Sarah from Marketing uses an AI chatbot to summarize a confidential client proposal. In doing so, she unknowingly uploads proprietary information to a third-party server. She’s not acting maliciously; she’s doing her best to be efficient.
If this sounds familiar, it should. The rise of Shadow AI echoes a longstanding pattern in enterprise tech: Shadow IT.
Shadow IT: A Pattern Revisited
According to Wikipedia [1], “Shadow IT refers to information technology systems deployed by departments other than the central IT department, often to circumvent limitations or delays imposed by centralized processes.”
Employees don’t go rogue out of rebellion; they just want to get things done. The drivers of Shadow IT have been remarkably consistent:
- Speed & Agility: IT approvals can be slow; business needs aren’t.
- Perceived Efficiency: Consumer tools often outperform enterprise solutions for specific tasks.
- Ease of Access: Tools easily available using just a credit card are hard to resist.
- Lack of Awareness: Most users underestimate the security or compliance implications.
- Frustration with Official Tools: Corporate platforms may feel outdated, clunky, or overly restrictive.
1983: From Bankers to Smugglers
In March 1983, PC Magazine ran a headline: “BankAmerica Plugs In To PC Power.” [2] The article described employees “smuggling” personal computers into offices, not to play games, but to run VisiCalc, the world’s first electronic spreadsheet. What they sneaked in was not data but physical machines: they lugged desktop computers into the office because IT simply couldn’t move fast enough.
Why? Because VisiCalc enabled fast, flexible financial modeling that mainframes simply couldn’t. Employees bypassed IT not to break rules, but to do better work. VisiCalc fundamentally changed business analysis and marked the rise of end-user empowerment, and of course, Shadow IT.
2012: The Rise of Cloud-Driven Shadow Tech
A 2012 French study of 129 IT managers (Chefjec) [3] showed how Shadow IT had evolved:
- Excel Macros – 19%
- Software – 17%
- Cloud Solutions – 16%
- ERP – 12%
- Business Intelligence Tools – 9%
This marked the growing wave of internet-based services entering the enterprise via non-traditional methods. What began as rogue spreadsheets was now SaaS applications living outside IT’s line of sight.
2025: Shadow AI Has Entered the Chat
Fast forward to today. Shadow IT has a new face: Shadow AI, the use of unsanctioned AI tools in the workplace.
Common examples include:
- Pasting sensitive content into public generative AI models like ChatGPT or Gemini.
- Using AI-powered grammar tools, meeting note apps, or copilots not approved by IT.
- Leveraging AI for image generation, code assistance, or data analysis in unmonitored apps.
As with early cloud adoption, employees are turning to AI not to circumvent policy, but to meet deadlines, enhance output, and solve real problems. However, the risks run deeper this time.
The Risks of Shadow AI
- Data Leakage: Sensitive info can be absorbed into public training datasets (e.g., Samsung’s 2023 code leak via ChatGPT).
- Compliance Violations: GDPR, HIPAA, and other regulations are easily breached when data use is invisible.
- Intellectual Property Loss: Proprietary knowledge may unintentionally become public domain.
- Misinformation Risks: AI hallucinations can lead to false insights and reputational damage.
- Security Exposure: Malicious prompts, prompt injection attacks, or rogue plugins pose new threats.
- Lack of Auditability & Governance: Unsanctioned AI use creates blind spots for IT, making it impossible to track data flow, manage licenses, ensure consistent output, or conduct proper investigations in case of a breach or error.
- Operational Chaos: Without governance, duplicated efforts, inconsistent outputs, and cleanup costs spiral quickly.
Lessons from the Past
The same lesson we learned with Shadow IT applies here: banning tools doesn’t work. Innovation will happen, sanctioned or not.
The right approach? Empower teams with guardrails, not roadblocks. That means:
- Providing secure, approved AI tools.
- Educating employees on safe AI practices.
- Building clear usage policies and governance frameworks.
- Creating internal “AI sandboxes” for experimentation without risk.
- Encouraging cross-functional input (Legal, Security, Product, HR) into AI deployment strategies.
AI Is a Signal, Not Just a Risk
Shadow AI isn’t just a problem—it’s a signal. Just like the cloud era forced IT to evolve from gatekeepers to enablers, AI is now challenging enterprises to shift from restriction to responsibility.
The companies that embrace this shift, by enabling secure experimentation, upskilling their workforce, and embedding AI responsibly, will win the productivity and innovation race.
References
- [1] Shadow IT. (n.d.). In Wikipedia. Retrieved June 25, 2025, from https://en.wikipedia.org/wiki/Shadow_IT
- [2] Covert, Colin (March 1983). “BankAmerica Plugs In To PC Power”. PC. pp. 208–211. Retrieved 2025-04-17.
- [3] Chefjec (2012). “Shadow IT Survey of 129 French IT Managers.” rc3a9sultats-enquete.pdf
Shout out to Brian Madden – I’ve been reading his blog articles about AI and the workplace, and they inspired me to write this article.
