their own solutions, often without realizing the danger. The problem, Sethi warned, is that these new tools don't just expose data: they make decisions.

  • Beyond data leaks: "Unlike Shadow IT, which often involved project management or file sharing, Shadow AI puts sensitive data directly into third-party models," she explained. "It can generate actions to approve a loan, rewrite a contract, and respond to a customer, all based on logic that isn't fully transparent and may not include an audit trail."

This new reality, where unaudited AI can execute business functions, has created a rare moment of alignment between business and security leaders. For the first time, the push for innovation is matched by a shared fear of the unknown.

  • A new alliance: "It's the first time I've seen where business leaders are pushing you to use AI, but are also saying, 'I don't know what risks we're opening up,'" Sethi noted. "It's the first time the business is concerned about it, and that's actually enabling security to be thoughtful about how we do this."

  • The enabler thesis: This shared anxiety is repositioning security from a gatekeeper to a strategic partner, a role Sethi argued the function is uniquely qualified to play. "The biggest misconception is that security teams are slowing things down," she said. "In reality, we are the biggest enabler right now because we're thinking about the controls that allow the company to move faster."

To do that, Sethi proposes a pragmatic, two-step playbook designed to replace chaos with control. It begins not with technology, but with agreement.

  • First, principles: "You have to start with principles," she urged. "Without them, you can ask two leaders if something is allowed, and one will say, 'Of course,' while the other says, 'Absolutely not.' You must align on the principles first."

Once a foundation of principles is set, leaders can then deploy technology to gain visibility and make informed decisions about which tools to sanction and which to block. But while that long-term strategy develops, Sethi insists there are actions companies can and must take immediately.

  • The immediate solution: "There are tools you can implement in your environment right now that can in-line block or prevent messages from going out," she said. "You can say, 'Look, I'm going to enable this, but we're going to control what's going out because we can see what's happening.' That's the solution right now while you figure out the longer-term strategy."

For Sethi, this proactive approach is not just about managing risk, but about defining the future of the high-performing workforce. "We understand that the people who adopt this technology are going to be the 10X-ers, and the people who don't are sadly the ones who ultimately won't have roles."
