Shadow AI
Also: shadow IT for AI, unapproved AI tools
Shadow AI is AI tools that employees adopt on their own, such as a personal ChatGPT account, a browser extension or a free transcription app, without IT or security ever approving or even knowing about them.
Shadow AI is the AI-tool version of shadow IT: software an organisation is using that never went through a security review, a procurement process, or even a conversation with the people responsible for data protection. It shows up because AI tools are frictionless to adopt, with no purchase order, no install, and often no sign-up beyond an email address, and because employees are under real pressure to move faster, so they reach for whatever works.
The risk is the tier, not carelessness
The risk isn't that employees are being careless. It is that a consumer-tier AI account frequently has a different data policy than the enterprise tier of the same product. A free ChatGPT or Otter.ai account, for example, can have a different training posture, retention window, or compliance status than the business plan of the exact same tool, so the same product name can mean two very different risk profiles depending on which tier someone happens to be signed up on.
When it becomes a real problem
Shadow AI becomes a real problem the moment sensitive data enters the picture: a support rep pastes a customer's details into a chatbot to draft a reply, a clinician runs patient notes through a free transcription tool, a paralegal uploads a contract to get a summary. None of that shows up on an approved-vendor list, so none of it gets vetted, and none of it gets picked up if the vendor's policy quietly changes.
The fix is visibility, not a ban
The fix is not a ban; bans just push usage further into the shadows. It is visibility (a living register of what is actually in use), a fast lane for getting new tools vetted so people aren't stuck waiting weeks, and clear tiering guidance ('use the Business plan, not the free one') so the tools people already like become safe to keep using. ModelCharter's team dashboard keeps that tool register, and the AI Tool Risk Directory provides the sourced facts to vet each entry.