ModelCharter

What Is Shadow AI, and How Do You Get It Under Control?

Shadow AI is the use of AI tools that your organisation hasn't approved or doesn't even know about: marketing running ChatGPT on personal accounts, support installing an AI browser extension, an engineer pasting code into a free assistant. It's the AI version of 'shadow IT'.

Why it happens

Because AI tools are useful and free, and approval is slow or non-existent. People aren't being reckless; they're trying to do their jobs faster. Banning AI outright just drives it further underground.

The risk

Consumer and free tiers of many AI tools train on your inputs by default and retain data. Confidential plans, customer data and source code entered into them can leak into model training or be exposed in a breach, and you have no record that it happened.

How to control it (without a ban)

Give people an approved path. Publish a short AI usage policy, maintain a list of approved tools (with the safe tiers named), and make it easy to request new ones. When the sanctioned route is as easy as the shadow one, shadow AI shrinks.

Know your tools

Start by checking how your most-used AI tools actually handle data: whether they train on your inputs, how long they retain them, and whether they offer a business tier that doesn't train on them. Our AI Tool Risk Directory rates the popular ones from their own policies.

Put this into practice

Generate a free AI usage policy for your team, then see which of your tools are safe to use.
