What is Shadow AI & What Can You do About It?

Artificial intelligence (AI) is now embedded in everyday professional workflows — so much so that 46% of employees say they would continue using AI tools even if their organization banned them. The productivity gains are undeniable, but this widespread, unmonitored use of AI also introduces growing risks around data security, compliance, and governance.

As AI tools become more accessible and easier to use, employees are increasingly adopting them without IT approval. This creates a major blind spot for organizations — one that the Cloud Security Alliance (CSA) has called “your IT team’s worst nightmare.”

In this article, we’ll break down what shadow AI is, the business risks it introduces, and what you can do to mitigate them.

What is shadow AI?

Shadow AI, a subset of shadow IT, refers to the unauthorized use of AI tools within an organization. Anytime employees access or integrate AI applications that haven’t been approved, secured, or monitored by IT, it creates an instance of shadow AI.

Like shadow IT, shadow AI introduces risks around data leakage, compliance violations, and operational disruptions — but on a larger scale. These tools often have access to sensitive company data and operate with little to no oversight. According to the CSA, shadow AI has earned its reputation as a top concern, and for good reason: the average cost of a breach involving shadow AI is more than half a million dollars higher than breaches with minimal or no AI involvement.

Shadow IT vs shadow AI: What’s the difference? 

Shadow AI creates a unique set of challenges because modern AI tools introduce new risks that traditional shadow IT didn’t have. For example, sensitive data leakage is a common shadow IT risk. But, data leakage into a generative AI tool comes with the additional risk of third-party AI models being trained on sensitive corporate information. The table below breaks down some of the similarities and differences between shadow AI and shadow IT. 

	Shadow IT	Shadow AI
Definition	Use of information technology, including both hardware and software, that is not authorized or managed by IT.	A subset of shadow IT that involves the use of unauthorized AI tools (LLMs, generative AI, natural language processing, etc.).
Example sources	Users adopting software without IT approvalUnauthorized devices used in a BYOD programUnauthorized file share programs	Personal ChatGPT usage for business purposes Unauthorized use of vibe coding tools to create code for production useUpload of sensitive data to an unauthorized AI analysis tool
Risks	Compliance violations Security breachesSensitive data leaksWasted spend on unneeded licenses	The compliance and security of traditional shadow IT softwareInaccurate or low quality content from generative AIAI agents performing costly actions (e.g., deleting production data)
Controls and mitigations	Shadow IT governance Data classification and data loss preventionSaaS management tools Communication and collaboration with users	Acceptable AI usage policies SaaS management toolsCommunication and collaboration with users

What causes shadow AI in the workplace? 

Like with shadow IT, end users trying to solve a business problem is the most common source of shadow AI.  Regardless of their job description, chances are that your end users now operate in a world where AI tools are one of the fastest ways to get results. Frankly, those results are often good enough for many use cases and can save your users drastic amounts of time. Fundamentally, that’s a good thing for the business. The challenge is that end users won’t account for the security, compliance, and IT policy risk that comes with AI tools.   

This leads to a wicked combination of easy access to AI tools and a motivated user base with a business problem that can leave IT playing catch-up when it comes to detecting shadow AI and mitigating business risk. 

Common examples of where these factors can lead to shadow AI in practice include:

• Engineering teams using unauthorized AI-powered code generation to speed up development cycles 
• Support agents copy/pasting user questions (with user data) into an unapproved chatbot like ChatGPT to get a quick answer for a support ticket
• Administrators using personal AI tools to analyze corporate data and create visualizations for presentations and reports

Shadow AI examples 

To understand just how easily shadow AI can become a problem and how it pops up in the workplace, let’s look at three concrete examples of shadow AI. 

1. Unauthorized use of personal ChatGPT accounts

Just as using personal Google Drive accounts for business use is a classic example of shadow IT, using personal ChatGPT accounts for business purposes is one of the most common examples of shadow AI. 

This is particularly common when an organization doesn’t offer an authorized LLM tool as an alternative. Typically, what happens in practice is something like this: 

1. An end user knows they have a problem ChatGPT can solve, such as generating copy or proofreading an email
2. They know the organization doesn’t offer a tool that can perform the task as quickly and easily as ChatGPT could
3. They use their personal ChatGPT account to get the job done and move on to the next task

Unfortunately, that personal ChatGPT account won’t typically have the hardening, data sharing, and model training policies that meet organizational requirements. Just how big of a problem is this? Recent research suggests 74% of work-related ChatGPT use is done using noncorporate accounts.

2. Vibe coding and using AI for prototyping 

Generative AI makes it easier than ever for developers and non-technical staff to generate code fast. As with ChatGPT, it’s relatively easy for users to get their hands on AI coding assistants like GitHub Copilot, Qodo, and Amazon CodeWhisperer. When employees use these tools without IT approval, shadow AI emerges. 

The risk of this type of shadow AI is particularly dangerous because, without the proper checks in place, poorly written AI code can produce unexpected results and security vulnerabilities. Case in point: Veracode found that almost half of all AI-generated code was found to contain security flaws even though it appeared “production ready”. 

3. Data analysis with unapproved AI tools

Many professionals will turn to unapproved AI tools when they need to analyze data (e.g., compare candidates for a job, visualize sales trends, or extract insights from a large .csv file) for reports and presentations. In fact, HelpNetSecurity reports that 93% of employees admit to inputting data into AI tools without approval. 

In some cases, the result is a more polished report in less time. But, it leaves the business exposed to potential sensitive data leakage, compliance violations, and, in the case of hallucinations, the spread of misinformation.  

What are the risks of shadow AI? 

Shadow AI comes with data security, privacy, and compliance risks. Unlike other forms of shadow IT, AI tools also generate outputs that can introduce unique business risks when those outputs are used improperly. Let’s break down five common shadow AI risks. 

Risk #1 – Data leaks caused by AI tools

LLMs and generative AI tools need training data. Often, part of that training data comes from users. That creates a risky feedback loop where the data you feed into a cloud-based AI tool could be exposed to other users. For example, Samsung engineers accidentally leaked trade secrets by using ChatGPT. 

Risk #2 – Shadow AI leads to compliance violations  

Regulated industries face significant compliance risk from shadow AI. For example, in the legal field, lawyers and associates who embrace “BYOLLM” (Bring Your Own LLM) without the proper oversight risk data leaks, breaching attorney-client privilege, and violating data privacy laws like GDPR, CCPA, or PIPEDA. 

Risk #3 – Liability risk from AI-generated content 

Generative AI can be subject to hallucinations, bias, and misinformation. If you use the content from generative AI in a commercial context, you may be taking on liability risk or the risk of a lawsuit if something the AI created is incorrect, infringes on intellectual property rights, or otherwise causes harm. 

There are also cases where the creators of AI tools face similar risks. For example, Anthropic (a company that makes AI tools) has been sued by multiple music companies over copyright claims. Similarly, Disney and Universal have sued AI image generator Midjourney over the data its models were trained on.

Risk #4 – Low-quality AI output can negatively impact your business  

While rapid prototyping and ideation using AI-generated code — often referred to as “vibe coding” — can accelerate experimentation, it is not suitable for production-grade applications. Deploying AI-generated code without rigorous review and professional oversight can result in severe consequences. For example, an AI coding agent from Replit recently caused a “catastrophic failure” by deleting a production database, highlighting the serious risks of relying on unvetted AI outputs in critical systems.

Risk #5 – Wasted spend on unnecessary AI tools 

Like shadow IT, sometimes shadow AI is useful but duplicative and wasteful. If the organization is already paying for enterprise licenses for AI-powered tools for a given use case (e.g., project management or code generation) and individual employees or business units go out and source their own AI tools, that’s wasted spend. 

How to manage shadow AI risks 

Fortunately, there are practical ways to mitigate shadow AI risk. Like the broader category of shadow IT, managing shadow AI risk requires a mix of organizational alignment, strategy, tools, and process. Below, we’ll explain 7 best practices that can help you get it right. 

1. Secure executive buy-in to address shadow AI

Effectively addressing shadow AI requires more than just IT involvement — it demands alignment at the highest levels of the organization. Without support from the C-suite, efforts to manage unauthorized AI usage are unlikely to succeed.

Given the pervasive adoption of AI across business functions, IT teams cannot tackle the risks of shadow AI in isolation. Leadership backing not only reinforces the importance of the initiative but also helps overcome potential roadblocks such as budget limitations, cross-departmental resistance, and competing priorities. 

Here are 4 tips to help you win C-suite buy-in for a shadow IT governance initiative:

• Make the business risk clear: Use examples and data (e.g., over 60% of organizations in a recent survey having an AI-related data leak) to help execs understand why shadow AI is an important problem to solve. Bonus points for including compliance and regulatory risk. 
• Align with existing initiatives if you can: Many of the steps required to solve the shadow AI problem overlap with initiatives your organization may already have in place for shadow IT, compliance, and data security. To identify quick wins, you can highlight areas of overlap where a shadow AI initiative can leverage existing programs and tools to reduce overhead and cost. 
• Recommend a framework: Frameworks like NIST’s AI Risk Management Framework (AI RMF) can give your organization a starting point and jumpstart a shadow AI initiative. Instead of starting from scratch, you can build executive confidence that your efforts will have a foundation in current best practices. 
• Engage stakeholders and consider their input: There are plenty of competing initiatives the C-suite has to prioritize. To give your shadow AI proposal the best chances for success, engage with key stakeholders before you engage the C-suite with a plan. Consider stakeholder inputs, objections, and priorities, and make sure you have a plan to address them so you have support throughout the organization.
  

2. Be collaborative with and educate your users on shadow AI 

It can be easy for IT and end users to fall into an “us vs. them” trap when dealing with shadow IT and shadow AI. After all, by definition, shadow AI and shadow IT mean that users are doing something unsanctioned by IT. However, rather than getting lost in what should be, IT should recognize that ultimately, users are trying to solve problems, and they’ll be more likely to help you get things right if you foster an environment where open collaboration and communication are welcome. 

More simply, don’t make users scared of engaging with you on the topic. Instead, educate them on the risks of shadow IT just like you would for standard security awareness training. 

3. Provide viable AI solutions to reduce the need for shadow AI

Outright banning AI isn’t likely to work in your favor. For one, users will probably find a way to get their hands on AI anyway. And, if they don’t, becoming a business that doesn’t use AI at all will likely place you at a competitive disadvantage. 

Talk to your users and understand the problems they are trying to solve with AI. If there is a valid business case, bring the shadow AI tools under IT management or find a viable replacement that can meet security and privacy requirements. 

4. Implement an AI governance framework 

As with other security and privacy risks, a governance framework can help you strategically define controls and mitigations to manage shadow AI risk. In fact, there are already a few standards you can borrow from as you build out your AI governance framework. For example, the NIST AI RIsk Management Framework (AI RMF) provides a detailed framework as well as playbooks to help you “Govern”, “Manage”, “Map”, and “Measure” AI  risk. 

5. Implement technical controls to detect shadow AI use 

In many ways, IT security and monitoring solutions like data loss prevention (DLP), security web gateways (SWGs), and endpoint monitoring can help reduce shadow AI risk. After all, whether it’s a human, traditional program, or AI bot, you want to detect and contain threats as they emerge. 

SaaS discovery and SaaS management platforms are another excellent tool to have in your toolbox for the fight against shadow IT. By discovering and monitoring exactly what apps users are accessing in the browser or on a device, you can gain direct insights into shadow AI usage. As you discover unmanaged AI usage, you can either root it out or bring the apps under management to ensure they meet security and privacy requirements. 

6. Iterate and improve your AI policies and controls over time

We’re early in the game when it comes to AI security. You can and should expect the tools and strategies teams use to mitigate shadow AI risk to evolve over time. Therefore, it’s essential that you bake continuous improvement into your AI policies and controls. As the way AI works changes and you get real-world feedback on how your controls are (or aren’t) addressing business risk in practice, you ensure you’re agile enough to change based on the ground truth. 

Reveal shadow AI with Auvik SaaS Management 

Auvik SaaS Management has robust SaaS discovery capabilities that allow IT to uncover unauthorized AI use in near real time. With our SaaS management software, you can:

• Build a robust SaaS inventory, including AI apps like ChatGPT
• Manage application, employee, and account lifecycle insights for all business apps
• Discover exactly which apps users are accessing and detect risky behaviors like password sharing and using personal accounts from business devices

If you’d like to see how ASM can help you mitigate shadow AI risk and improve your SaaS visibility, schedule a demo today!

Shadow AI FAQ