Did you know that there’s a silent security risk lurking about your organisation?
It often starts small: an employee drafting a report might paste sensitive data into ChatGPT or a sales rep auto-generates e-mails using AI (artificial intelligence). Then, it escalates: a software engineer might use a personal Gemini account to write test cases and generate boilerplate code, or a marketing designer generates campaign visuals from brand copy using Canva’s AI image tools. This is Shadow AI, which is using AI tools and systems without the involvement, monitoring, or approval of an organisation’s security or IT teams, leading to compliance issues, data leaks, and potential security risks.
However, Shadow AI is much more complex than just the unauthorised use of ChatGPT. Not only are there personal accounts to consider, but also Google Translate, Grammarly, Canva’s assistants, MCP servers, AI browsers – the list is endless. These tools are blurring the boundaries between sanctioned and what’s unsanctioned while using AI, and between work and experimenting. Does this mean that “blocking AI” is entirely impossible? Let’s review.
Where Does Shadow AI Begin?
As we mentioned earlier, Shadow AI often starts with small decisions, with the commonest being employees pasting sensitive data into chatbots while drafting reports. Developers might embed GenAI (Generative AI) features into apps using OpenRouter or Hugging Face. Teams might use open-source LLM APIs to design internal tools.
In fact, everything from Canva and Reddit to LinkedIn and even Grammarly now have embedded AI capabilities, and newer platforms like Replit, Gamma, and Lovable are all AI-native right from inception. You want more? Using personal accounts to log into SaaS (Software-as-a-service) apps that include embedded AI features. There’s a common thread linking all these behaviours – they don’t go through compliance, procurement, or security review.
This is where the Shadow AI problem stems from. These AI tools have become extremely accessible as they’re built into existing platforms, browser-based, or entirely free. What’s more, they often touch sensitive data. Since most enterprises are still designing their AI governance approach and centralised IT teams stretched thin, employees end up using them before formal guidance is in place. So, when these tools are employed informally, they introduce a whole boatload of risks, including exposure to malicious models, regulatory violations, and data breaches. And since they’re unsanctioned, security and IT teams don’t know what’s hit them, let alone have a way to restrict or monitor them.
As is evident, the intent isn’t malicious in most of the cases, but it’s rather about getting work done faster. However, since all these tools fall outside the purview of sanctioned channels, they aren’t covered by enterprise compliance, governance, or security controls.
According to the 2025 AI in Identity Security report by Delinea, nearly 44% of enterprises with at least some amount of AI usage struggle with the threat of Shadow AI, with business units deploying AI apps without involving security and IT and security teams. If that wasn’t enough, an equal percentage of organisations grapple with unauthorised usage of GenAI by employees.
Tackling The Threat Of Shadow AI
For a brief moment in time, it looked like the use of AI would consolidate around a few major vendors, such as ChatGPT, Microsoft Copilot, and the like – but that didn’t happen. For example, Anthropic’s Claude leads in enterprise API usage today. In fact, 11% of sensitive data exposures come from personal accounts using organisation data to inadvertently train external models.
That’s where Shadow AI becomes hard to control. Once a specific tool is allowed, security and IT teams can’t easily restrict which plans or accounts employees choose. So, rather than block the use of personal AI entirely, a smarter move is to bring it into a visibility and governance framework that makes using them responsibly as the default mode.
Enterprises should establish strict policies for using GenAI tools across all departments to prevent these risks. This includes not only ensuring that employees use only approved platforms, but also integrating AI risk assessments into SaaS (Software as a Service) evaluations and auditing existing tools. Additionally, organisations need to control and monitor technical debt created by AI-generated outputs, such as designs, content, and code. They also need to track technical debt through IT dashboards to avoid maintenance issues and costly delays that reduce ROI (return on investment), review it regularly, and implement documentation standards.
A far-reaching thought would also be to prepare for evolving data sovereignty laws by selecting vendors that comply with local regulations by collaborating with legal teams. The idea is to protect human expertise by designing AI systems that augment critical thinking and judgement rather than replace it.
Final Thoughts
The surge in Shadow AI highlights the tension between AI adoption and control, with most enterprises treat Shadow AI as a security failure. However, its presence is a testament to the fact that traditional governance models cannot adapt to the fast pace that employees are moving at.
While that might be uncomfortable for security and IT teams, it’s also the best catalyst for stronger and appropriate AI governance and control, and the best signal we’ve had in years that we have some catching up to do in that matter.
In case you missed:
- Can AI Modernise Legacy Systems?
- The Era of Oversharing Online: Data Privacy Concerns
- Has Private Cloud Made Its Comeback?
- AI And The Supply Chain: Reshaping The Logistical Network
- Agentic AI and its Future in the Fintech Revolution
- Keeping Your Tech Tidy: Tips For Data Backup And Safety
- All About Data Poisoning Cyberattacks
- Chatting with ChatGPT? Be Warned – It Could Be A Downward Spiral
- All About AI Prompt Injection Attacks
- The Good Samaritan: A Complete Guide To Ethical Hacking
