Shadow AI: What it is, its risks, and how it can be limited

We’re all aware that artificial intelligence (AI) has become a buzzword dominating conversations and headlines today, and it’s a transformative technology that many perceive in either a positive or negative light. From a business standpoint, organizations must now grapple with an increasingly common method of AI use in workplaces known as “shadow AI,” a practice that’s a variant of “shadow IT” and is being adopted by employees despite the risks that accompany it.  

Shadow AI vs. shadow IT: What’s the difference?  

Shadow AI is a term that refers to the unauthorized use and incorporation of AI tools within organizations without knowledge and approval from companies’ central IT or security functions. Within work environments, this can mean workers accessing generative AI (GenAI) platforms or large language models (LLMs) like ChatGPT to complete day-to-day tasks such as writing code, drafting copy, or creating graphics/images. On a broad level, doing so may seem harmless in the moment, but because IT departments aren’t aware of internal AI use, they’re often unable to monitor it, leaving businesses susceptible to increased risk of exploitation or involvement in legal issues.  

Similarly, shadow IT occurs when organizational employees build, deploy, or use devices, cloud services, or software applications for work-related activities without explicit oversight from IT. With the increasing prominence of different SaaS apps, users are finding it easier to quickly install and gain access to these tools without getting IT involved. In addition to such developments, the Bring Your Own Device (BYOD) trend has proven to be a major cause of shadow IT because even if a formal BYOD program exists, security teams may lack visibility into the services or apps being used, and implementing security protocols on workers’ personal devices can pose challenges.  

Shadow IT and shadow AI differ based on the types of technologies used. Shadow IT primarily involves the unapproved use of IT infrastructure and software, whereas shadow AI pertains to the use of AI without formal regulation by the organization’s security function.  

The dangers of shadow AI

Shadow AI can pose threats and challenges that organizations need to consider to protect themselves from potential ramifications. Some of the risks include:

• Compliance and regulatory issues. Because businesses are subject to governmental regulations surrounding AI (e.g. the European Union’s General Data Protection Regulation (GDPR)), unknown shadow AI deployments could potentially violate government policies, even if it’s done inadvertently, leading to unforeseen fines, legal repercussions, and possible reputational damage. Compliance problems also come into play when addressing the privacy policies of AI tools. Trusting that employees read and keep up to date with evolving privacy policies when using AI platforms complicates matters if an organization ends up involved in a regulatory breach.

• Unintended exposure of confidential information. While using AI chatbots, employees might unknowingly disclose sensitive IP or data to unsafe models, which leaves the door open for the information to land into the wrong hands, increasing the risk of cyberattacks or data leaks. For instance, OpenAI’s ChatGPT leak in early 2024 is a good example of the potential threats and consequences of undisclosed AI usage.  

• Inability of IT teams to properly assess the dangers. As we’ve been discussing, IT and security departments are generally unaware of unpermitted AI use in companies, so they can’t adequately gauge the dangers or even take the necessary steps to mitigate any risks. One of these risks can include personnel unintentionally incorporating inaccurate or false information produced by AI into their work or daily tasks.  

• The heightened risk of a cyberattack occurring. Say for example, a worker or software developer accidentally creates malicious code when using AI technology for coding purposes. One bug within AI-generated code can act as an opening for cybercriminals looking to exploit unnoticed vulnerabilities and execute a cyberattack.

Combating organizational use of shadow AI

1. Establish AI policies and rules. In order to limit shadow AI, organizations can start by creating a centralized governance framework that communicates clear guidelines for AI deployment across the company. Outlining compliance requirements and data usage policies can help ensure compliance with both internal and external regulations. Forming a proper governance structure can also involve requiring IT to review or approve projects involving AI so that regulatory standards can be met.

2. Promote awareness. Using training programs to educate employees about shadow AI-associated risks/consequences and the significance of adhering to company guidelines while using AI technologies can help enhance understanding around the topic. Educated teams will better understand the importance of compliance when working with AI.

3. Implement access controls. Having monitoring tools as well as access controls in place can help IT teams detect instances of shadow AI and place certain restrictions on AI platforms and unauthorized use within workplaces.