AI Governance, Security & Compliance

Shadow AI: spotting and stopping unsanctioned tool use

23 May 2026

Many small and medium businesses (SMBs) are exploring the potential of artificial intelligence. While the focus is often on planned deployments like Microsoft Copilot, a more subtle and less controlled form of AI adoption is likely already present in your organisation: Shadow AI. This isn't about employees intentionally trying to circumvent rules; it often stems from individuals genuinely seeking to improve their productivity or solve problems using readily available tools. However, unmanaged AI use can introduce significant risks, from data breaches to compliance failures.

This article will help you understand what "shadow AI" is, how to identify it within your business, and practical steps to mitigate the associated risks, all while fostering a secure and innovative environment.

What Exactly is Shadow AI?

Shadow AI refers to the use of AI tools and services within an organisation without the explicit knowledge, approval, or oversight of IT or leadership. Think of it as the AI equivalent of employees using personal cloud storage accounts or unsanctioned software for work tasks.

Common examples of shadow AI include:

  • **Public Large Language Models (LLMs):** Employees using consumer-grade ChatGPT, Google Bard (now Gemini), or similar services to draft emails, summarise documents, generate ideas, or even write code.
  • **Image Generators:** Tools like Midjourney or DALL-E being used for marketing materials or internal presentations without official approval.
  • **AI-Powered Translation Tools:** Using online services to translate sensitive company documents.
  • **Unsanctioned AI Browser Extensions:** Plug-ins that promise to summarise web pages, enhance writing, or automate tasks.
  • **Embedded AI in Other Software:** Even within sanctioned software, users might enable experimental AI features that haven't been vetted.

The driving force behind shadow AI is often a desire for efficiency. Employees see a tool that promises to save them time or make their job easier, and they use it. The problem arises when these tools interact with or process company data, creating potential vulnerabilities.

Why is Shadow AI a Concern for SMBs?

While the initial impulse to use AI might be benign, the risks associated with shadow AI are significant and can impact an SMB profoundly.

  • **Data Security and Privacy Risks:** The most prominent concern. When employees input company data (customer lists, financial figures, proprietary designs, HR information) into public AI tools, that data is often used by the AI provider to train its models. This effectively means your sensitive information could become part of the public domain or appear in responses to other users' queries. This is a direct violation of data protection regulations like GDPR.
  • **Compliance and Regulatory Breaches:** Beyond data privacy, many industries have specific compliance requirements (e.g., financial services, healthcare). Unsanctioned AI use can easily lead to non-compliance, resulting in hefty fines and reputational damage.
  • **Intellectual Property (IP) Loss:** If employees input confidential product designs, marketing strategies, or unique code into a public AI, your company's valuable IP could be compromised.
  • **Bias and Accuracy Issues:** Public AI models can sometimes generate biased, inaccurate, or even outright fabricated information. Relying on such outputs without verification can lead to poor business decisions, legal repercussions, or damage to your company's reputation.
  • **Licensing and Cost Implications:** While many consumer AI tools have free tiers, their use for commercial purposes might violate terms of service. Furthermore, widespread adoption of paid tiers without central oversight can lead to unexpected costs.
  • **Loss of Control and Visibility:** Without knowing which tools are being used, where your data is going, or how AI is influencing workflows, you lose crucial oversight of your operations.

How to Spot Shadow AI in Your Organisation

Identifying shadow AI isn't always straightforward, as it often operates beneath the radar. However, several indicators can help you uncover its presence:

  • **Sudden Increase in Productivity with Unclear Source:** If a team or individual suddenly becomes significantly more efficient in certain tasks without a clear explanation or new tools being officially rolled out, it might warrant investigation.
  • **Unusual Network Traffic Patterns:** Your IT team or managed service provider (MSP) might notice traffic to previously unvisited AI service domains. Tools providing visibility into network egress points can be particularly useful here.
  • **Anecdotal Evidence and Employee Discussions:** Pay attention to casual conversations. Employees might mention "checking with ChatGPT" or using an "AI helper" in passing. This is often the simplest and most direct way to discover unsanctioned use.
  • **Review Expense Reports:** Look for subscriptions to AI tools that haven't been approved or provisioned centrally.
  • **Internal Surveys (Anonymous):** A well-crafted, anonymous survey can gauge current AI tool usage and identify popular services, helping you understand what employees are using and why.
  • **Data Loss Prevention (DLP) Warnings:** If you have DLP solutions in place, they might flag attempts to copy sensitive data into web forms or external applications associated with AI services.
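
The "unusual network traffic" indicator above is easiest to act on when it is turned into a repeatable check over whatever egress logs you already have (web proxy, firewall, DNS). The script below is an added illustration, not part of the original article or any vendor's product: it parses a few constructed proxy log lines, compares destinations against a list of known AI service domains and the subset the business has sanctioned, and summarises per user who is talking to unsanctioned services and whether any single request was large enough to look like a document upload rather than a typed prompt. The domain names, user names, log format and the 500 KB upload threshold are all assumptions chosen for the example.

```python
"""Flag egress traffic to AI services that are not on the sanctioned list.

Added example. The log lines, host names and user names are constructed for
illustration; KNOWN_AI_DOMAINS stands in for whatever list your MSP or
firewall vendor maintains and is not a real feed.
"""
import re
from collections import defaultdict

# Constructed web-proxy sample: timestamp, user, method, destination host, bytes sent.
SAMPLE_PROXY_LOG = """\
2026-05-20T09:01:12Z alice GET  intranet.example.local 512
2026-05-20T09:03:44Z alice POST chat.example-ai.com 48230
2026-05-20T09:04:10Z bob   GET  copilot.microsoft.com 1024
2026-05-20T09:05:02Z carol POST api.summarise-example.net 951000
2026-05-20T09:05:30Z carol POST api.summarise-example.net 1203400
2026-05-20T09:06:15Z dave  GET  www.example.com 2048
2026-05-20T09:07:01Z alice POST chat.example-ai.com 3300
"""

# Placeholder domain lists (assumption): every AI service we recognise, and the approved subset.
KNOWN_AI_DOMAINS = {"chat.example-ai.com", "api.summarise-example.net", "copilot.microsoft.com"}
SANCTIONED_AI_DOMAINS = {"copilot.microsoft.com"}

# A single request sending more than this is treated as a file upload, not a chat prompt.
UPLOAD_THRESHOLD_BYTES = 500_000

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|PUT)\s+(\S+)\s+(\d+)$")


def parse_proxy_log(text):
    """Yield (timestamp, user, method, host, bytes_sent) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, method, host, size = m.groups()
            yield ts, user, method, host.lower(), int(size)


def find_shadow_ai(text):
    """Summarise, per user, traffic to AI domains that are known but not sanctioned."""
    findings = defaultdict(
        lambda: {"hosts": set(), "requests": 0, "bytes_sent": 0, "large_uploads": 0}
    )
    for _ts, user, method, host, size in parse_proxy_log(text):
        if host in KNOWN_AI_DOMAINS and host not in SANCTIONED_AI_DOMAINS:
            f = findings[user]
            f["hosts"].add(host)
            f["requests"] += 1
            f["bytes_sent"] += size
            # Large POST/PUT bodies are the cases worth a conversation first.
            if method in ("POST", "PUT") and size >= UPLOAD_THRESHOLD_BYTES:
                f["large_uploads"] += 1
    return dict(findings)


if __name__ == "__main__":
    for user, f in sorted(find_shadow_ai(SAMPLE_PROXY_LOG).items()):
        print(f"{user}: {sorted(f['hosts'])} requests={f['requests']} "
              f"bytes_sent={f['bytes_sent']} large_uploads={f['large_uploads']}")
```

On the constructed sample this reports alice (two small chat requests) and carol (two multi-megabyte uploads to a summarisation service), and ignores bob because Copilot is sanctioned. The useful design point is that the output is a starting point for a conversation with the user, not a verdict: the domain list will always lag behind the market, so pair it with the survey and expense-report checks above.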

Strategies for Stopping and Managing Shadow AI

Completely eliminating shadow AI is probably unrealistic. A more pragmatic approach involves controlling and channelling its use safely.

1. **Educate Your Workforce:**
   - **Awareness Campaigns:** Clearly communicate the risks of using unsanctioned AI tools, focusing on data privacy, security, and IP protection. Use real-world examples relevant to your business.
   - **Policy Rollout:** Establish a clear, concise AI usage policy. Specify which tools are approved, which are prohibited, and the guidelines for data handling.
   - **Training:** Provide regular training sessions for all employees on the compliant and secure use of AI.

2. **Provide Sanctioned Alternatives:**
   - **Approved AI Tools:** If employees are using public LLMs for summarisation, consider providing access to a secure, approved alternative. For Microsoft 365 users, Microsoft Copilot is a prime example of an enterprise-grade AI assistant designed with data privacy and security in mind. It operates within your tenant's security boundaries and doesn't use your data to train public models.
   - **Internal Guidelines for Public Tools:** For tools deemed low risk (e.g., basic search functions), provide clear guidelines on what information can and cannot be input. Emphasise that no sensitive, confidential, or proprietary data should ever be shared.

3. **Implement Technical Controls:**
   - **Network Filtering:** Block access to known unapproved AI websites and domains at the firewall level.
   - **Data Loss Prevention (DLP):** Configure DLP policies to prevent sensitive data from being copied or uploaded to unapproved AI platforms.
   - **Cloud Access Security Brokers (CASB):** These tools can monitor and control cloud application usage, identifying shadow IT and enforcing policies.
   - **Endpoint Detection and Response (EDR):** EDR solutions can help detect unusual software installations or data transfers to unapproved services on individual devices.

4. **Regular Review and Adaptation:**
   - **Update Policies:** The AI landscape changes rapidly. Your policies need to be reviewed and updated regularly to reflect new tools, risks, and best practices.
   - **Monitor and Audit:** Periodically review logs, network traffic, and expense reports to identify new instances of shadow AI.
   - **Open Communication:** Maintain an open dialogue with employees. Encourage them to propose new AI tools they believe could be beneficial, establishing a formal review process for new applications.
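
The DLP control in step 3 is, at its core, pattern matching on content before it leaves the organisation. The following is an added example, not the article's own or any DLP vendor's rule set: it scans a constructed prompt that an employee is about to paste into an external AI tool, looks for e-mail addresses, payment card numbers (validated with the Luhn checksum so that phone numbers and order references do not trigger false positives) and classification labels such as "Internal only", and maps the findings to a simple allow/warn/block decision. The patterns, the sample prompts and the policy thresholds are all assumptions chosen to illustrate the mechanism; a real deployment would extend the pattern set to the data types your business actually handles.

```python
"""Pattern-based check of text before it is sent to an external AI service.

Added example. The patterns, sample prompts and allow/warn/block policy are
constructed for illustration and are not a vendor's DLP configuration.
"""
import re

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# 13 to 19 digits with optional single space/hyphen separators; Luhn-checked below.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
CLASSIFICATION_RE = re.compile(r"\b(confidential|internal only|restricted)\b", re.IGNORECASE)

# Constructed sample prompts.
SAMPLE_PROMPT_SENSITIVE = (
    "Summarise this note. Customer jane.doe@example.com paid with card "
    "4111 1111 1111 1111 on 3 May. INTERNAL ONLY."
)
SAMPLE_PROMPT_EMAIL_ONLY = "Draft a reply to bob@example.org about the invoice query."
SAMPLE_PROMPT_BENIGN = "Draft a polite reminder about the Friday team meeting."


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_sensitive_data(text):
    """Return a dict of finding type -> matches; card numbers are masked to the last four digits."""
    findings = {"email": [], "payment_card": [], "classification_label": []}
    findings["email"] = EMAIL_RE.findall(text)
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings["payment_card"].append("*" * (len(digits) - 4) + digits[-4:])
    findings["classification_label"] = [
        m.group().lower() for m in CLASSIFICATION_RE.finditer(text)
    ]
    return findings


def decide(findings):
    """Example policy: block on card data or classification labels, warn on e-mail addresses."""
    if findings["payment_card"] or findings["classification_label"]:
        return "block"
    if findings["email"]:
        return "warn"
    return "allow"


if __name__ == "__main__":
    for label, prompt in [("sensitive", SAMPLE_PROMPT_SENSITIVE),
                          ("email only", SAMPLE_PROMPT_EMAIL_ONLY),
                          ("benign", SAMPLE_PROMPT_BENIGN)]:
        f = scan_for_sensitive_data(prompt)
        print(f"{label}: {decide(f)} {f}")
```

The masking in `scan_for_sensitive_data` matters as much as the detection: a DLP alert that copies the full card number into a log has simply moved the sensitive data somewhere else. The Luhn check is what keeps the card rule usable in practice; without it, any 13-digit reference number would block a prompt and users would quickly learn to route around the control.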

Your Next Steps

Ignoring shadow AI is no longer an option. It's a growing reality that requires proactive management.

Start by having a conversation with your leadership team and IT support (or MSP). Discuss the potential risks and decide on a strategy. Consider conducting an internal audit to gauge the current level of AI tool usage within your organisation. From there, you can begin to educate your team, implement controls, and explore secure, enterprise-grade AI solutions like Microsoft Copilot that can provide the productivity benefits your employees seek without compromising your data or compliance.

Being strategic about AI governance now will protect your business and lay a solid foundation for future innovation.