Shadow AI: what your team is already using
About half your team is using AI you never approved, and the heaviest users are often your executives. Banning it backfires. Here's the grown-up response, and the 2025 numbers behind it.
Ask a business owner which of their people is most likely to be using AI tools nobody approved, and they'll usually picture a junior staffer cutting a corner. The research says otherwise. When the security firm UpGuard surveyed organisations in 2025, the heaviest users of unsanctioned AI weren't the interns. They were the executives.
That is shadow AI: the AI tools your people use to get their work done that the business never approved, can't see, and isn't managing. It is already happening in almost every organisation, yours included, from the front line to the corner office. About half of all employees admit to it (Software AG, 2025), and the only real question is whether you know about it.
Why it happens, and why that matters
It is tempting to read shadow AI as a discipline problem. It almost never is. Your people reach for these tools for the same reason anyone reaches for a shortcut that works: the tools are genuinely good, and the official alternative is slow, missing, or doesn't exist.
That framing matters, because it points to the fix. People aren't being reckless; they're being resourceful in a vacuum you left them. And the fact that the habit runs all the way up to the executive team tells you this isn't a problem with junior discipline, it's a structural gap in the business. Punish the behaviour and you don't stop it, you just push it out of sight. The goal isn't to stop the instinct to use AI. It's to give that instinct somewhere safe to go.
The risks you're actually carrying
The exposure from shadow AI is quiet, which is exactly what makes it dangerous. A few of the bigger ones:
- Data leaving the building. Customer records, contracts, source code and financials pasted into consumer tools that, on their default settings, may retain what they receive and use it to train future models. Once it's in, you can't get it back, and you usually can't show where it went.
- Confidentiality and IP. Work covered by an NDA, or your own trade secrets, handed to a third party you never vetted, often without anyone realising a line was crossed.
- Compliance and privacy. Under the Australian Privacy Act, you are accountable for the personal information your business handles. "An employee pasted it into a chatbot" is not a defence a regulator will accept.
- Output nobody checked. AI gets things confidently wrong. Work built on an unverified answer can reach a client, or feed a decision, before anyone spots the flaw.
- No record. When you can't see which tools are in use, you can't audit them, cost them, or react when something goes wrong.
This is not theoretical. In IBM's 2025 Cost of a Data Breach Report, one in five organisations reported a breach involving shadow AI, and those breaches cost more than the average, around US$4.6 million each. The bill is already arriving, mostly at businesses that never knew they were exposed.
Banning it is the one response that definitely fails
The instinct is often to lock it down: block the tools, send a stern email, add a line to the handbook. It feels like control. It isn't.
A ban doesn't remove the pressure that created shadow AI, it removes your visibility into it. The people using these tools have already weighed it up: three in five say they would take the risk to hit a deadline anyway (BlackFog, 2025). Tell them no and the work doesn't stop, it moves to personal phones and home laptops where you have no oversight at all. You keep every bit of the risk and lose the rest of the picture. Businesses that handle this well do close to the opposite: they bring it into the light.
What to do instead
A workable response has four parts, and none of them is heavy:
- See it first. Before writing a single rule, find out what's actually being used, and for what. A short, no-blame conversation surfaces more than any audit, because people will tell you once they're sure they aren't in trouble. If you have web proxy or DNS logs, a quick look at which AI services are actually being reached fills in what nobody thought to mention.
- Give them a sanctioned path. Approve a small set of tools that are safe for real work, set up properly on business accounts, with the protections consumer accounts usually lack: a written commitment that your data isn't retained or used for training, company-managed sign-in, and usage records you can review. Most shadow AI disappears the moment a better-supported option exists.
- Write a policy that's a seatbelt, not a straitjacket. Short, plain, and built around enabling people safely: what's fine, what's off-limits, what never gets pasted into a public tool, and who to ask when in doubt. A policy nobody can remember is a policy nobody follows.
- Make it normal to talk about. Shadow AI thrives in silence. The fix is a culture where someone can ask "I've been using this, is that okay?" without it feeling like a confession.
Do those four things and the problem largely solves itself, because you have removed the reason it existed.
How we handle it
When we work with a business on this, the AI use policy is usually one of the first things we put in place, and it is deliberately not a legal document nobody reads. We start by finding out what's already in use, agree a set of tools that are safe for the work your team actually does, and write the rules in language a busy person can follow on a Tuesday. Then we treat it as something living, revisited as the tools and the risks change, rather than a one-off sign-off.
The aim isn't to slow your team down. It's the opposite: people get to use AI for real work, with confidence, because someone has made it safe to. That is the difference between shadow AI as a liability and AI as something your business actually runs on.
Not sure what your team is already using? That's worth knowing before it becomes a problem. The free AI Maturity Assessment is a quick way to get a read on where you stand, shadow AI included.
Want to know where your team actually stands?