AI is a revolutionary technology transforming virtually every industry and reshaping the work experience. Like all emergent tech, it carries risks, and the unauthorized use of AI tools is one of the most significant. Employees using insecure AI platforms can inadvertently reveal sensitive data, run afoul of regulations, or invite legal disputes. Employees are increasingly taking advantage of AI-enabled tools that have not been validated as safe for their work environment. This use of AI tools outside the organization's approval and control is referred to as Shadow AI.
To safely use generative AI tools like ChatGPT or Copilot, businesses need programs that govern their secure and ethical use. But some AI risks may be baked into programs that you don't think of as AI at all. On average, mid-sized companies use approximately 150 SaaS tools. In 2025, roughly 35% of those feature AI technology, meaning a company that doesn't consider itself AI-enabled may have as many as 50 AI applications running that are not being governed. Controlling the associated risks means that companies must review their SaaS programs, determine which employ AI components, and manage the related risks. This form of Shadow AI is likely to worsen as SaaS applications continue to build out AI-powered features.
Shadow AI Exposure
Cisco revealed that, as of May 2025, approximately 60% of organizations report that they may be unable to identify the use of Shadow AI. Meanwhile, SecurityWeek published an April report indicating that, by October 2024, up to 50% of employees used unapproved AI tools. With the rate of AI adoption growing, that figure could be significantly higher in mid-2025.
Shadow AI Risks
According to TechNewsWorld.com, more than 73% of work-related ChatGPT queries were processed using accounts that were not approved for corporate use. As a result, even organizations that have implemented risk controls (for example, by managing and configuring a corporate account for employees to use) may remain exposed to AI-related risks: biased output, noncompliance with regulations such as GDPR or HIPAA, or the provider retaining the employee's inputs or surfacing them in future responses, because a personal account falls outside the data-handling terms the organization negotiated.
Real World Impact of Shadow AI
The data-security incidents, reputational damage, and monetary costs associated with Shadow AI regularly make headlines, including:
- Samsung banned ChatGPT after its unauthorized use led to sensitive data leaking.
- An attorney faced $31,000 in fines after submitting “bogus AI-generated research.”
- In a settlement, a tutoring company paid $365,000 to job applicants who were negatively affected by AI bias.
Reduce Shadow AI Risks
To control the use of AI, businesses should take the following steps.
- Take Inventory: To manage Shadow AI you first have to see it. Use capable tools that may already be in your environment (e.g., Microsoft Defender, a CASB, or your web-proxy and DNS logs) or products designed to identify Shadow AI (e.g., BetterCloud, Torii). Inventory both standalone AI services and the SaaS tools that embed AI features, since the latter are easy to overlook.
- Create an Acceptable Use Policy: Communicate with employees, contractors, and third parties and outline how they can safely and responsibly use AI in compliance with organizational policies. Clear communication and thorough policies can help prevent misuse and ensure compliance. Prevent confusion and match the pace of developments in the AI industry by routinely updating policies.
- Establish an Intake and Approval Process: Establish a process for assessing and approving AI use cases and tools and let everyone within your organization know how to request access to new tools.
- Expand Third-Party Risk Management Efforts: Reevaluate your Third-Party Risk Management (TPRM) strategy to apply to AI. Ask potential vendors whether their tools use AI and, if so, how their AI governance program minimizes potential risks, including whether customer inputs are retained or used to train models. Look for ISO/IEC 42001 certification, or at the very least, demonstrable compliance with the NIST AI Risk Management Framework.
- Offer Employees a Secure Platform: Employees are likely to find a way to use AI. Give them a safe, secure, and internally sanctioned AI platform to reduce the inclination to turn to Shadow AI.
- Training and Education: Offer the training necessary to recognize and manage AI risks.
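To make the inventory step concrete, here is an added example that is not from the article or from any product it names. It scans constructed web-proxy log lines for traffic to generative-AI services and to SaaS tools with embedded AI features, then reports which users are sending data to services that have not been sanctioned and how much they have submitted. The log format, the user names, the catalog of hostnames, the hypothetical SaaS hosts and the choice of Copilot as the sanctioned platform are all assumptions made for illustration; a real deployment would maintain the catalog from its CASB or vendor questionnaires.

```python
"""Added example: build a Shadow AI inventory from web-proxy logs.

Not from the article or from any product it names. The log format, user
names, host catalog and sanctioned platform are assumptions for illustration.
"""
import re

# Generative-AI services keyed by hostname (illustrative starting point, not exhaustive).
AI_SERVICES = {
    "chatgpt.com": "ChatGPT",
    "chat.openai.com": "ChatGPT",
    "api.openai.com": "OpenAI API",
    "copilot.microsoft.com": "Microsoft Copilot",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
}

# SaaS tools that embed AI features (hypothetical hostnames).
AI_EMBEDDED_SAAS = {
    "notes.example-saas.com": "ExampleNotes (AI summaries)",
    "crm.example-crm.com": "ExampleCRM (AI assistant)",
}

# Assumption: Copilot is the platform approved through the intake process.
SANCTIONED_HOSTS = {"copilot.microsoft.com"}

# Constructed log format: timestamp user source_ip METHOD url status request_bytes
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Constructed sample log, including one malformed line the parser must skip.
SAMPLE_LOG = """\
2025-06-02T09:14:03Z alice 10.0.0.12 POST chatgpt.com/backend-api/conversation 200 5120
2025-06-02T09:15:40Z alice 10.0.0.12 GET copilot.microsoft.com/c/api/conversations 200 812
2025-06-02T09:16:11Z bob 10.0.0.25 POST api.openai.com/v1/chat/completions 200 2048
2025-06-02T09:17:55Z carol 10.0.0.31 GET intranet.corp.example/home 200 300
2025-06-02T09:18:02Z carol 10.0.0.31 POST notes.example-saas.com/api/summarize 200 14000
2025-06-02T09:20:17Z bob 10.0.0.25 POST claude.ai/api/append_message 200 9000
2025-06-02T09:21:49Z dave 10.0.0.40 POST copilot.microsoft.com/c/api/conversations 200 700
this line is malformed and must be skipped rather than crash the scan
2025-06-02T09:25:00Z alice 10.0.0.12 POST chatgpt.com/backend-api/conversation 200 6100
"""


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # Strip path and port (IPv4/DNS hosts only; bracketed IPv6 is not handled here).
    host = m["url"].split("/", 1)[0].rsplit(":", 1)[0].lower()
    return {"user": m["user"], "method": m["method"], "host": host, "bytes": int(m["bytes"])}


def classify(host):
    """Match the host or any parent domain against the catalogs.

    Returns (kind, service_name) or None when the host is not an AI destination.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in AI_SERVICES:
            kind = "sanctioned_ai" if candidate in SANCTIONED_HOSTS else "unsanctioned_ai"
            return kind, AI_SERVICES[candidate]
        if candidate in AI_EMBEDDED_SAAS:
            return "ai_embedded_saas", AI_EMBEDDED_SAAS[candidate]
    return None


def build_inventory(log_text):
    """Aggregate per-service usage: distinct users, requests, and data submitted."""
    inventory = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec["host"])
        if hit is None:
            continue
        kind, service = hit
        entry = inventory.setdefault(
            service, {"kind": kind, "users": set(), "requests": 0, "submissions": 0, "bytes_sent": 0}
        )
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] in ("POST", "PUT"):  # request bodies are where data leaves the company
            entry["submissions"] += 1
            entry["bytes_sent"] += rec["bytes"]
    return inventory


def shadow_ai_findings(inventory):
    """Everything that is not the sanctioned platform, largest data egress first."""
    findings = [
        {"service": name, "kind": e["kind"], "users": sorted(e["users"]),
         "requests": e["requests"], "submissions": e["submissions"], "bytes_sent": e["bytes_sent"]}
        for name, e in inventory.items() if e["kind"] != "sanctioned_ai"
    ]
    return sorted(findings, key=lambda f: (-f["bytes_sent"], f["service"]))


if __name__ == "__main__":
    for f in shadow_ai_findings(build_inventory(SAMPLE_LOG)):
        print(f"{f['kind']:<18} {f['service']:<28} users={','.join(f['users'])} "
              f"submissions={f['submissions']} bytes_sent={f['bytes_sent']}")
```

Run against the constructed log, the report lists the AI-embedded SaaS tool first because it received the most submitted data, which is exactly the class of tool the article warns is easy to miss; the sanctioned Copilot traffic is counted in the inventory but kept out of the findings so it can be compared against the approved-use baseline.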
Adopt AI Frameworks and Regulations
Leverage established AI best practices and watch evolving laws and regulations related to AI to design policies that meet industry standards. The following frameworks and standards can be used to shape effective policies:
- NIST AI RMF and ISO/IEC 42001
- EU AI Act
- NYC Local Law 144 and Colorado AI Act
Conclusion
Shadow AI can undermine security, derail compliance, and challenge operational integrity. Implement the strategies outlined above to apply thoughtful governance in addressing the problem. Understand that it is futile to block access to innovative tools outright, but rewarding to guide their use so AI is used responsibly. Shine a light on Shadow AI and build a functional framework for the successful implementation of AI tools.
© Copyright CBIZ, Inc. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization.
“CBIZ” is the brand name under which CBIZ CPAs P.C. and CBIZ, Inc. and its subsidiaries, including CBIZ Advisors, LLC, provide professional services. CBIZ CPAs P.C. and CBIZ, Inc. (and its subsidiaries) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations, and professional standards. CBIZ CPAs P.C. is a licensed independent CPA firm that provides attest services to its clients. CBIZ, Inc. and its subsidiary entities provide tax, advisory, and consulting services to their clients. CBIZ, Inc. and its subsidiary entities are not licensed CPA firms and, therefore, cannot provide attest services.