The Pragmatic CIO logo The Pragmatic CIO

2026-02-03

Shadow IT never left — it just upgraded to Shadow AI

Shadow AI is becoming the next major governance challenge as employees and executives adopt unsanctioned AI tools faster than organisations can control them.

AIShadow AICIOCybersecurityEnterprise ITGovernanceTISAXISO27001ITARTechnology Leadership
Download PDFDownload EPUBMarkdown
Verification files
Markdown SHA256Markdown signaturePDF SHA256PDF signatureEPUB SHA256EPUB signaturePublic signing key
Shadow IT never left — it just upgraded to Shadow AI

If you thought procurement workflows and SaaS whitelists had Shadow IT under control, think again.

It’s back in a bigger form:

Shadow AI

Unsanctioned generative-AI tools are now woven into day-to-day work without approval, logging, or guardrails.

And the numbers are not comforting.

Research cited by BlackFog suggests:

  • 49% of employees admit adopting AI tools without approval
  • many paste sensitive context into free-tier services
  • 69% of presidents/C-suite leaders tolerate it
  • 66% of directors and senior VPs tolerate it

…because speed is increasingly being prioritised over privacy.

That is not a rogue edge case.

That is leadership signalling.

By the Numbers

  • Data breaches involving Shadow AI cost, on average, approximately €570,000 more than other incidents according to IBM.
  • 1 in 5 breaches now stems from unauthorised AI usage.
  • Over 40% of SaaS applications operate without formal IT approval according to IDC.
  • 41% of employees already acquire or build technology outside IT visibility.
  • IEEE Computer Society projections suggest that figure could reach 75% by 2027.

Why This Is Worse Than Classic Shadow IT

Free Tiers Train on Inputs

Many low-tier or free AI platforms learn from what users paste into them.

Once sensitive material enters the model ecosystem:

  • you often cannot retrieve it
  • cannot fully audit it
  • and cannot guarantee deletion

Ambiguous Leadership Signals

When executives quietly use unapproved tools themselves, policies collapse by example.

Culture always follows behaviour faster than documentation.

Compliance Blind Spots

Uncontrolled AI usage increasingly collides with:

  • GDPR
  • HIPAA
  • SOX
  • TISAX
  • ISO27001
  • CCPA

…long before a formal breach occurs.

Where It Shows Up — And Why It Bites

Prototypes & Confidentiality (TISAX)

Early-access designs, customer co-development artefacts, trial-run photographs and restricted engineering material pushed into public LLMs for:

  • redlining
  • summarisation
  • marketing drafts

This directly conflicts with:

  • restricted/secret handling
  • controlled exchange requirements
  • prototype protection obligations

Supply Chain & Sourcing (ITAR)

Buyers using consumer AI translators or public LLMs for:

  • supplier contracts
  • export-controlled specifications
  • pricing models
  • sourcing comparisons

Shadow AI scrapers tracking competitors using reused corporate credentials are also appearing.

This creates:

  • third-party exposure
  • residency ambiguity
  • lawful processing concerns

Engineering & Design (PLM/CAD/CAM)

Uploading:

  • CAD models
  • BOMs
  • CNC programmes
  • digital twin exports
  • tolerance stacks

…into free AI systems for “quick reviews” or translation assistance.

Also increasingly common:

  • unapproved plug-ins inside PLM/ECAD environments
  • vendor AI assistants analysing proprietary drawings without DPAs

This creates:

  • IP exposure
  • export-control concerns
  • supplier governance gaps
  • asset inventory failures

A Pragmatic Path Forward

The solution is not pretending Shadow AI can be banned out of existence.

The solution is replacing shadow usage with safer defaults.

1. Publish a Short, Human Policy

Two to three pages maximum.

Define:

  • what is encouraged
  • what is prohibited
  • what requires disclosure

Examples help far more than legal prose.

2. Offer Approved Enterprise AI — Fast

Choose platforms that support:

  • training opt-out
  • residency controls
  • low retention windows
  • SSO integration
  • logging
  • DLP integration

People use what is fastest.

Make the safe path the easiest path.

3. Create a Two-Week Intake Process

If teams demonstrate measurable value:

  • give them a sandbox
  • define guardrails
  • avoid forcing workarounds

Slow governance creates Shadow AI.

4. Instrument First, Then Iterate

Use:

  • DNS telemetry
  • HTTP telemetry
  • CASB visibility

…to establish:

  • sanctioned flows
  • unsanctioned flows
  • data leakage patterns
  • adoption trends

Report:

  • value delivered
  • blocked events
  • hours saved
  • cycle-time reductions

5. Train by Role, Not by Fear

Short role-specific playbooks outperform generic awareness sessions.

Show:

  • green examples
  • amber examples
  • red examples

Most importantly:

show how the approved route is faster than the unsafe one.

Bottom Line

Shadow AI is not happening because employees are reckless.

It is happening because organisations have not met people where the work already is.

If leadership signals that speed matters more than privacy, staff will optimise for speed.

Replace ambiguity with:

  • clear rules
  • safe defaults
  • measurable outcomes
  • usable approved tooling

…and you can convert shadow usage into sanctioned advantage without pretending the risk does not exist.

Sharing is caring

Related reading