Skip to content
How to Secure AI
← Resources

Explainer

Shadow AI: what your team is already doing

Nobody asked permission, and that's not a discipline problem. Here's how AI actually enters a business, why you can't see it, and the cheapest way to find out.

By Mark Jones, IT Consulting SpecialistPublished July 16, 2026Sources last verified July 16, 2026
A cutaway office building. At every desk on the lower floors, a thin thread carries fragments of paper down through the foundation and out of the frame. On the top floor, one figure sits facing the other way.

There’s a specific conversation I have with owners over and over. It goes like this: I ask whether their team uses AI. They say no, or a little, or “we haven’t really gone down that road yet.” Then we ask the team.

The team has gone down that road. They went down it eighteen months ago.

This is not a story about bad employees. It’s the most predictable thing in the world, and understanding why it happens tells you what to do about it.

Nobody asks permission for a website

Think about how AI actually arrives in a business. It isn’t procured. There’s no vendor call, no contract, no security review, no line item. Somebody has a deadline, opens a browser tab, pastes something in, and gets a useful answer in nine seconds.

That’s it. That’s the whole adoption process.

Every previous category of business software had a gate somewhere — a purchase, an install, an admin who had to provision it. AI has none. It’s a website. Your team already has browsers, and the good version costs about the same as lunch, on a personal card, expensed as “software” if at all.

So when an owner tells me their company doesn’t use AI, what they’re really telling me is that their company has never discussed AI. Those are extremely different statements, and the gap between them is where the risk lives.

What actually goes in

When I get a look at real usage, the pattern is consistent. It’s not people asking for poems. It’s people doing their jobs:

  • The proposal. Somebody pastes a client’s brief and last year’s pricing into a chat box and asks for a first draft.
  • The awkward email. A manager pastes a thread about a struggling employee and asks how to phrase the response.
  • The spreadsheet. Someone can’t get a formula right, so they paste the sheet in. The sheet has every customer name in it.
  • The bug. A developer pastes a stack trace that includes a live credential, because the stack trace includes a live credential.
  • The contract. Someone pastes an agreement they don’t understand and asks what clause 14 means. The agreement is under NDA. Clause 14 is probably the NDA.

Notice what these have in common. Every one is a person trying to do good work. Nobody in this list is being careless — they’re being effective, using the best tool in front of them. That’s why “just tell people to stop” fails. You’d be asking your best people to be slower at their jobs for a reason you haven’t explained.

Why you can’t see any of it

Here’s the part that catches people off guard.

There is no log. Not a bad log — none. If you wanted to answer “what left this company through an AI tool last quarter,” you couldn’t. Your IT provider couldn’t either. Nothing was recording it, because from the network’s point of view, nothing happened: an employee visited a website and typed in a text box. That is indistinguishable from a thousand ordinary things.

This is different from every data-loss channel you already worry about. Email leaves a trail. USB drives can be blocked. File shares have permissions. A chat box has none of that, and the interaction happens on a personal account you have no administrative relationship with.

So the honest position for most businesses right now is: something has gone out, you don’t know what, and you have no way to reconstruct it after the fact.

The part that turns into a real problem

Data going to a vendor is a risk. Fine. Lots of things are risks. Here’s the specific thing that turns it from abstract to expensive:

You’ve probably already promised you wouldn’t.

Go read your client agreements. Not skim — read. Most professional services contracts, most enterprise MSAs, most data processing agreements, and nearly every NDA contain some version of a clause restricting disclosure of confidential information to third parties without notice or consent.

An AI vendor is a third party.

So a paralegal pasting a client matter into a chat box isn’t only a data question. It’s potentially a breach of an agreement your company signed, made by someone who has never read that agreement and had no reason to think a website counted. Multiply by however many people work for you.

Nobody notices this for a long time. It surfaces when a client sends a security questionnaire, when you’re bidding for a contract with a real compliance review, when an insurer asks, or during diligence — someone asks a direct question in writing, and you have to answer it in writing.

That’s the moment “we’ve never really discussed AI” becomes an extremely bad sentence to have to say.

The cheapest thing you can do this week

Do not start with a policy. A policy written before you know what’s happening is a document that describes an imaginary company.

Start with a question, asked in a way that gets a true answer:

“I’m not trying to catch anyone out and nobody’s in trouble. I want to know what’s genuinely useful. What AI tools are you using, and what do you use them for?”

Say it exactly like that, and mean it. The word “amnesty” is not too strong. If your team thinks there’s any chance of consequences, you’ll get a clean, useless answer and you’ll be worse off than before — you’ll now have documented that nothing is happening, which is the one thing you can’t afford to be wrong about.

What comes back is usually three things at once:

  1. Exposure you didn’t know about — the specific data, in the specific tools.
  2. A list of your worst processes, ranked. People reach for AI exactly where the work is most painful. That map is genuinely valuable and you cannot buy it.
  3. Your early adopters, self-identified. The people already figuring this out are the ones who should help lead whatever you do next.

That third one matters more than it sounds. The instinct is to treat shadow AI as a discipline problem. It’s better read as free R&D that your team ran on its own time. They found the pain points and they found the tools. You just weren’t in the loop.

What good looks like

The goal isn’t zero AI. Zero AI is not achievable and wouldn’t be desirable if it were — you’d just be pushing it further underground, onto personal phones, where you’ll never see it again.

The goal is that AI use in your business is visible, deliberate, and on tools you control. Roughly:

  • You know what’s being used and for what.
  • The tools are business accounts your company administers, not personal logins.
  • There’s a short, readable rule about what never goes in — one page, in plain language, that a person can actually follow.
  • Somebody owns it, so it doesn’t drift straight back to where it started.

None of that requires a big program. It requires knowing what’s true first.

That’s the entire reason the first conversation I have with any business is about how the work actually gets done, not about AI at all. You can’t secure a process you haven’t seen.