The Rise of ‘Shadow AI’: Employees Embrace Unapproved Tools, Posing New Workplace Risks

A growing trend known as ‘Shadow AI’ is emerging in workplaces globally, as employees increasingly adopt unapproved artificial intelligence tools to boost productivity. This phenomenon, driven by the widespread availability and user-friendliness of AI, bypasses official IT governance and security protocols, creating significant risks for organisations.

• A substantial majority of employees, including cybersecurity professionals, are using unapproved AI tools at work.
• This ‘Shadow AI’ poses risks such as data exposure, misinformation, and AI-powered malware.
• Organisations need clear policies, employee education, and robust governance to manage these risks effectively.

Shadow AI refers to the unauthorised use of AI tools within organisations without IT approval or security oversight. Employees are independently adopting these tools to enhance productivity, often circumventing established governance processes. This trend is fueled by the accessibility of open-source AI platforms and user-friendly interfaces, creating a gap between what employees can access and what organisations can control.

While similar to ‘shadow IT’ (the unauthorised use of general technology), Shadow AI specifically targets AI programs and services. Unlike shadow IT, which might be used by tech-savvy individuals, shadow AI sees adoption across all employee roles, widening the potential attack surface. This necessitates a focused approach beyond traditional shadow IT solutions, including user education and tailored governance.

Several factors contribute to the rise of shadow AI:

• Widespread Availability: Modern AI tools require minimal technical expertise and can be accessed instantly.
• Insufficient Governance: Many organisations lack comprehensive AI policies, with leadership often having limited AI knowledge.
• Unmet Business Needs: Employees turn to AI tools to fill productivity gaps or automate tasks when approved solutions are inadequate.

The risks associated with shadow AI are significant and can compromise data security, operational integrity, and regulatory compliance. These include:

• Data Exposure: Sensitive company data, code, or customer information can be leaked into public training sets or exposed through misconfigured platforms. A real-world example involved a breach exposing millions of API keys due to a "vibe-coded" platform lacking essential security protocols.
• Misinformation and Agentic Manipulation: Autonomous AI agents, if fed misinformation or manipulated via prompt injection, can execute harmful actions without human oversight. Agentic browsers have shown vulnerabilities to indirect prompt injection, potentially leading to data leaks.
• AI-Powered Malware and Supply Chain Risks: Malware is evolving to weaponise AI tools, automating the theft of credentials and spreading through software supply chains. Attacks like s1ngularity and Shai-Hulud have demonstrated AI-powered malware hijacking developer tools to exfiltrate tokens and infect code packages.

Addressing shadow AI is crucial for reducing risk and enabling safer, more scalable AI adoption. Benefits of managing shadow AI include:

• Clear Visibility and Control: Gaining an accurate inventory of AI tools, data flows, and use cases.
• Reduced Security and Compliance Exposure: Limiting sensitive data exposure and lowering the likelihood of violations.
• Faster, Safer AI Enablement: Allowing teams to move quickly with approved tools and secure frameworks.
• Stronger Governance and Audit Readiness: Demonstrating compliance to regulators and auditors.
• Higher Employee Trust and Adoption: Signalling leadership’s support for responsible AI use.

Organisations can mitigate shadow AI risks by implementing best practices such as defining risk appetite, adopting an incremental governance approach, establishing a responsible AI policy, engaging employees in AI adoption strategies, and fostering cross-departmental collaboration.

Providing comprehensive training on AI risks and best practices, prioritising AI solutions by risk and business impact, and regularly auditing tool usage are also vital. Establishing clear accountability for AI governance and continuously updating these processes to adapt to the rapidly evolving AI landscape are essential for long-term success.

• What is Shadow AI? Why It’s a Threat and How to Embrace and Manage It, wiz.io.
• Mitigating the risks of employee AI use in the workplace, People Management.
• How to Handle Unsanctioned AI Tool Use at Your Company, Inc.com.