Shadow AI, explained
Shadow AI is the use of AI tools or systems without the approval, monitoring, or governance of your IT and security teams. Here's why it's bad for your business, and how to prevent it.
May 27, 2026 • 3 Minute Read
Are you completely confident that nobody in your organization is using AI in an unapproved way? Utterly certain that someone is not using ChatGPT, Claude, or Grok to complete a task where they really shouldn’t?
If you answered "No" or "Probably not," then don't worry, you're certainly not alone. According to Gartner, 69% of cybersecurity leaders suspect or have evidence that employees are using prohibited Generative AI.
This phenomenon is so common, it's got a name: shadow AI. And it's certainly something you don't want going on in your business, even as you might be pushing for widespread AI use by teams.
Why shadow AI is a bad thing
Let's be honest: cybersecurity teams are constantly flagging new, emerging threats to a business. And since resources are often limited, asking for more to preemptively deal with some yet-to-happen disaster is certainly met with some resignation.
("Oh great, what was it last week, quantum computing and data poisoning? What risk do you want to spend our limited time on first?")
In short, it can be like asking someone to wet the vegetation around your house before some unforeseen bushfire arrives. And yet, this isn't a hypothetical threat. According to IBM's Cost of a Data Breach Report:
- One in five global cyber incidents are now linked to unauthorized AI use.
- Incidents involving shadow AI cost an average of US $670,000 more than other breaches.
- Security incidents involving shadow AI led to more personally identifiable information (65%) and intellectual property (40%) being compromised compared to the global average.
And just recently, a US bank made headlines after shadow AI use resulted in their sensitive customer data being exposed. In 2026, shadow AI is becoming a costly norm.
Shadow AI use typically leads to visible and invisible impacts, like:
- Loss of IP
- Loss of compliance
- Data exposure
- Increased security risks, and
- AI-induced skills atrophy
How to prevent shadow AI use
1. Start with good, measured governance
Banning all AI outright is counterproductive, since bans traditionally result in more shadow IT, not less: people want to use the tools, so they get better at hiding it, and it happens anyway. Shadow AI thrives when sanctioned tools feel too slow, too limited, or simply unavailable. At the same time, you don't want no governance at all, with staff free to use AI tools in all sorts of wild, unpredictable, and damaging ways.
According to IBM research, 63% of breached organizations either don't have an AI governance policy or are still developing a policy. Figure out what's out there in terms of tools, what people are allowed to use and how, and what's off limits.
At the same time you're thinking about AI governance, you should also look into proper data governance, because data and AI are very linked.
2. Monitor for unsanctioned AI use
Governance is the first step, but it needs to be followed up by active monitoring. Of the organizations that have AI governance policies in place, only 34% perform regular audits for unsanctioned AI. Get visibility into your current sanctioned AI tool use as well.
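One practical way to get that visibility is to run your existing web-proxy or DNS logs against a catalogue of known GenAI endpoints and compare what you find with the list of tools you have actually sanctioned. The script below is an added example, not code from the original post: the log format, the domain catalogue and the sanctioned-tool list are all assumptions constructed for illustration, and a real deployment would feed it from its own proxy export and a vetted, regularly refreshed catalogue.

```python
from collections import Counter
from dataclasses import dataclass
import re

# Constructed sample proxy log lines in a simple
# "timestamp user method target bytes" layout. This is not real traffic,
# and the layout is an assumption for this example.
SAMPLE_LOG = """\
2026-05-27T09:01:12Z alice CONNECT chat.openai.com:443 51200
2026-05-27T09:02:40Z bob CONNECT claude.ai:443 8800
2026-05-27T09:03:05Z carol GET https://internal.wiki.example/page 1200
2026-05-27T09:04:19Z bob POST https://api.openai.com/v1/chat/completions 204800
2026-05-27T09:05:33Z dave CONNECT grok.com:443 3100
2026-05-27T09:06:50Z alice CONNECT copilot.microsoft.com:443 4200
"""

# Illustrative catalogue of GenAI hostnames / parent domains -> product label.
# Assumption: in practice this list is maintained from a vetted source and
# kept current, because new tools appear constantly (see step 4).
GENAI_CATALOGUE = {
    "openai.com": "ChatGPT / OpenAI API",
    "claude.ai": "Claude",
    "anthropic.com": "Claude API",
    "grok.com": "Grok",
    "copilot.microsoft.com": "Microsoft Copilot",
}

# Assumption: the organisation has sanctioned only one product for general use.
SANCTIONED = {"Microsoft Copilot"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def host_of(target):
    """Extract the hostname from either 'host:port' or a full URL."""
    if "://" in target:
        target = target.split("://", 1)[1]
    host = target.split("/", 1)[0]
    return host.rsplit(":", 1)[0] if ":" in host else host


def classify_host(host):
    """Return the GenAI product label if the host or any parent domain is catalogued."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in GENAI_CATALOGUE:
            return GENAI_CATALOGUE[candidate]
    return None


@dataclass
class Finding:
    user: str
    host: str
    product: str
    nbytes: int


def find_unsanctioned(log_text):
    """Parse log lines and keep only hits on catalogued, non-sanctioned GenAI services."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the audit
        _ts, user, _method, target, nbytes = m.groups()
        host = host_of(target)
        product = classify_host(host)
        if product and product not in SANCTIONED:
            findings.append(Finding(user, host, product, int(nbytes)))
    return findings


def summarize(findings):
    """Aggregate per-user byte totals (a rough data-exposure signal) and per-product hit counts."""
    by_user = Counter()
    by_product = Counter()
    for f in findings:
        by_user[f.user] += f.nbytes
        by_product[f.product] += 1
    return {"by_user": dict(by_user), "by_product": dict(by_product)}


if __name__ == "__main__":
    for f in find_unsanctioned(SAMPLE_LOG):
        print(f"{f.user:8} {f.product:24} {f.host} ({f.nbytes} bytes)")
    print(summarize(find_unsanctioned(SAMPLE_LOG)))
```

The byte totals are only a volume signal, not proof of what was uploaded, but a user pushing hundreds of kilobytes to an unsanctioned API is exactly the kind of finding that turns a governance policy into an audit conversation. Sanctioned hits are deliberately filtered out here; in a real report you would usually keep them in a separate table so that you can see both sides of the picture the post asks for.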
3. Set up role and function-based permissions
Make it difficult for someone to use unsanctioned AI tools by restricting their abilities to actually do so. Also, not everyone needs the same level of access. Decide who can use what, and for what purpose.
4. Continuously keep on top of the latest AI news
There are new AI tools and features coming out every day that people want to use, so there’s never a shortage of AI governance to be done.
Conclusion
Dealing with shadow AI and reducing risk is all about achieving that golden ratio of governance. So make sure you have key functions and talent to do that on an ongoing basis.
Want to learn more about proper AI governance? Read Julie Heming's "AI readiness: How to mitigate risk with AI governance."