In most organisations today, AI is already being used across day‑to‑day work. Not because it has been formally approved, but because people needed to get work done fast.

Shadow AI is the use of artificial intelligence tools that are not approved, governed, or visible to the organisation. As Lee Doughty, our Director of Security, Resilience and AI Practice at Intercity, explains:

“Shadow AI is essentially AI that’s completely ungoverned, unknown. The absence of governance doesn’t mean the absence of technology. It means people will go and find it for themselves.”

That includes tools such as ChatGPT, Claude, browser extensions, and free AI platforms used with work data. It exists in almost every organisation. The risk comes from not seeing it.

 

The problem: AI use has moved faster than control

AI adoption has not followed the usual enterprise pattern. People did not wait for strategy, policy, or procurement. They experimented first. As a result, many organisations now face the same reality:
    • AI is being used daily
    • Leadership does not know where, how, or with what data
    • Security and compliance controls are bypassed by default

This behaviour is rarely malicious; it is practical. But it introduces risk.

The scale of shadow AI

Recent independent research shows how widespread unapproved AI use has become:

AI is already embedded in day‑to‑day work, largely outside governance.

 

Why shadow AI is a real risk

Shadow AI creates risk because it operates outside the controls organisations rely on.

Common issues include:

    • Sensitive or regulated data processed with no legal basis
    • Intellectual property shared with external models
    • AI outputs used in decisions without validation
    • No audit trail for how conclusions were reached
    • No clear accountability if something goes wrong

The risks become operational, regulatory, and reputational. And they grow quietly.

 

The misconception: banning AI fixes the problem

Many organisations respond by blocking tools or issuing blanket bans.

This rarely works. People continue to use AI:

    • Through personal accounts
    • On unmanaged devices
    • Via browser plug‑ins or unofficial tools

Bans tend to push usage further out of sight, increasing risk rather than reducing it.

Shadow AI is not caused by lack of rules.
It is caused by lack of safe, approved alternatives.

 

What good looks like

Organisations that manage this well focus on three things:

    • Clarity
      • Clear guidance on what tools are approved
      • Clear rules on what data can and cannot be used
    • Visibility
      • Understanding which AI tools are being accessed
      • Knowing where data flows and who is accountable
    • Enablement
      • Giving people secure, approved tools that meet real needs
      • Training leaders and teams on responsible use

 

In short

    • Shadow AI is already in use in most organisations, driven by employees using unapproved tools to get work done.
    • The main risk is loss of visibility, not malicious intent or AI capability.
    • Banning tools rarely works, and often pushes AI use further out of sight.
    • Effective control comes from governance, visibility, and safe alternatives, not blanket restrictions.

 

What to do next

If AI is being used informally across the organisation, that is normal. The first step is not enforcement. It is understanding. Start by asking these three questions:

    • Where is AI already being used?
    • What data is involved?
    • Who is accountable?

That clarity and visibility are what allow organisations to enable AI safely, rather than react to it.
