
From shadow IT to shadow AI: the new hidden risk

18 Nov 2025

Alerts
Technology

For many years, organisations have grappled with the unsanctioned use of software, apps and cloud services outside formal IT oversight, known as Shadow IT.

Now, with the rapid integration of AI into business operations, the unsanctioned use of AI is emerging as the newest and most complex threat yet. Shadow AI occurs when AI tools are used within an organisation without approval, oversight or governance; for example, employees independently using generative AI to draft documents or generate ideas without oversight. Its emergence can largely be attributed to publicly available AI tools that are easily adopted, often as a browser extension.

Whilst traditional Shadow IT is primarily concerned with the risks of security gaps, data breaches and system fragmentation, Shadow AI introduces new risks because of AI's data processing and decision-making capabilities; for example, employees inputting confidential information into a public AI tool.

Shadow AI risks 

Shadow AI use can expose organisations to a range of legal, compliance and information security risks, including: 

  • Data exposure risk – sensitive client or company information is input into public AI tools capable of storing and reusing the data.
  • Regulatory risk – contraventions of privacy, intellectual property and other laws are possible through the processing of personal information and infringement of ownership rights.
  • Operational risk – outputs from AI tools that influence business decisions without proper oversight can lead to inconsistent or biased decision making.
  • Financial risk – costs can arise from the remediation of AI misuse or data exposure incidents.
  • Security risk – as a subset of Shadow IT, cybersecurity and system risks apply equally to AI systems.
  • Reputational risk – outputs can contain errors or AI hallucinations which, without proper cross-checking, can lead to the spread of misinformation and damage public image.

It is important to recognise that Shadow AI often arises from legitimate business needs, not malicious intent. AI tools create a real opportunity to streamline repetitive tasks, generate ideas and draft documents. Organisations that ban all external AI use without providing alternatives risk stifling innovation and efficiency whilst pushing AI use further underground and out of oversight. 

Managing the Risks 

Mitigating Shadow AI requires a proactive and balanced approach that combines transparency, control and support for innovation. Some practical steps organisations should consider include:

  • Use mapping and risk assessment – identify all AI tools being used in the organisation and understand their uses. Determine which AI tools should be sanctioned with appropriate guardrails to reduce shadow use.
  • Policy frameworks – develop a clear AI policy that sets boundaries for acceptable use and approval processes for AI tools. Ensure procedures for violations, risk assessment and potential breaches are covered in, or added to, existing policies.
  • Training – educate employees on AI risks, sensitive data handling and relevant legal obligations.
  • Continuous monitoring – implement technical controls to monitor and manage AI tool usage across the organisation.
  • Regulatory alignment – stay informed about emerging AI regulation, including the Australian Government's evolving approach to responsible AI use. Update policies and procedures accordingly.

Shadow AI is the next evolution of Shadow IT. Organisations that ignore it risk data breaches, regulatory penalties and operational failures. Proactive governance through visibility, policy and education can ensure AI use does not become a hidden liability in your organisation.

This article was written by Ariel Bastian, Senior Associate, Anna Kosterich, Restricted Practitioner, and Tegan Hill, Restricted Practitioner, Corporate Commercial.
