Here’s something most leadership teams don’t want to hear: your employees are almost certainly using AI tools you haven’t approved. They’re doing it because those tools work, they’re free, and they’re right there in a browser tab.
This is Shadow AI. And based on everything I’m seeing across clients and conversations right now, it’s one of the most underestimated operational risks in business today.
A 2025 WalkMe survey found that 78% of employees admit to using AI tools not approved by their employer. That’s the majority of your workforce, quietly building their own AI stack, outside your visibility, outside your contracts, and outside your control. Understanding what that means, and what to do about it, is where most organisations need to start.
What Shadow AI actually is
Shadow AI is the use of AI tools by employees without approval, visibility, or guardrails from the organisation.
It looks like this: an HR manager drafting dismissal letters in ChatGPT. A recruiter uploading CVs to an AI screening tool they found online. A sales rep pasting a client’s CRM export into a copilot to summarise it faster. A marketer generating campaign copy with a customer brief attached.
None of these people are trying to cause harm. They’re trying to do their jobs better and faster. That intent is good. The side effects can be serious.
The moment sensitive data leaves your systems and enters a public AI tool, you lose control over where it goes, how it’s stored, and whether it ever comes back. GDPR doesn’t care that the intention was innocent.
Shadow AI is, in short, productivity running ahead of governance. And right now, it’s running very fast.
How to spot it fast
The honest challenge with Shadow AI is that it’s invisible by design, not by malice. It lives in browser tabs, not procurement logs. But there are reliable signals if you know where to look.
Signals HR and managers should watch:
- Work output speeds up sharply, but process documentation stays vague
- Employees say “I used a tool” without naming which one
- Copy, code, or analysis looks consistent across people who usually write very differently
- Browser and IT logs show frequent access to public AI tools
- Sensitive data appears summarised or rewritten outside official systems
Simple detection actions you can take this week:
- Run a short anonymous pulse survey: “Which AI tools do you use at work today?”
- Ask teams to map one recent task and identify where data left your systems
- Review browser and network access for known AI tools, not as a witch hunt, just for visibility
- Add one question to performance reviews: “Which tools help you work faster?”
The critical point here: if you don’t ask, you won’t see it. Most Shadow AI isn’t hidden deliberately. It exists in a space where nobody thought to look.
How to assess the risk in under two minutes
Not all Shadow AI carries the same exposure. The risk depends on three things, and you can assess any use case in about 90 seconds using this filter.
| Question | Lower risk | Higher risk |
| Data sensitivity | Public or internal-only data | Personal, HR, client, financial, or strategic data |
| Decision impact | Drafting, ideation, formatting | Hiring, firing, pricing, scoring, legal decisions |
| Tool control | Enterprise AI with contracts and logging | Free public tools with unknown data retention |
If two or more of your answers fall in the higher-risk column, you have a real exposure, not a theoretical one.
IBM research from late 2025 found that while 80% of office workers use AI in their roles, only 22% rely exclusively on employer-provided tools. The gap between those two numbers is where Shadow AI lives, and where your risk accumulates.
The cost of getting this wrong isn’t abstract either. Reco’s State of Shadow AI Report identified organisations averaging 269 unsanctioned AI tools per 1,000 employees in smaller businesses, often with no security resource in place to manage them.
Which organisations are most exposed
Shadow AI doesn’t affect every business equally. Some are sitting on significant exposure and may not realise it yet.
| Higher risk | Lower risk |
| HR-heavy organisations handling CVs, reviews, health data, or payroll | Small teams using AI only for ideation on non-sensitive topics |
| Sales and marketing teams working with client lists and CRM exports | Organisations with documented AI policies and approved tools already in place |
| Regulated sectors: finance, healthcare, education, public sector | Teams where data classification is clear and well-understood |
| Fast-growing companies with lean IT governance |
A 2026 BlackFog study found that 60% of employees believe using unsanctioned AI tools is worth the security risk if it helps them work faster or meet deadlines, with senior leaders even more likely than junior staff to hold this view.
That last finding matters. Shadow AI grows fastest where pressure is high and guidance is low, and that often includes the people at the top of the org chart.
Want to get ahead of Shadow AI in your organisation?
We’ve put together a practical workbook for managers and decision- makers who want to build a real AI framework.
AI in practice: understand, decide, structure walks you through how to define the right problem, assess your data, identify risk, and decide where AI actually makes sense for your team.
What to do next: a practical three-week plan
The instinct when you discover Shadow AI is to ban everything. That instinct tends to backfire. Bans without alternatives don’t stop behaviour, they push it further underground.
Here’s a more effective sequence.
Week 1: create clarity
- Publish a one-page rule. What data is never allowed in public AI tools. Keep it simple enough that anyone can apply it without asking a manager.
- Name two to three approved AI tools people may use today. Give people a sanctioned path forward, not just a closed door.
Week 2: build visibility
- Train managers to ask the right question: “What tool helped you do this?” Normalise the conversation without attaching penalties to honesty.
- Create a safe channel for employees to declare AI use without fear of consequence. You want transparency, not compliance theatre.
Week 3: replace bans with better options
- If people are consistently working around a rule, your approved toolset is the problem. Identify the gaps and fill them.
- Log and review AI tool usage quarterly, the same way you’d review any other operational risk. This doesn’t need to be complex. It just needs to happen.
UpGuard research found that more than 80% of workers use unapproved AI tools at work, with security professionals among the most likely to do so. The pattern is consistent: the more capable someone is, the more likely they are to find their own solution when the official one falls short. Build an AI environment your best people actually want to use.
Shadow AI isn’t going away. Governance is the answer.
The organisations that manage Shadow AI well are the ones that got honest about what was already happening, built practical frameworks to assess it, and gave employees better options.
Shadow AI is a signal. It tells you where your people need tools, where your governance has gaps, and where your data is more exposed than you think. Used well, it’s a diagnostic. Ignored, it becomes a liability.
Three things to take away from this:
- Most organisations already have Shadow AI in use. Getting visibility over it is the first practical step.
- Risk assessment doesn’t have to be complicated. Three questions, applied consistently, will cover most use cases.
- The goal is to make the sanctioned path more attractive than the unsanctioned one.
If you’re thinking through your organisation’s AI governance posture and want a second perspective, get in touch with our team. We’ve been navigating these questions with clients across sectors, and there’s usually more low-hanging fruit than people expect.
