Shadow AI
Are you already behind the curve?
Whether you know it or not, your employees are already using AI. In all likelihood, the vast majority of them are. For most organizations, it is a risky problem that is quickly spinning out of control.
Shadow AI is the use of AI tools with company data outside approved, governed, and secured systems.
Why is Shadow AI a problem?
- Shadow AI exposes your data.
- Security risk: roughly 1 in 5 breached organizations were compromised through Shadow AI (IBM Cost of a Data Breach Report 2025).
- Prohibition does not work — governance does.
- Establishing best practice workflows early raises the bar across your entire organization.
What is Shadow AI?
Shadow AI is the unsanctioned use of AI in an organization, typically by employees or teams using public AI apps (or AI features inside other software) without security review, IT approval, or governance. If you don’t have a “governed” AI solution, it is no longer a question of whether Shadow AI exists in your organization. It is more likely a question of whether it is 50% of your employees or 95%.
What it usually includes:
- Staff using tools like ChatGPT/Claude/Gemini or “AI assistants” in SaaS products with company data
- Uploading documents, code, client info, or internal notes to AI tools outside approved systems
- Building quick AI automations/bots using personal accounts or unvetted vendors
- Enabling AI features by default in apps where data handling/retention isn’t understood
Why it matters:
- Data leakage (sensitive info copied into prompts or uploaded files)
- Compliance issues (PII/PHI/PCI, client confidentiality, retention requirements)
- IP exposure (source code, proprietary docs)
- Unknown vendor handling (training/retention, third-party subprocessors, cross-border data)
- No audit trail (hard to prove what data went where)
What are the risks?
It can be hard to wrap one’s head around, but there are real reasons for concern.
In a recent article, DigitalApplied reports that “76% of organizations report unauthorized AI tool usage by employees.” Here are their conclusions, and they are spot on.
- “Shadow AI is not a fringe problem — it is the default state: With 76% of organizations reporting unauthorized AI tool usage, shadow AI is not an edge case to address later. Employees adopt AI tools faster than IT governance cycles can keep up, making proactive detection and policy frameworks essential rather than aspirational.
- “Data exfiltration is the primary risk, not AI accuracy: The most consequential shadow AI risk is not that employees get bad outputs — it is that sensitive business data, customer PII, and proprietary code are being fed into third-party LLM providers without data processing agreements or security vetting. This creates direct compliance exposure under GDPR, HIPAA, and SOC 2.
- “Prohibition does not work — governance does: Organizations that ban all unauthorized AI tools see shadow AI usage go underground, not disappear. The more effective approach combines a permissive approved tool program with network-level detection to bring AI usage into the open and ensure it flows through vetted channels.
- “Governance policies must be role-differentiated: A blanket AI acceptable use policy that treats a software engineer the same as an HR manager will either be too restrictive for engineers or too permissive for HR. Effective shadow AI governance differentiates by data sensitivity, role function, and the types of AI tools involved.”
The article has additional detail, or talk to us — we’ll be happy to discuss how it applies to your organization.
But wait, there’s more
You’re not the only one thinking about it. These quotes are from industry experts and notables.
AI adoption correlates with incident frequency, underscoring the need for governance
“The biggest and best-known risk is shadow AI, which refers to employees’ use of unapproved and ungoverned AI tools. When ‘IT is left in the dark about what AI systems are used,’ that ‘lack of visibility makes security and governance difficult, if not impossible.’”
CyberSecurity Dive News
Senior execs worry about AI system lock-in
“More than 7 in 10 leaders said switching from their primary AI provider would be challenging.”
IBM’s Institute for Business Value study
20% of Breached Organizations Were Compromised through Shadow AI
“Shadow AI has moved from a governance footnote to the single fastest-growing entry on the corporate breach ledger. IBM’s Cost of a Data Breach Report 2025 found that 20% of breached organizations were compromised through shadow AI, the unsanctioned generative AI tools employees adopt without security sign-off. Those incidents added roughly $670,000 to the average breach. As of June 2026, security leaders are treating that figure as the opening bid, not the ceiling.”
Commentary on IBM’s Cost of a Data Breach Report 2025
Jamf Survey finds AI incident rates rise
“AI governance is quickly becoming an operational requirement rather than a future planning exercise.”
Jamf Software
What the experts say
AI Policy: There’s a lot to think about.
Don’t take our word for it: See what the experts think.
Employers of all sizes should have a written AI policy. Even small businesses are using AI, even if they do not know they are, through chat tools, scheduling software, applicant screening platforms, productivity tools, customer service systems, and vendor products. Without a clear policy, employers increase the risk of inconsistent practices, confidentiality problems, discrimination issues, and avoidable liability.
At a minimum, an employer’s AI policy should address:
- What AI tools are approved;
- What business uses are allowed;
- What data cannot be entered, including personally identifiable information and trade secrets;
- When human review is required;
- When AI is prohibited for employment decisions, to help prevent discrimination;
- How accommodations are handled when use of AI creates disadvantages due to disability, such as when AI monitoring software flags an employee as low performing when the real issue is a disability, or when an applicant is screened out based on an answer tied to a disability that could be reasonably accommodated;
- What records are kept, along with a statement that employees have no reasonable expectation of privacy in connection with company AI use;
- How vendors are vetted for their own use of AI, which may create downstream liability for the company; and
- Who is responsible for compliance.
A practical AI policy does not need to be overly technical or overly long. It just needs to set clear rules so the company can use AI thoughtfully, protect confidential information, reduce employment risk, and create accountability before problems arise.
Making it easy for you
No Risk.
No Obligation.
Finding out more is simple, and at no cost. As your advocate, we only want you to secure the services that make sense — whether it's for something new, or replacing an existing solution.
You're in control. Let's talk!
