# Shadow AI
Employees using unapproved AI tools without the knowledge of the IT or security teams. The AI equivalent of Shadow IT, but faster-moving and harder to detect.
## Why it happens
Official tools are too slow, too restricted, or unavailable. Consumer AI (ChatGPT, Claude, Gemini) is frictionless and immediately useful. When the approved path has more friction than the unapproved one, people take the shortcut.
## Risks
- **Data leakage**: employees paste proprietary code, customer data, or internal documents into consumer AI tools. See [[AI Privacy]] and [[AI Data Security]].
- **Compliance violations**: in regulated industries (finance, healthcare), sending data to unapproved tools may violate data handling requirements. See [[AI Training Data Collection]].
- **Inconsistent outputs**: no standardization across teams using different tools with different prompts.
- **No audit trail**: impossible to review what was sent, what was generated, or what decisions were influenced by AI.
## Detection
- Monitor network traffic for AI service domains.
- Survey employees anonymously about actual AI tool usage.
- Review browser extensions and installed applications.
- Check expense reports for personal AI subscriptions.
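As an added example (not part of this note), a small Python pass over constructed proxy-log lines that implements the first detection item: flag users reaching consumer AI domains that are not on the approved list, summed by bytes sent so the noisiest sources of potential data leakage surface first. The log format, the domain lists and the internal approved host are assumptions.

```python
"""Added example: flag unapproved AI-service traffic in proxy logs.

Assumptions (not from the note): one log line per request with the fields
timestamp, user, destination host, bytes sent. The watch-list of consumer AI
domains and the allow-list of approved services are constructed placeholders.
"""
import re
from collections import defaultdict

# Constructed watch-list (consumer AI services) and allow-list (approved path).
AI_DOMAINS = {
    "chatgpt.com": "ChatGPT", "openai.com": "ChatGPT",
    "claude.ai": "Claude", "anthropic.com": "Claude",
    "gemini.google.com": "Gemini",
}
APPROVED = {"enterprise-ai.example.internal"}  # placeholder internal host

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<bytes>\d+)$")


def parent_domain(host, domains):
    """Return the watch-list domain that host falls under, or None."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):  # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def find_shadow_ai(log_lines, min_bytes=0):
    """Sum bytes sent per (user, service) for unapproved AI destinations."""
    hits = defaultdict(int)
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        host = m["host"].lower()
        if host in APPROVED:
            continue  # sanctioned path: not shadow AI
        domain = parent_domain(host, AI_DOMAINS)
        if domain is not None:
            hits[(m["user"], AI_DOMAINS[domain])] += int(m["bytes"])
    return {k: v for k, v in hits.items() if v >= min_bytes}


# Constructed sample log lines for a stand-alone run.
SAMPLE_LOG = [
    "2024-05-01T09:12:03Z alice api.openai.com 48213",
    "2024-05-01T09:13:10Z alice chatgpt.com 1200",
    "2024-05-01T09:20:44Z bob enterprise-ai.example.internal 90000",
    "2024-05-01T09:21:01Z carol claude.ai 305",
    "2024-05-01T09:22:00Z dave example.com 10",
    "malformed line",
]

if __name__ == "__main__":
    for (user, service), sent in sorted(find_shadow_ai(SAMPLE_LOG).items()):
        print(f"{user}: {service} ({sent} bytes sent)")
```

With a TLS-intercepting proxy the host comes from the SNI or CONNECT line, so the byte count is an upper bound on what was pasted, not the prompt content itself.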
## Mitigation
- **Make approved tools easy to use**: the best defense is making the official path frictionless. See [[Enterprise AI Deployment]].
- **Clear [[AI Usage Policy]]**: define what's allowed, what's not, and why.
- **[[AI Governance]]**: establish oversight structures for AI tool adoption.
- **Education, not prohibition**: teach employees about risks rather than just blocking tools. Prohibition drives usage underground.
## References
## Related
- [[AI Usage Policy]]
- [[AI Privacy]]
- [[AI Training Data Collection]]
- [[AI Data Security]]
- [[AI Governance]]
- [[Enterprise AI Deployment]]