Shadow AI: finding the tools your people already use

The AI tools you do not know about are the ones you cannot govern. Shadow AI is the unspoken counterpart to every formal AI strategy.

Michael McCarroll. Updated June 2026.

Why shadow AI is different from shadow IT

Shadow IT is at least two decades old: the marketing team's Dropbox, the engineer's personal AWS account, the unsanctioned project-management tool. Shadow AI rhymes with it but differs in three important ways.

The barrier to entry is lower than any previous category of shadow tool — many generative-AI services are free, require no installation, and produce immediate value. The data exposure per interaction is higher, because a single prompt can contain more confidential context than a year of unsanctioned cloud storage. And the discovery is harder, because the traffic is often indistinguishable from ordinary web browsing.

Where shadow AI actually lives

A useful inventory considers four habitats.

1. Consumer chat interfaces. The browser-based services the user opens in a personal tab. Visible to network telemetry, invisible to most procurement systems.

2. Browser extensions and desktop add-ons. Quietly installed summarisers, transcribers and writing aids. Often have broad read access to the screen or page content.

3. Embedded features in approved SaaS. The supplier turned on an AI feature that nobody asked about. Not technically shadow because the supplier is approved, but functionally shadow because the feature was not assessed.

4. Personal-account access on corporate devices. Employees signing into AI services with personal accounts to bypass corporate controls. The hardest category to detect and the most legally awkward to remediate.

A discovery method that produces real numbers

A credible shadow-AI baseline combines several sources.

  • Network telemetry: DNS, proxy or CASB data filtered for known AI service domains. Yields a list of services and a rough volume.
  • Expense data: credit card and reimbursement queries for AI subscription names. Yields the procured-but-unmanaged tail.
  • Endpoint inventory: browser extension and installed-application inventories. Yields the long tail of small tools.
  • Structured conversation: short, non-punitive interviews with team leads about what they use and why. Yields motivation, which is the most actionable input.

The combination, repeated quarterly, produces a baseline that improves with each iteration. Most organisations are surprised by the answer the first time.
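The network-telemetry source above, as an added example that is not part of the original article: a small Python script that matches proxy-log hosts against an AI-service watchlist on domain-label boundaries (so a look-alike host such as notexample-llm.com is not counted) and aggregates requests, distinct users and bytes uploaded per service, which is the "list of services and a rough volume" the baseline needs. The log line format, the user names and every watchlist domain are constructed placeholders; a real baseline substitutes its own proxy export format and a maintained domain list.

```python
"""Turn proxy log lines into a shadow-AI service inventory (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Placeholder watchlist: registrable domain -> service label. Constructed for
# this example; a real baseline maintains its own list of AI service domains.
AI_WATCHLIST = {
    "example-llm.com": "ExampleLLM Chat",
    "summarise-this.example": "Summarise-This extension",
}

def match_service(host: str) -> Optional[str]:
    """Match on label boundaries: api.example-llm.com counts, notexample-llm.com does not."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        label = AI_WATCHLIST.get(".".join(labels[i:]))
        if label is not None:
            return label
    return None

@dataclass
class ServiceStats:
    requests: int = 0
    bytes_out: int = 0          # rough proxy for how much data left the estate
    users: set = field(default_factory=set)

def build_inventory(lines: Iterable[str]) -> Dict[str, ServiceStats]:
    """Parse constructed 'timestamp user host bytes_out' lines; skip malformed ones."""
    inventory: Dict[str, ServiceStats] = defaultdict(ServiceStats)
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        _ts, user, host, bytes_out = parts
        service = match_service(host)
        if service is None:
            continue                      # ordinary browsing, not in scope
        stats = inventory[service]
        stats.requests += 1
        stats.bytes_out += int(bytes_out)
        stats.users.add(user)
    return dict(inventory)

def rank_by_exposure(inv: Dict[str, ServiceStats]) -> List[Tuple[str, int]]:
    """Order services by bytes uploaded, the column a first review should start from."""
    return sorted(((s, st.bytes_out) for s, st in inv.items()), key=lambda x: -x[1])

SAMPLE_LOG = [  # constructed sample proxy export, not real traffic
    "2026-06-02T09:14:03Z alice chat.example-llm.com 18420",
    "2026-06-02T09:15:10Z bob api.example-llm.com 2048",
    "2026-06-02T09:16:44Z alice notexample-llm.com 512",
    "2026-06-02T09:20:01Z carol summarise-this.example 73000",
    "2026-06-02T09:21:00Z dave www.intranet.example 900",
    "malformed line",
]
```

Run quarterly against the full proxy export and diff the ranked output against the previous quarter's to see which services migrated to the sanctioned tool and which persisted.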

What to do with the results

The instinct to block, ban and police is understandable and ineffective. Three actions produce durable results.

Provision a sanctioned alternative. If users have a corporate AI tool that is fast, broadly capable and tied to corporate identity, most shadow use migrates to it within months. Friction sends users elsewhere; absence drives them there.

Onboard the persistent shadow tools. Some shadow tools serve real, specialised needs. Bring them through a lightweight assessment, sign a contract, retire the personal accounts. The user keeps the capability; the organisation keeps the governance.

Block only the genuinely unsafe. A small list of services that are known to retain or train on prompts in incompatible ways. Block these at the network layer and explain why. A short, accurate list earns credibility; a long, arbitrary one loses it.

Bring every AI tool into a single managed register

ISO-STANDARD.app gives shadow AI a structured route into the light — discovery, classification, control mapping and supplier review — without turning governance into a chase.

ISO-STANDARD.app ships a ready-to-adopt ISO 42001 workspace with the risk register, controls catalogue, policies and audit-ready exports already wired together — no spreadsheet sprawl, no consultant lock-in.

Prefer a conversation? Email hello@iso-standard.app — a real human responds within one business day.
