Shadow AI is the AI-era evolution of ‘Shadow IT’, only more virulent. We consider how widespread it is, the difficulties of tracking it, the risks, and what you can do about it.
With just a browser and a personal account, employees can introduce powerful technology into the workplace: no need for procurement approval, no infrastructure needs, no formal development cycle.
What is Shadow AI?
Shadow AI is the unauthorised use of AI tools and services by employees without IT approval, oversight, or knowledge. It’s much more than just using ChatGPT in place of search, and includes employee-built automations, AI-assisted coding, and summarisation tools.
The term ‘Shadow AI’ suggests something akin to ‘Shadow IT’, but there are fundamental differences:
- it’s often instantly accessible with no installation or set-up
- it can be rapidly adopted
- it almost always involves use of your data
- it carries much higher operational risk, including output inaccuracies and irreversible data exposure, and
- employee awareness of the issues it brings is very low.
In many organisations, employees are already using unsanctioned AI to summarise documents, draft content, analyse data, automate workflows, and even build simple AI agents.
How widespread is Shadow AI?
Shadow AI appears to be a widespread problem. In October last year, Microsoft released research stating that 71% of UK employees have used unapproved AI tools at work, with 51% doing so every week. These are staggering numbers. While these figures may have included a lot of entry-level AI use, that was last year. In the world of AI things are developing quickly. By now, reality is likely to be way ahead of anything a point-in-time survey can tell us.
So, how widespread is it in your organisation?
You probably know that employees are already using unsanctioned AI at work and it’s easy to see why:
- AI tools are incredibly accessible
An employee can start using AI in minutes rather than months. The tools are often free, or low cost, and instantly accessible via a browser.
- Employees can see immediate productivity gains
People are quick to realise that AI can make their life easier – there’s a big incentive to experiment with drafting, summarisation, analysis, automation, coding and research.
- There are no restrictions in place
In most organisations, governance is still catching up: they are still assessing risk, and don’t yet have mature AI policies or approved tools.
But if you don’t know what sort of AI is being used, where, and for what purposes, that’s not unusual.
Can we see what’s happening?
Traditional IT visibility was not designed to deal with the world we now find ourselves in.
While Microsoft is building a comprehensive shadow AI visibility and governance stack, its capability is distributed across several products.
For example, Microsoft Defender for Cloud Apps can show which AI apps are being used on managed devices, identifying ChatGPT, Claude, Gemini, Perplexity and many other services, along with usage levels, traffic volumes, and risk scores. Tie this in with Purview Data Security Posture Management for AI and you can have real insight into what sensitive information is being put into AI services and how they are being used.
These tools do come with limitations, though, such as:
- unmanaged devices
- reliance on Microsoft Defender for Endpoint
- reliance on the use of supported browsers such as Microsoft Edge
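To make the kind of visibility described above concrete, here is an added example (not Microsoft’s product, nor code from this blog) that aggregates AI-service usage per user from web-proxy logs. The log format, the sample log lines and the hostname-to-service mapping are all constructed assumptions for illustration; the script reports request counts and upload volumes per user and service, and flags users whose uploads to a single service exceed a threshold. It only ever sees traffic that passes through the proxy, which is exactly the unmanaged-device blind spot noted above.

```python
"""Aggregate AI-service usage from web-proxy logs (added illustration).

Constructed log format, one request per line, space separated:
    timestamp user host method bytes_out
The hostname-to-service mapping is an assumption for illustration,
not a list taken from any product.
"""
import re
from collections import defaultdict

# Assumed mapping of hostnames to AI services (hypothetical, for illustration).
AI_HOSTS = {
    "chat.openai.com": "ChatGPT",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
    "www.perplexity.ai": "Perplexity",
}

# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = """\
2025-03-03T09:01:12Z alice chat.openai.com POST 183000
2025-03-03T09:02:40Z alice chat.openai.com POST 2400
2025-03-03T09:05:03Z bob claude.ai POST 910000
2025-03-03T09:06:15Z bob intranet.example.com GET 0
2025-03-03T09:07:50Z carol gemini.google.com POST 12000
2025-03-03T09:08:22Z bob claude.ai POST 450000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|PUT) (\d+)$")


def parse_line(line):
    """Return (user, host, method, bytes_out), or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, user, host, method, bytes_out = m.groups()
    return user, host, method, int(bytes_out)


def summarise_ai_usage(log_text):
    """Per (user, AI service): number of requests and total bytes uploaded."""
    usage = defaultdict(lambda: {"requests": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, host, method, bytes_out = parsed
        service = AI_HOSTS.get(host)
        if service is None:
            continue  # not a known AI service; ignore
        entry = usage[(user, service)]
        entry["requests"] += 1
        if method in ("POST", "PUT"):  # only uploads carry data outwards
            entry["bytes_out"] += bytes_out
    return dict(usage)


def flag_heavy_uploaders(usage, threshold_bytes=1_000_000):
    """Users whose uploads to a single AI service exceed the threshold."""
    return sorted(
        (user, service, stats["bytes_out"])
        for (user, service), stats in usage.items()
        if stats["bytes_out"] > threshold_bytes
    )


if __name__ == "__main__":
    usage = summarise_ai_usage(SAMPLE_LOG)
    for (user, service), stats in sorted(usage.items()):
        print(f"{user:8} {service:12} requests={stats['requests']} "
              f"bytes_out={stats['bytes_out']}")
    print("heavy uploaders:", flag_heavy_uploaders(usage))
```

Run as-is, the script shows the usage tables the blog refers to and flags the one constructed user whose uploads to a single service exceed 1 MB. The threshold is a tuning knob, not a rule; in practice the more useful signal is usually a sudden change in a user’s upload volume rather than a fixed number.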
Regardless of what sellers might want you to believe, right now there isn’t a tool that can give you a comprehensive view of Shadow AI.
Which raises the question, ‘what are the business risks if you ignore this?’
The real risks of Shadow AI
Shadow AI is no longer hypothetical. You’re probably already aware of some of the risks – it’s partly why you’re reading this blog – but they’re worth stating.
1 Data leakage
Probably the biggest concern is sensitive data being pasted into public AI tools. Examples include customer data, employee records, financial information, and intellectual property.
2 Compliance and regulatory exposure
Data leaks go hand in hand with compliance issues potentially around GDPR, retention policies, auditability, and regulatory breaches.
3 Uncontrolled agents and automation
Employee-created workflows, automations, and decision-making agents are unlikely to be accompanied by the correct level of testing, governance, resilience, and oversight.
4 AI-generated inaccuracies
While you’re aware of the dangers of AI hallucinating, misinterpreting, and producing incorrect outputs, are employees? Without governance and education, bad outputs may enter operational processes.
5 Fragmentation and duplication
Without oversight there’s a real risk of different individuals and teams adopting different tools, creating overlapping agents, and duplicating effort, causing inconsistency, inefficiency, and IT management and support problems.
So, should you restrict AI or enable it?
Can we block Shadow AI use?
Blocking AI is unrealistic. Increasingly, AI adoption is coming from employees themselves who value the productivity gains offered. Bans will simply drive usage underground.
It’s important therefore to recognise that Shadow AI is often a symptom, rather than the problem. Employees want to work faster, but in the absence of adequate, sanctioned tools they are finding their own. Use of Shadow AI is evidence of unmet demand.
So, if you can’t block use of AI and you recognise the dangers of uncontrolled adoption what should you do?
What should you do?
Perhaps the easiest part of enablement is the technology. Much of what you need is already available through Microsoft 365 Copilot, Microsoft Copilot Studio, and Microsoft Power Automate.
The bigger questions relate to process, security and governance:
- How do you prevent sensitive data leakage?
- What policies should we implement?
- How do we avoid stifling innovation?
- What sort of employee enablement is effective?
- How do we govern employee-built agents?
Our recent blogs From AI Anxiety to AI Action: Your Route to Agent Readiness and How to Enable DIY AI Agents: Governance, Tools, and Education offer lots of practical tips.
A good partner can save you reinventing the wheel by providing guidance on what works and how to implement it.
This is also where a Microsoft 365 Copilot Readiness Assessment will, crucially, help fast-track adoption with:
- An objective, documented view of readiness
- Identification of data exposure, access controls and governance gaps
- Prioritised, actionable recommendations.
Discover how Cloud Direct can help you combat Shadow AI with appealing, approved, and well governed AI by requesting a call using the form below.