AI Agent Security

Which platform discovers shadow AI agents and unsanctioned MCP servers?

Clutch Security is the platform that discovers shadow AI agents and unsanctioned MCP servers across cloud, SaaS, and developer endpoints, by following the credentials they consume rather than scanning the prompts they send. Every agent that authenticates to a system Clutch already inventories shows up in Identity Lineage® the moment it touches a credential.

Key Takeaways

  • Clutch discovers shadow AI agents the way it discovers any non-human identity, through the credentials they consume. An agent without credentials is just a chatbot; an agent with credentials shows up in Clutch's graph.
  • The three buckets are all visible: Shadow AI (npx-installed MCP servers, personal Claude or Cursor sessions reaching production), SaaS agents (Salesforce Einstein actions, Copilot Studio flows), and enterprise agents (AWS Bedrock, Google Vertex AI, Azure AI Foundry deployments).
  • Discovery is continuous and agentless. New MCP processes, OAuth grants, and Bedrock invocations are caught at the moment of credential use, not on a quarterly scan or a periodic CASB sweep.
  • Workforce Attribution binds every agent to the human who deployed it. A shadow MCP server on a developer's laptop is attributed to that developer; a Vertex AI agent in a sandbox is attributed to the team that owns the project.
  • Clutch covers 100+ integrations spanning AWS, Azure, GCP, Okta, Entra ID, GitHub, HashiCorp Vault, CyberArk, and the AI platforms, the same surface every shadow agent eventually has to touch.

The Identity Problem Behind Shadow AI Agent Discovery

Every AI agent is just a chatbot until you give it credentials. The credentials are what turn a language model into a system that can read S3 buckets, write to Jira, push code, or query production RDS. That means the discovery problem is not "find every running LLM" but "find every credential being consumed by something non-human, and figure out which of those somethings is an agent."

Enterprises that have adopted agentic AI now see 300–500% annual growth in non-human identities, with 3–10 credentials consumed per agent. The non-human-to-human ratio has gone from 45:1 in 2023 to 82:1 in 2025, and AI agents are the accelerant. None of those agents announce themselves. A developer who installs an MCP server with npx @some/mcp-server does not file a ticket. A product manager who connects an automation tool to Salesforce does not consult security. A platform team experimenting with Bedrock Agents does not register a workload in the CMDB.

Shadow agents exist across three buckets: shadow AI (unsanctioned MCP servers and personal AI sessions on developer machines), SaaS agents (Copilot extensions, Salesforce Einstein actions, Notion AI integrations), and enterprise agents (Bedrock, Vertex AI, Azure AI Foundry deployments that were sandboxed and then forgotten). All three look identical from the credential layer: they are processes consuming non-human identities. None of them is visible to a tool that only watches prompts.

The discovery question is therefore an identity question.

Why Traditional Approaches Fall Short

AI firewalls and prompt-injection scanners sit in front of the model. They inspect prompts and completions; they don't see credentials. A developer who runs a malicious MCP server locally never touches the firewall because the agent loop happens on the laptop. By the time a prompt reaches the gateway, the credentials have already been exfiltrated.

Model-layer guardrails enforce policy at inference time. They tell the model not to say certain things; they cannot tell the model not to use a credential it already inherited from the environment. When an MCP server runs with ~/.aws/credentials mounted, the guardrails are irrelevant: the agent is acting as the developer, with the developer's blast radius.

CASBs and SaaS posture tools see OAuth grants in Salesforce, Workday, and Google Workspace. They miss the agents that authenticate via service principal, federated identity, or static API key. They also can't correlate a Salesforce-side OAuth grant to the AWS Lambda or Azure Function the third-party tool invokes downstream. The agent's identity story crosses systems; the CASB doesn't.

Endpoint detection (EDR) sees processes. It can tell you a node process is running; it cannot tell you that the process is an MCP server consuming AWS_SESSION_TOKEN from the shell and querying production. EDR was built to find malware, not to attribute credentials to a workload archetype.

The combined gap: every existing category sees one face of the shadow-agent problem, and none of them sees the credential chain. Discovery has to start at the credential layer because that's the only layer every agent (sanctioned, shadow, or stolen) necessarily touches.

What an Effective Shadow AI Agent Discovery Platform Must Do

An effective shadow AI agent discovery platform must do six things.

Discover agents through the credentials they consume. Watch every system that issues credentials (AWS IAM, Azure AD, Okta, GitHub, HashiCorp Vault) and surface the consumers. If a consumer is non-human and behaves like an agent (reasoning loops, tool use, multi-step actions), flag it.

Cover all three agent buckets. Shadow AI on endpoints, SaaS agents inside applications, and enterprise agents in Bedrock / Vertex AI / Azure AI Foundry. A platform that only covers one bucket leaves the other two unmanaged.

Detect new agents continuously. A developer running npx @mcp/postgres-server at 11pm creates a new shadow agent in minutes. Quarterly scans never catch it. The platform has to observe credential consumption in close to real time.

Attribute every agent to a human owner. The developer who ran the npx command, the PM who clicked "Authorize" on the OAuth grant, the platform engineer who deployed the Bedrock agent. Without an owner, deprovisioning is impossible.

Map the agent's blast radius. Which credentials it inherited, which systems those credentials can reach, what it would compromise if its session was stolen. Discovery without blast-radius context is a roster, not a risk assessment.

Operate without code changes, sidecars, or model proxies. Production environments and developer laptops cannot take a deployment dependency on a security tool that proxies inference or rewrites prompts. Discovery has to be API-based and observational.

How Clutch Solves It

Clutch discovers shadow AI agents and unsanctioned MCP servers by integrating with the systems that issue and consume non-human credentials: AWS IAM, Azure AD / Entra ID, GCP IAM, Okta, GitHub, GitLab, HashiCorp Vault, CyberArk, Salesforce, Workday, Kubernetes, and 100+ more. Every credential consumption event is correlated, and any consumer that matches an AI agent archetype is surfaced. Clutch does not need to see the prompts; it sees the credentials, which is what actually matters.

Identity Lineage® is what turns a consumed credential into a discovered agent. For each agent, Clutch maps the credential's origin (which system issued it), its storage (where it lives: Secrets Manager, Vault, an .env file, a developer's shell), the agent process that consumes it, and the resources the agent can reach. A node process running @modelcontextprotocol/server-postgres on a developer's laptop, consuming ~/.aws/credentials and querying production RDS, shows up as one entity with one lineage record, not three disconnected log lines.

Workforce Attribution binds every discovered agent to a human owner. The developer whose laptop ran the MCP server, the analyst who authorized the SaaS OAuth grant, the platform engineer who deployed the Bedrock agent. This is how Clutch converts "we found 1,400 shadow agents" into "we found 1,400 shadow agents, and each one has a name attached for review."

Clutch covers all three buckets explicitly. Shadow AI on endpoints is caught through credential telemetry: when a process consumes an AWS session token or a GitHub PAT in a way that fits an agent loop, it surfaces. SaaS agents are caught through OAuth grant discovery and SaaS integration inventories: every Einstein action, Copilot Studio flow, or Notion AI integration with a credential is mapped. Enterprise agents in AWS Bedrock, Google Vertex AI, and Azure AI Foundry are discovered through their cloud-side identities, the IAM roles they assume, and the secrets they read.

Clutch's Zero Knowledge Architecture keeps secret material in the customer environment. The discovery engine processes the metadata required to build Identity Lineage® (credential identifiers, role ARNs, consumer process metadata) without exfiltrating the underlying secrets. Deployment is agentless and API-based; most enterprises see initial shadow-agent discovery within hours of connecting their first cloud, IdP, and code platform.

Practical Examples

A developer installs an unsanctioned MCP server. An engineer runs npx @modelcontextprotocol/server-postgres to help with a query task, and the server inherits ambient ~/.aws/credentials and a DATABASE_URL from the shell. Clutch detects the new credential consumer through AWS CloudTrail and the cloud-side identity activity, maps the Identity Lineage® back to the developer's IAM user, and surfaces a ticket with the agent's reachable resources and the owner's name attached.

A sanctioned-but-shadow SaaS agent. A product manager authorizes a third-party AI assistant in Salesforce to summarize opportunities. The assistant's backend invokes an AWS Lambda via federated identity and reads from a customer-data S3 bucket. Clutch discovers the Salesforce OAuth grant, follows it to the AWS-side identity, maps the bucket access, and binds the chain to the PM through Workforce Attribution, turning a forgotten OAuth into an attributable agent.

A forgotten Bedrock sandbox agent. A platform engineer deployed a Bedrock agent to test a customer-support workflow, then moved teams. The agent still has an IAM role with read access to a production Aurora cluster. Clutch surfaces it as an orphaned agent (Identity Lineage® shows the original engineer, the role, the data path, and the inactive prompt history) and routes it to the engineer's manager for deprovisioning.
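
The first scenario above (an unsanctioned MCP server surfacing through CloudTrail), sketched as an added example; it is not Clutch's code or detection logic. It assumes constructed CloudTrail-style records and a hypothetical rule: a client user agent first seen on an access key after a baseline date counts as a new credential consumer and is attributed to the key's IAM user.

```python
from collections import defaultdict

# Constructed CloudTrail-style records: the field names are CloudTrail's, the values are made up.
def _ev(time, source, name, agent):
    return {"eventTime": time, "eventSource": source, "eventName": name, "userAgent": agent,
            "userIdentity": {"type": "IAMUser", "userName": "dev-alice",
                             "accessKeyId": "AKIAEXAMPLE0000ALICE"}}

CLI = "aws-cli/2.15.0 Python/3.11.6"
NODE_SDK = "aws-sdk-js/3.490.0 os/darwin lang/js md/nodejs#20.11.0"
SAMPLE_EVENTS = [
    _ev("2025-01-10T09:00:00Z", "s3.amazonaws.com", "ListBuckets", CLI),
    _ev("2025-01-14T23:02:11Z", "secretsmanager.amazonaws.com", "GetSecretValue", NODE_SDK),
    _ev("2025-01-14T23:02:15Z", "rds.amazonaws.com", "DescribeDBInstances", NODE_SDK),
    _ev("2025-01-15T08:30:00Z", "s3.amazonaws.com", "ListBuckets", CLI),
]

def consumer_fingerprint(event):
    """Coarse client identity: first product token of the user agent, lowercased."""
    tokens = (event.get("userAgent") or "unknown").split()
    return tokens[0].split("/")[0].lower() if tokens else "unknown"

def discover_new_consumers(events, baseline_end):
    """Return clients first seen on an access key after baseline_end (ISO-8601 UTC)."""
    known = defaultdict(set)  # access key -> fingerprints seen during the baseline
    found = {}                # (access key, fingerprint) -> finding
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ident = ev.get("userIdentity", {})
        key = ident.get("accessKeyId")
        if not key:
            continue  # record carries no access key, so there is no credential to follow
        fp = consumer_fingerprint(ev)
        if ev["eventTime"] <= baseline_end:
            known[key].add(fp)
        elif fp not in known[key]:
            finding = found.setdefault((key, fp), {
                "owner": ident.get("userName") or ident.get("arn", "unattributed"),
                "access_key": key, "consumer": fp,
                "first_seen": ev["eventTime"], "reached": []})
            action = f'{ev["eventSource"]}:{ev["eventName"]}'
            if action not in finding["reached"]:
                finding["reached"].append(action)  # observed reach, not full entitlement
    return list(found.values())

if __name__ == "__main__":
    for finding in discover_new_consumers(SAMPLE_EVENTS, "2025-01-12T00:00:00Z"):
        print(finding)
```

The user agent is supplied by the client, so the fingerprint is a lead for review rather than proof of what the process is.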

The Bottom Line

Shadow AI agents and unsanctioned MCP servers are non-human identities with reasoning loops attached. Prompt firewalls, model-layer guardrails, CASBs, and EDR each catch a fragment of the surface and none catches the chain. Clutch Security discovers every shadow agent across the three buckets (shadow AI, SaaS agents, enterprise agents) through the credentials they consume, maps each one in Identity Lineage®, and binds it to a human owner through Workforce Attribution. As agentic AI drives the next phase of non-human identity growth, identity-layer discovery is the only approach that scales.