A VP of marketing pastes a competitive analysis into ChatGPT to generate talking points for a board meeting. A financial analyst uploads quarterly revenue data to an AI tool to build a projection model. An HR manager uses an AI screening service to filter resumes for a senior hire. A software engineer uses an unapproved coding assistant with access to the company’s proprietary codebase.
None of these tools were vetted by IT. None were reviewed by legal. None comply with the organization’s data handling policies. And in every case, the employee believes they are being more productive.
This is shadow AI — and according to Gartner, it represents more than half of all enterprise AI usage in the United States.
Key takeaways
- Gartner estimates that over 55% of enterprise AI usage is shadow AI — tools used without organizational approval
- Shadow AI creates data leakage, compliance, IP, and regulatory risks that traditional IT controls do not catch
- The SEC, FTC, and state regulators are creating liability for organizations that fail to manage AI use
- Banning AI does not work — the solution is approved tools, clear policies, and workforce training
The scale of the problem
Shadow IT has been a challenge for decades. But shadow AI is qualitatively different — and the scale is staggering.
Gartner (2025) estimates that 55% of enterprise AI usage in the US is unauthorized, up from 30% in 2023. The acceleration tracks with the explosion of free and freemium AI tools — ChatGPT, Google Gemini, Claude, Perplexity, Midjourney, and hundreds of specialized tools that require nothing more than an email address to access.
Forrester (2025) found that the average Fortune 500 employee uses 3.2 AI tools that have not been approved or reviewed by their employer. Among knowledge workers, that number rises to 5.1.
Microsoft’s Work Trend Index (2024) reported that 78% of AI users bring their own AI tools to work, and 52% are reluctant to disclose their AI usage for fear of being perceived as replaceable.
This means the majority of AI activity in your organization is invisible to IT, unknown to legal, and unmanaged by compliance.
55% of enterprise AI usage in the US is shadow AI — tools used without IT knowledge or organizational approval (Source: Gartner, 2025)
Why shadow AI is more dangerous than shadow IT
Shadow IT — employees using unapproved Dropbox accounts or Slack workspaces — was manageable because the risk was primarily data storage and access control. Shadow AI is different in four critical ways:
1. Instant, irreversible data exposure. When an employee pastes data into an AI tool, that data is transmitted to a third party instantly. Depending on the tool’s terms of service, it may be stored, used for model training, or accessed by the vendor’s staff. You cannot recall it.
2. AI outputs carry organizational risk. When an employee uses an AI-generated analysis in a client presentation, financial model, or regulatory filing, the organization is liable for the output’s accuracy — even though it was never reviewed or approved.
3. Regulatory liability is expanding. The FTC has made clear that organizations are responsible for AI-generated claims and decisions. The SEC expects disclosure of material AI risks. State laws like the Colorado AI Act create specific obligations around AI governance. Shadow AI creates compliance gaps across all of these.
4. The tools are designed to be invisible. Unlike shadow IT (which often required installation), AI tools are browser-based, account-free (in many cases), and leave minimal traces in traditional IT monitoring systems.
The risk taxonomy
Data leakage
The most immediate risk. Employees routinely enter the following into unapproved AI tools:
- Customer personal data (names, emails, financial records)
- Proprietary business data (revenue figures, strategic plans, pricing models)
- Source code and intellectual property
- Legal documents and attorney-client privileged material
- Employee personal data (performance reviews, compensation data)
A single incident can trigger breach notification obligations under state data breach laws (all 50 states have them), HIPAA (for healthcare data), GLBA (for financial data), or CCPA/CPRA (for California consumer data).
Intellectual property exposure
When employees input proprietary information into AI tools, the organization may lose IP protections:
- Trade secret status can be destroyed if information is shared with a third party without adequate protections
- Patentable ideas disclosed through AI tools may affect novelty claims
- Copyright ownership of AI-assisted outputs is uncertain under current US law (Thaler v. Perlmutter, 2023)
Compliance and regulatory risk
Shadow AI creates specific compliance gaps:
- SEC: Public companies that fail to disclose material AI risks — including unmanaged shadow AI — may face securities fraud claims.
- FTC: AI-generated content or decisions that are deceptive or unfair create FTC Act Section 5 liability.
- EEOC: AI tools used in hiring without bias audits violate Title VII disparate impact principles.
- NIST AI RMF: The Govern function requires organizational oversight of all AI use. Shadow AI by definition circumvents this.
- State laws: Colorado AI Act, NYC Local Law 144, and emerging state regulations all require documented AI governance.
3.2 unapproved AI tools used by the average Fortune 500 employee — and 5.1 among knowledge workers (Source: Forrester Research, 2025)
Reputational risk
When a shadow AI incident becomes public — a data leak, a hallucinated client deliverable, a biased hiring decision — the organizational damage extends beyond the immediate incident. Customers, partners, regulators, and investors all ask the same question: “How did you not know this was happening?”
Shadow AI is not primarily a technology problem. It is a governance and culture problem. Employees use unapproved tools because they want to be more productive and either do not have approved alternatives or do not know the rules. Punishment-first approaches drive AI use further underground.
How to detect shadow AI
Traditional IT monitoring misses most shadow AI because the tools are browser-based and often do not require installation. A comprehensive detection strategy includes:
1. Network traffic analysis. Monitor DNS requests and HTTPS traffic for known AI service domains (api.openai.com, gemini.google.com, claude.ai, etc.). This catches usage on managed devices.
2. Browser extension audits. Many AI tools operate as browser extensions. Regular audits of installed extensions across managed browsers identify unapproved tools.
3. SaaS management platforms. Tools like Productiv, Zylo, and Torii can detect AI SaaS usage by analyzing OAuth connections, SSO logs, and expense reports.
4. Anonymous surveys. Ask employees what AI tools they use and why. Guarantee anonymity. The goal is visibility, not punishment. You will be surprised by the results.
5. Expense and procurement data. AI subscriptions often appear on corporate cards or expense reports. A $20/month ChatGPT Plus subscription is a signal.
6. Cloud access security brokers (CASBs). Configure CASBs to detect and control data flow to AI services, with policies that block sensitive data transmission.
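The network traffic analysis step above can be prototyped against DNS or web-proxy logs. The following is an added example, not code from the original article: it matches queried hostnames against a watchlist (api.openai.com, gemini.google.com and claude.ai are taken from the article; the openai.com parent entry, perplexity.ai and midjourney.com are assumptions), separates hits on an approved tool from unsanctioned ones, and aggregates the rest per user. The four-field log format and the sample lines are constructed for the example.

```python
"""Scan DNS or web-proxy log lines for known AI service domains.

Added example (not code from the original article). It implements the
"network traffic analysis" detection step by matching queried hostnames
against a watchlist. The log format below is constructed for the example:
    <timestamp> <source-host> <user> <queried-domain>
Real resolver or proxy logs need their own parser.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Watchlist of AI service domains -> human-readable tool name.
# api.openai.com, gemini.google.com and claude.ai come from the article; the
# others are assumptions added for the example. A queried name matches if it
# equals an entry or is a subdomain of one (chat.openai.com matches openai.com).
AI_SERVICE_DOMAINS: Dict[str, str] = {
    "api.openai.com": "OpenAI API",
    "openai.com": "ChatGPT / OpenAI",       # assumption: parent-domain entry
    "gemini.google.com": "Google Gemini",
    "claude.ai": "Anthropic Claude",
    "perplexity.ai": "Perplexity",          # assumption
    "midjourney.com": "Midjourney",         # assumption
}

# Domains the organization has approved (constructed: e.g. an enterprise API
# contract). Hits here are reported separately so only unsanctioned use is
# counted as shadow AI.
APPROVED_DOMAINS = {"api.openai.com"}


def classify_domain(fqdn: str) -> Optional[Tuple[str, str]]:
    """Return (matched watchlist entry, tool name), or None if not on the list.

    Walks from the full name up through its parent domains, so the most
    specific watchlist entry wins (api.openai.com before openai.com).
    """
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in AI_SERVICE_DOMAINS:
            return candidate, AI_SERVICE_DOMAINS[candidate]
    return None


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, host, user, domain = parts
    return {"ts": ts, "host": host, "user": user, "domain": domain}


def scan_dns_log(text: str) -> Dict[str, object]:
    """Classify every line and aggregate shadow-AI signals per user."""
    unapproved: List[Dict[str, str]] = []
    approved: List[Dict[str, str]] = []
    by_user = defaultdict(set)
    skipped = 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            skipped += 1          # malformed input is counted, never silently dropped
            continue
        match = classify_domain(rec["domain"])
        if match is None:
            continue              # ordinary traffic, not an AI service
        entry, tool = match
        hit = dict(rec, tool=tool)
        if entry in APPROVED_DOMAINS:
            approved.append(hit)
        else:
            unapproved.append(hit)
            by_user[rec["user"]].add(tool)
    return {
        "unapproved": unapproved,
        "approved": approved,
        "by_user": {u: sorted(t) for u, t in by_user.items()},
        "skipped": skipped,
    }


# Constructed sample log for the example (not real traffic).
SAMPLE_LOG = """\
2025-03-04T09:12:01Z ws-042 j.doe chat.openai.com
2025-03-04T09:12:05Z ws-042 j.doe cdn.openai.com
2025-03-04T09:14:22Z ws-107 a.lee claude.ai
2025-03-04T09:15:00Z ws-107 a.lee mail.example.com
2025-03-04T09:16:48Z ws-210 svc-build api.openai.com
2025-03-04T09:17:30Z ws-042 j.doe gemini.google.com
2025-03-04T09:18:02Z ws-311 m.chen perplexity.ai
malformed line
"""


def report(text: str = SAMPLE_LOG) -> str:
    """Render a short summary suitable for a weekly shadow-AI review."""
    result = scan_dns_log(text)
    lines = [f"Unapproved AI hits: {len(result['unapproved'])}",
             f"Approved AI hits:   {len(result['approved'])}",
             f"Malformed lines:    {result['skipped']}"]
    for user, tools in sorted(result["by_user"].items()):
        lines.append(f"  {user}: {', '.join(tools)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

A hit means a managed device resolved an AI service, not that sensitive data was entered; treat the per-user list as a trigger for the survey and policy conversation the article recommends, not as evidence. The method only sees devices whose DNS or proxy traffic you log, so encrypted DNS, personal phones and home networks fall outside it, which is why the article pairs it with CASB controls, SaaS management platforms and anonymous surveys.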
The management framework
Detecting shadow AI is step one. Managing it requires a structured approach:
Step 1: Acknowledge the reality
Shadow AI exists in your organization. Pretending otherwise, or issuing blanket bans, does not solve the problem. Start from a position of pragmatism.
Step 2: Provide approved alternatives
The number-one driver of shadow AI is unmet need. If employees need AI writing assistance, give them an approved tool with enterprise data protections. If developers need coding assistance, provide GitHub Copilot or an equivalent with appropriate guardrails.
Step 3: Establish clear policies
Develop and publish an AI acceptable use policy that defines what tools are approved, what data can be used, and what oversight is required. Make it practical, not prohibitive.
Step 4: Train your workforce
Most shadow AI occurs because employees do not understand the risks. An AI training program that covers data handling, tool evaluation, hallucination awareness, and your organization’s AI policy eliminates the majority of shadow AI risk.
Step 5: Monitor continuously
Shadow AI is not a one-time audit. New tools launch weekly. Establish ongoing monitoring and regular reassessment.
Start your shadow AI response with the highest-risk teams: those handling customer PII (sales, customer service), financial data (finance, accounting), legal data (legal, compliance), and employee data (HR). These are where shadow AI creates the most severe regulatory and reputational exposure.
Build an AI-literate workforce with Brain
Shadow AI thrives in organizations where employees lack AI training. Brain changes that with practical, role-specific modules on data handling, AI governance, tool evaluation, hallucination recognition, and your organization’s AI policy. Your employees learn to use AI responsibly — and the shadow AI problem solves itself.
Explore our plans to get started.