Every few months, a cyberattack in higher education generates a news cycle. The recent disruption to Canvas during finals week is the latest example. These incidents are wake-up calls. They make abstract risk concrete, accelerate budget conversations, and give CIOs leverage to move stalled security investments forward. They are not, on their own, the most important signal.
The more important signals are in the data. A recent LayerX Security report found that nearly half of enterprise employees are using generative AI tools at work, with 22% pasting personally identifiable information into them. A January 2026 study from Educause, conducted in partnership with AIR, NACUBO, and CUPA-HR, found that 94% of higher education professionals have used AI tools for work in the past six months — but only 54% are aware of their institution’s AI policies. More than 70% are using AI tools daily or weekly.
Those numbers describe shadow AI. The pattern is broader. The number of platforms, tools, vendors, and integrations a typical college or university depends on to operate has grown faster than the governance, security, and continuity infrastructure designed to oversee them. Shadow AI is a prime example. It is not the only one.
What tech sprawl actually looks like inside an institution
Higher education environments are structurally exposed to sprawl in ways most other sectors are not. Institutions operate fragmented IT environments with inconsistent security controls across colleges, departments, and research operations, layered atop legacy infrastructure that resists patching and modernization. Attack surfaces have expanded with remote and hybrid work, as well as AI. Internal cybersecurity staffing remains thin relative to the risk surface. And the data institutions hold — subject to FERPA, HIPAA, GLBA, PCI, and an expanding patchwork of state privacy laws — is exactly the data attackers want.
Add a campus culture that has historically prized openness and academic autonomy, and new tools, platforms, and integrations spread laterally across departments faster than any governance function can keep up with. A single academic unit can stand up a research data pipeline, a faculty productivity tool, and an AI-assisted grading workflow in a semester. Multiply that across colleges, schools, and administrative units, and most CIOs and CISOs cannot fully describe where their institutional data is flowing, through whom, or under what contractual terms.
Why “we have a policy” is no longer an answer
The institutional response to an expanding threat surface has often been a policy memo. When nearly all higher ed professionals use AI tools at work but only half know the rules, the policy itself is not the problem to solve. The gap is evidence that the governance work the policy depends on, making it known, checking whether it is followed, and acting when it is not, has not been done.
The Canvas incident illustrates why continuity planning specifically matters. When a core platform goes offline — for any reason, through any vector — the institution’s ability to continue operating is set in advance, not in the moment. Most colleges and universities have continuity plans for their own infrastructure. Far fewer have continuity plans for the SaaS platforms that now run admissions, financial aid, learning management, research data, and student services. That gap is what makes visible incidents so disruptive. The disruption is not the attack. It is the absence of a credible alternative.
What modernization actually requires
A modern security and governance posture has to assume that sprawl is the baseline, not the exception. The work spans visibility, third-party risk, governance, and continuity simultaneously — and the institutions ahead of the curve are treating these as connected disciplines rather than separate projects.
Nothing can be governed that cannot be seen. That means network-level monitoring tuned to detect SaaS and generative AI traffic, endpoint visibility into browser-based tools, and a current inventory of which platforms hold which categories of institutional data. Most institutions have inventories that describe what they procured. Far fewer have inventories that describe what their people are actually using.
Third-party risk management, too, has to become a discipline rather than a procurement checkbox. Every core vendor relationship needs documented answers to four questions: what data the vendor holds and under what classification, what breach-notification timeline applies, what evidence-of-deletion standards apply, and what continuity looks like if the vendor is offline for a week.
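The gap between "what we procured" and "what people actually use" can be measured from traffic the institution already logs. The script below is an added example written for this article, not code from the original page or from any vendor it names. It assumes a generic key=value proxy log format, an illustrative list of generative-AI domains (`GENAI_DOMAINS`), a constructed procurement inventory (`PROCURED_TOOLS`), and an assumed upload-size threshold; the sample log lines are constructed, not real traffic. It aggregates observed gen-AI usage per tool and reports the tools that appear in traffic but not in the procurement inventory, with a count of large POST uploads as a rough signal for pasted content worth reviewing.

```python
"""Shadow-AI usage inventory from proxy logs.

Added example for this article, not code from the original page or any
vendor it mentions. The log format, domain list, procurement inventory
and upload threshold are all assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed mapping of domain suffixes to tool names. Illustrative only; a real
# deployment would maintain this list from a CASB or threat-intel feed.
GENAI_DOMAINS = {
    "openai.com": "ChatGPT",
    "chatgpt.com": "ChatGPT",
    "anthropic.com": "Claude",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Copilot",
    "perplexity.ai": "Perplexity",
}

# Constructed procurement inventory: tools the institution has contracted.
PROCURED_TOOLS = {"Copilot"}

# Assumed threshold: a single POST above this size is worth a second look.
LARGE_UPLOAD_BYTES = 16 * 1024


@dataclass
class ToolUsage:
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_out: int = 0
    large_uploads: int = 0


def parse_line(line: str) -> dict:
    """Parse one 'ts key=value ...' proxy record into a dict (assumed format)."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for f in fields:
        k, _, v = f.partition("=")
        rec[k] = v
    rec["bytes_out"] = int(rec.get("bytes_out", 0))
    return rec


def classify_host(host: str):
    """Return the tool name if the host is a known gen-AI domain or subdomain."""
    host = host.lower().rstrip(".")
    for suffix, tool in GENAI_DOMAINS.items():
        if host == suffix or host.endswith("." + suffix):
            return tool
    return None


def build_usage(lines):
    """Aggregate observed gen-AI traffic per tool: who, how often, how much out."""
    usage = defaultdict(ToolUsage)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        tool = classify_host(rec.get("host", ""))
        if tool is None:
            continue  # not a gen-AI destination; ignore
        u = usage[tool]
        u.users.add(rec.get("user", "?"))
        u.requests += 1
        if rec.get("method") == "POST":
            u.bytes_out += rec["bytes_out"]
            if rec["bytes_out"] >= LARGE_UPLOAD_BYTES:
                u.large_uploads += 1
    return dict(usage)


def shadow_report(usage, procured=PROCURED_TOOLS):
    """Tools seen in traffic but absent from the procurement inventory."""
    return sorted(
        (tool, len(u.users), u.bytes_out, u.large_uploads)
        for tool, u in usage.items()
        if tool not in procured
    )


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2026-01-15T10:02:11Z user=jdoe host=chat.openai.com method=POST bytes_out=18432
2026-01-15T10:03:40Z user=jdoe host=chat.openai.com method=GET bytes_out=0
2026-01-15T10:05:02Z user=asmith host=claude.ai method=POST bytes_out=2048
2026-01-15T10:06:13Z user=bjones host=copilot.microsoft.com method=POST bytes_out=4096
2026-01-15T10:07:55Z user=cwu host=canvas.instructure.com method=GET bytes_out=0
2026-01-15T10:09:30Z user=asmith host=api.openai.com method=POST bytes_out=40960
""".splitlines()

if __name__ == "__main__":
    for tool, users, out, big in shadow_report(build_usage(SAMPLE_LOG)):
        print(f"{tool}: {users} users, {out} bytes uploaded, {big} large uploads")
```

On the constructed sample, Copilot is dropped from the report because it is procured, while ChatGPT and Claude surface as unsanctioned, with ChatGPT showing two distinct users and two uploads above the threshold. Suffix matching is done with an explicit dot boundary so that a lookalike such as `notopenai.com` is not counted; the threshold and domain list are the parts a real deployment would tune.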
Detection has to operate continuously, with managed detection and response paired with 24/7 monitoring as the floor, not the ceiling. Incident response playbooks built before 2024 need a refresh — most do not account for AI-mediated exfiltration, deepfake-driven social engineering, or third-party platform compromise. And governance has to be cross-functional: sprawl worsens when each function decides in isolation, and improves when decisions are made together and revisited as tooling changes.
For institutions without the internal capacity to stand up this kind of program, the gap is increasingly being closed through specialized IT partners that can layer third-party risk management, monitoring, and incident response onto existing campus infrastructure. The model matters less than the outcome.
The institutional case for moving now
Cybersecurity has historically been framed as a cost center. When the institutional inventory of platforms and tools is genuinely difficult to describe, that framing undermines resilience. A cyber incident does not stay in IT — it stalls admissions cycles, slows financial aid processing, locks faculty out of course materials, and erodes the trust prospective students and families place in the institution.
Higher education has spent the last decade hardening its perimeters, only for modern attackers, AI tools, and third-party integrations to walk around them. The discipline is no longer keeping outside parties from reaching institutional systems and data; it is governing the access they are granted: vetted agents, human or automated, authorized for specific tasks under documented terms.
Modernizing the institutional foundation means accepting that the perimeter is no longer the right unit of analysis. The data flow is. The vendor relationship is. The platform inventory is. The question facing higher ed IT leaders now is not whether to respond to the next headline, but whether the institution is structurally ready for the much larger, less visible exposure that occurs between headlines.