Is Shadow AI the New Shadow IT?
For decades, organizations struggled with Shadow IT as employees adopted unauthorized applications to solve business problems. Today, a new challenge is emerging. Employees are using ChatGPT, Copilot, custom GPTs, and AI agents to create business capabilities and embed AI into operational processes. While the technology has changed, the governance challenge remains.
As an IT consultant in the mid-1990s and early 2000s, I lived through the height of Shadow IT. PCs, departmental servers, Microsoft Access databases, and eventually SaaS applications allowed business units to bypass what were often slow and overly controlling IT processes. The business could move faster, build solutions more cheaply, and respond to opportunities without waiting for IT. It created tremendous innovation, but it also introduced governance, security, compliance, and operational risks that many organizations struggled to control.
Mission-critical systems were often found in closets, under desks, and in other inappropriate locations throughout the organization. In many cases, they were poorly secured, not backed up, and managed by a single individual. More than once, a critical business application was brought to its knees by something as simple as a power outage, a failed hard drive, or the accidental swipe of a janitor’s mop. The business gained speed and flexibility, but often at the expense of governance, security, resilience, and operational control.
Many of these systems eventually became operational resilience concerns. Organizations discovered that critical business services were dependent on technology assets that were undocumented, unsupported, and largely invisible to the rest of the enterprise. When they failed, business operations were disrupted, sometimes significantly.
I fear something similar is happening today. AI is everywhere. It’s in your browser, Microsoft Teams, most SaaS applications, your phone, and your PC. You can hardly escape it. The difference is that employees no longer need to buy a server, install software, or build an Access database. With a few prompts, they can create solutions that would have required a development team just a few years ago. That’s incredibly powerful, but it also raises some of the same governance, security, and resilience concerns that Shadow IT created decades ago.
What is Shadow IT?
Shadow IT is the deployment of mission-critical IT systems and digital processes without the knowledge, oversight, or governance of the IT organization.
Business units are often unaware of internal controls, security standards, backup and recovery requirements, operational resilience practices, and regulatory obligations, and their actions can expose the organization to significant operational, financial, regulatory, and reputational risk.
What Goes Around Comes Around
Shadow IT still happens today, but it is far less of a problem than it once was. The concern is that we may be witnessing the next wave: Shadow AI.
We are seeing rapid adoption of AI across organizations. Much of that adoption is occurring through sanctioned projects and approved tools, but I suspect there is even more unsanctioned use taking place behind the scenes, much of it without effective AI governance policies, oversight, or controls.
For all you know, employees may be uploading company information, some of it confidential or intended for internal use only, into various AI systems. While many users are acting with the best of intentions, they may not fully understand the privacy, security, regulatory, or intellectual property implications of what they are sharing.
Just as importantly, they may be using AI to make decisions, generate recommendations, create customer communications, or automate business activities without any formal review, testing, or governance. Sound familiar?
What is Shadow AI?
Shadow AI is the use of artificial intelligence technologies without the knowledge, oversight, or governance of the organization. Employees may use AI to create content, analyze data, generate insights, support decisions, build workflows, create AI agents, or automate business activities. Without appropriate governance and controls, these activities can expose the organization to financial, regulatory, operational, security, and reputational risk.
Is Shadow AI a Real Concern?
If this sounds theoretical, think again. There have already been cases where employees inadvertently exposed proprietary source code and confidential internal information by submitting it to generative AI platforms while attempting to debug software, summarize meetings, or improve productivity. The employees were not acting maliciously. They were simply trying to work more efficiently. The result was the disclosure of sensitive corporate information to a third-party AI platform and a subsequent tightening of AI policies and controls.
What makes these incidents noteworthy is that they were not cyberattacks, malicious insiders, or sophisticated threat actors. They were well-intentioned employees attempting to solve business problems and improve productivity. That is precisely what made Shadow IT so difficult to manage, and why Shadow AI may prove even more challenging.
What Risks Does Shadow AI Create?
The risks of Shadow AI fall into six broad categories:
- Financial Risk – Acting on inaccurate or poorly understood AI-generated recommendations, and unauthorized AI subscriptions and usage-based spending, can lead to increased costs, poor decisions, and lost revenue.
- Regulatory and Compliance Risk – Employees may inadvertently expose regulated information, violate internal policies, or make decisions that cannot be adequately explained or audited.
- Security and Privacy Risk – Proprietary information, customer data, intellectual property, and other sensitive information may be shared with external AI platforms without appropriate controls.
- Operational Risk – Critical business processes can become dependent on AI services that are inaccurate, unavailable, or outside organizational oversight.
- Reputational Risk – AI-generated communications, recommendations, or public-facing content may damage customer trust and organizational credibility.
- Governance Risk – AI agents, workflows, and decision-support tools may operate without clear ownership, accountability, monitoring, or oversight.
Given these risks, organizations should make the identification, understanding, and governance of Shadow AI a priority. The objective is not to eliminate AI usage, but to ensure it is adopted responsibly and within an appropriate governance framework.
How Can Organizations Govern Shadow AI?
Governance begins with awareness and communication. Employees are not intentionally looking to harm the organization, but if they are unaware of the risks, they are far more likely to make mistakes. Organizations should establish clear AI governance policies and ensure they are effectively communicated to staff. Incorporating AI into onboarding programs and ongoing security awareness training is a great place to start.
Assign ownership for AI Governance. If nobody owns the risk, then everyone shares it. Ensure there is a designated process owner for AI governance with the organizational authority, accountability, and resources to make governance a reality.
Organizations need visibility into how AI is being used. This includes understanding what AI tools are in use, what information is being shared, where AI is influencing decisions, and which business processes have become dependent on AI. Much of that visibility can come from records the organization already keeps: web proxy and CASB logs, OAuth consent grants in the identity provider, SaaS audit logs, and expense reports for AI subscriptions. You cannot govern what you cannot see.
Operationalize the governance of Shadow AI. You cannot rely solely on policies, standards, and documentation. AI governance must be embedded into existing risk management, information security management, privacy, compliance, and operational resilience processes. Clear ownership, effective execution, oversight, measurement, and continual improvement are essential as AI technologies evolve and new risks emerge. Governance should not be a one-time exercise. It must become an ongoing organizational capability.
Governance is not a document. It is a capability.
Can Architecture Protect Against AI Risks?
Architecture can help organizations govern approved AI solutions by providing visibility, logging, access controls, monitoring, data protection, and human oversight. Just as security became more effective when controls were embedded into systems, AI governance will increasingly rely on architectural controls rather than policies alone.
However, architecture is less effective against Shadow AI. Employees can access AI capabilities through browsers, mobile devices, SaaS applications, and embedded AI features that may exist outside approved platforms and governance processes. Before organizations can govern AI, they must first know where it is being used.
In many ways, Shadow AI presents the same challenge that Shadow IT did decades ago. The greatest risk is often not the systems that are known and governed, but the ones operating outside visibility and control.
Final Thoughts
I have seen this movie before.
Twenty-five years ago, business units were deploying servers under desks, building Access databases, and purchasing software without IT involvement. They were not trying to create risk. They were trying to get work done.
Today, employees are creating AI-powered capabilities, building AI agents, automating workflows, and embedding AI into business processes. Once again, they are not trying to create risk. They are trying to improve productivity and solve business problems.
From an operational resilience perspective, organizations should understand where AI is supporting critical business services, what dependencies exist, and how those services would continue to operate if an AI platform became unavailable or produced incorrect results. The goal is not to avoid AI, but to ensure that its use does not create hidden points of failure.
The technology has changed, but the governance challenges remain remarkably similar.
Organizations that succeed will not be the ones that attempt to stop AI. They will be the ones that provide clear governance, effective oversight, appropriate controls, and approved paths for responsible adoption. What goes around comes around. The question is whether we have learned anything from the last time.