AI Glossary
Shadow AI
hidden AI, AI outside IT control, shadow AI, shadow IT
Shadow AI is the use of AI tools within an organization outside the knowledge and control of its IT and security teams. It creates risks of data leakage, compliance breaches, and a lack of visibility into what data reaches external models and for what purpose.
- Shadow AI is employees' use of AI tools without the knowledge and approval of IT and security.
- The main risks are leakage of company data to external models, compliance breaches, and no audit trail of usage.
- The answer isn't a ban, but governance: a tool registry, clear rules, and approved, secure alternatives.
Shadow AI is the phenomenon where employees use artificial-intelligence tools (chatbots, text generators, browser plugins, assistants embedded in other software) without the knowledge or approval of IT and security teams. The name echoes the broader concept of shadow IT, that is, software and services used in an organization without being sanctioned or managed by it. It usually doesn't stem from bad intentions: someone wants to get a task done faster and pastes company data into a public tool without knowing how that data is processed, where it is stored, or whether the provider retains it.
The problem is primarily about data and compliance. Content fed into an external model leaves the organization's controlled environment and is handled under the provider's terms, which undermines data protection and may breach the GDPR, sector regulations, or contractual obligations to clients, especially when the pasted content is personal data, source code, or client material. The absence of a registry of such tools also means the organization can't carry out a sound AI audit, has no log of what was shared, and can't answer the basic question of where and for what purpose AI is actually being used.
An effective response is rarely an outright ban, since a ban usually drives usage even deeper into the shadows while leaving the underlying need unmet. In practice, organizations roll out AI governance: an inventory of the tools in use, clear rules on which categories of data may be shared with which tools, and approved, secure alternatives (typically enterprise-licensed tools with contractual commitments on data retention and training) that meet the employees' real need without putting the company at risk.
Related terms