More Than Half of the UK’s Regulated Orgs Have Detected Shadow AI. Here’s Why (and What To Do About It)

Most organisations would tell you they have an AI policy. Somewhere in the handbook, there’s likely a paragraph about acceptable use, data handling, and the tools the IT team has approved. On paper, things look reasonably under control.

What’s happening in practice is something different. Across regulated, mid-market organisations, AI usage is running well ahead of the formal frameworks designed to govern it.

Employees are reaching for the tools that make their jobs easier, whether or not those tools have been signed off. And in most cases, the people responsible for AI governance don’t yet have a clear picture of where, how, or by whom AI is actually being used inside their own business.

What is shadow AI?

Shadow AI refers to the use of artificial intelligence tools, models, or applications without formal approval, oversight, or governance from the organisation.

In practice, this can be as simple as an employee using a public chatbot to summarise a report, generate code, analyse data, draft customer communications, or conduct research. The tools themselves are often legitimate and widely available. The issue is that their use takes place outside the organisation’s approved processes, security controls, and accountability frameworks.

Shadow AI is rarely driven by malicious intent. Most employees adopt AI tools because they help them work faster, automate repetitive tasks, or improve productivity. The governance challenge arises when AI usage grows faster than the policies, controls, and approved alternatives designed to manage it.

As AI tools become more powerful and easier to access, the gap between official AI strategies and everyday employee behaviour is becoming increasingly difficult for organisations to ignore.

How common is shadow AI today?

Our recent research, surveying 205 CTOs and senior IT decision-makers across the UK’s regulated industries, found that 51% have already detected unauthorised AI use by employees inside their organisations. A further 20% suspect it’s happening but haven’t yet been able to prove it. Only 28% are confident that no shadow AI usage exists at all.

In other words, around seven in ten technology leaders are either actively dealing with shadow AI, or worried they might be. And yet, the activity itself is rarely dramatic. It’s the everyday stuff: an employee pasting customer information into a public chatbot to summarise a document, a manager using an AI assistant to draft a sensitive email, a team member relying on AI-generated analysis to inform a decision that ends up influencing how a regulated process is run. Most of it is well-intentioned, productivity-driven, and entirely invisible to the people who would need to know.

That’s what makes it a governance problem rather than a behaviour problem. Shadow AI isn’t about employees doing something “wrong.” It’s about the existence of a parallel layer of AI activity that sits outside every control, log, and accountability structure the organisation has put in place.


Why is shadow AI different to shadow IT?

Shadow IT has been a known challenge for years – employees using unsanctioned tools to get their work done faster than the formal procurement process allows. Most CTOs have a playbook for it. Shadow AI looks similar on the surface, but the risk profile underneath is materially different.

When an employee uses an unapproved project management tool, the data shared with that tool is usually limited and the actions taken inside it are reversible. When an employee uses an unapproved AI model, they may be pasting sensitive customer information, internal financial data, or regulated content directly into a system that retains, and potentially trains on, that input. The data leaves the organisation’s perimeter without ever being recognised as having done so.

The second difference is in how the outputs are used. Traditional shadow IT produces artefacts that look like artefacts: documents, spreadsheets, project plans. AI outputs increasingly look like analysis, judgement, and recommendation. They get woven into decisions, embedded in customer communications, and used to justify actions that carry regulatory weight, without anyone necessarily flagging that an AI was involved. That makes shadow AI harder to detect after the fact, and far harder to audit if something goes wrong.

In regulated environments, that combination – invisible data exposure and unattributed AI influence on decisions – is difficult to defend against.

Key reasons driving the rise of shadow AI

Three factors are driving the spread of shadow AI, and they’re not factors that policy alone is going to address.

  1. The first is that public AI tools are extraordinarily good at the kinds of tasks employees most want help with. Summarising long documents, drafting communications, analysing data, generating first drafts of code – the productivity gains are immediate and obvious. When the formal alternative is either nonexistent, slower, or harder to access, employees do what they’ve always done: use whatever works.
  2. The second is that AI capability has spread faster than AI governance. Most organisations are still designing the policies, accreditation processes, and sanctioned-tool lists they need to provide a credible alternative to public models. While that work is underway, the gap between what employees can do unofficially and what they’re allowed to do officially has widened. That gap is where shadow AI lives.
  3. The third is more cultural. There’s a strong message coming from boards and senior leaders that organisations need to “do something with AI” – and individual employees are often interpreting that message as permission to experiment. In many cases, they think they’re delivering what leadership has asked for. The disconnect between “we need to be using AI more” at board level and “but only in ways we’ve approved” at operational level is rarely communicated clearly enough to prevent that interpretation.


How organisations should respond to shadow AI

The instinct, when shadow AI is uncovered, is to clamp down. Block public tools at the network level, issue stronger policies, escalate enforcement. In our experience, that approach rarely works. The value employees are getting from AI is too obvious, and the workarounds are too easy. Bans tend to push the activity further underground rather than stop it.

A more sustainable approach focuses on visibility first, sanctioned alternatives second, and policy enforcement third.

Identify where shadow AI is most likely to exist

Start by understanding where shadow AI is most likely to be happening. Some functions – marketing, communications, research, software engineering, financial analysis – are far more exposed than others, simply because the work lends itself to AI assistance. Mapping that exposure honestly, rather than assuming the policy is being followed, is the first step. In most organisations, the picture is more widespread than expected.

Provide viable alternatives before enforcing policy

The fastest way to reduce shadow AI is to make the official route genuinely useful – approved tools, clear guidance on what can and can’t be shared with them, and minimal friction to access. Employees default to public tools because public tools work. If the sanctioned alternative is slower, less capable, or harder to get hold of, no amount of policy will close the gap.

If you’re evaluating AI tools and unsure which models are appropriate for different use cases, our blog How to Choose the Right AI Model for Your Project explores the key considerations.

Embed guidance into everyday workflows

Make expectations explicit at the point of use, not just in the handbook. Most employees don’t read AI policies. They read the warning on the screen when they’re about to paste something sensitive into a tool. Building those checkpoints into the workflow – through internal tooling, browser controls, or clear labelling of approved versus unapproved systems – does more to shape behaviour than a thousand-word policy document.
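One way to build such a point-of-use checkpoint, as an added example that is not from the original article: a browser-side function that a paste handler in an extension or internal web tool could call before text reaches an AI assistant. The hostnames, the allowlist of approved systems and the data patterns are constructed placeholders that IT would maintain.

```javascript
// Added example, not the article's code. Hostnames are constructed placeholders.
const APPROVED_AI_HOSTS = new Set(["assistant.corp.example"]);     // sanctioned tool
const KNOWN_PUBLIC_AI_HOSTS = new Set(["public-chatbot.example"]);  // unapproved public tool

// Luhn check so that arbitrary long digit runs are not reported as card numbers.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Lightweight detectors for data that should not leave the perimeter unreviewed.
// Returns the categories found, which is what the on-screen warning would name.
function findSensitiveData(text) {
  const findings = [];
  if (/\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/.test(text)) findings.push("email");
  // Simplified UK National Insurance number shape: two letters, six digits, suffix A-D.
  if (/\b[A-Z]{2}\d{6}[A-D]\b/i.test(text)) findings.push("ni-number");
  for (const m of text.matchAll(/\b(?:\d[ -]?){13,19}\b/g)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      findings.push("card-number");
      break;
    }
  }
  return findings;
}

// Decide at the moment of paste: "allow", "warn" (show the prompt described above)
// or "block". The findings are returned so they can be logged as governance signals.
function pasteCheckpoint(hostname, text) {
  const findings = findSensitiveData(text);
  if (APPROVED_AI_HOSTS.has(hostname)) {
    return { action: findings.length ? "warn" : "allow", findings, approved: true };
  }
  if (KNOWN_PUBLIC_AI_HOSTS.has(hostname)) {
    return { action: findings.length ? "block" : "warn", findings, approved: false };
  }
  return { action: "allow", findings, approved: false }; // not an AI tool as far as we know
}
```

The same function can feed the "shadow AI signals" discussed later: every "warn" or "block" decision is a data point about which teams need a sanctioned alternative.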

Use shadow AI signals to improve governance

Finally, treat shadow AI discovery as intelligence, not just a compliance issue. The fact that employees are reaching for AI tools in specific contexts tells you where the demand is, what problems they’re trying to solve, and where your sanctioned offering needs to improve. The organisations handling this well aren’t just shutting things down – they’re using the patterns they uncover to invest in better, safer alternatives.

None of this means shadow AI becomes acceptable. It just means the response has to recognise the reality: employees are already using AI to do their jobs, and the organisations that get this right are the ones that bring that activity into the open, rather than trying to legislate it out of existence. Outright prohibition doesn’t work; visibility, sanctioned alternatives, and clear expectations do.

Read the full report

This is one of five areas explored in our research report, AI under live load: How CTOs are deploying AI in regulated environments. The full report includes the data behind these findings and practical guidance for technology leaders navigating each one.


About the author

Hareem is a freelance writer for SaaS and technology companies. She has a knack for turning technical jargon into engaging stories and has helped many companies convey their brand message with clarity and impact.