The Rise of Shadow AI: When Innovation Outpaces Governance

As technologies evolve and become accessible to non-technical users, companies are increasingly confronted with practices that remain invisible yet very real: Shadow IT yesterday, Shadow AI today. Two sides of the same phenomenon: the appropriation of innovation flying under the radar, a need for agility that comes before governance, and a growing disconnect between users and control over their own information systems.

What happens when employees get a head start on their own IT department?

Shadow IT: The Quiet Disruption That Started It All

The story begins more than a decade ago. Dropbox, Gmail, Google Drive, Trello… All consumer-grade tools that made their way into professional use often did so at the initiative of an employee looking for the best tools to simplify or optimize their work. The intention isn't wrong, but the result is clear: data exits controlled systems, compliance starts to erode, and cybersecurity becomes more complex.

According to Gartner, up to 40% of an enterprise IT budget can be consumed by Shadow IT, without the IT department even knowing it.

Shadow AI: Same Pattern, New Scale

Since the generative AI boom in late 2022, “AI for everyone” has entered the day-to-day reality of employees. Writing an email with ChatGPT, generating a presentation image with Midjourney, analyzing an Excel sheet with Gemini, all these practical use cases are spreading at a pace that leaves no room for control. Much like Bring Your Own Device (BYOD) reshaped corporate IT a decade ago, a new trend has emerged: BYOAI (Bring Your Own AI). Tools follow the users, not the other way around.

And while it’s easy to understand the temptation, the risks are just as significant: leaks of sensitive data, prompts reused in model training, non-compliance with privacy regulations like GDPR or AI Act, hallucinated outputs presented as facts… And above all, a complete lack of oversight: in 50% of cases, employees would use these tools even if their company explicitly banned them.

To illustrate the risk of data leakage, let’s take the emblematic example of the Samsung incident, reported by Forbes in May 2023, which sent shockwaves through the industrial world.  

At Samsung, engineers from the semiconductor division were using ChatGPT for routine tasks: reviewing code, optimizing scripts, drafting internal notes. Within a matter of days, three cases of sensitive data leakage were reported: excerpts of proprietary code and confidential meeting summaries had been copied and pasted into OpenAI’s chatbot.  

The problem? Once submitted, that data could be stored, analyzed, and even incorporated into future model training. The line between personal productivity and uncontrolled data exposure had just been crossed. Samsung responded immediately: a full ban on generative AI tools on corporate devices, a drastic reduction in the allowed size of input prompts, and the launch of an internally developed alternative.

Beyond the incident itself, this episode reflects a broader dynamic: users are adopting AI tools faster than internal policies can catch up. And when AI becomes a reflex before it even becomes a topic of governance, the risk is no longer theoretical; it’s structural.  Samsung isn’t an isolated case. It’s simply one of the first to realize publicly what others will discover later, sometimes too late.

Very Real Risks

The dangers associated with Shadow AI are well documented. One of the most critical involves the leakage of sensitive data, as illustrated earlier. Added to that is the risk of violating regulations such as GDPR, the AI Act, or the NIS2 directive, especially when processing occurs outside approved governance channels. Companies can also lose control over their operational processes when AI-generated decisions or content are no longer traceable or auditable.

Relying on biased or unethical models further exposes organizations to systemic distortions that may be hard to correct once deployed. This is why understanding AI ethics means going beyond data privacy alone; it also involves how models portray (or fail to portray!) the world around us.
In this context, it becomes clear that users should not be left to navigate these tools on their own, but rather supported and guided, for the benefit of both the organization and its people.

Many users don't actively seek to bypass internal rules. In fact, a large part of Shadow AI relies on misplaced confidence. Tools like ChatGPT and Gemini, to name just a few, are so visible and widely used that employees assume they're safe by default. They might not realize they’re using consumer-grade versions, without the protections, auditability, or usage controls that come with enterprise-grade solutions.

The line between personal convenience and corporate risk gets blurry fast, especially when the user interface looks identical.

Take the example of Stable Diffusion, a major player in the field of AI image generation. In 2023, several researchers and Bloomberg journalists showed that the model consistently produced biased results aligned with dominant stereotypes.

Ask it for an image of a “cleaning lady”? You’ll get a majority of Black or Hispanic women. A “CEO”? Almost exclusively white men in business attire.

As Sasha Luccioni, a researcher at Hugging Face and co-author of a study on bias in text-to-image generative models, puts it, one of the key ethical issues isn’t just what AI creates, but what it leaves out:

“We are essentially projecting a single worldview out into the world, instead of representing diverse kinds of cultures or visual identities.” - Dr. Sasha Luccioni

In other words, when models are trained on datasets dominated by specific cultures, stereotypes, or visual archetypes, they tend to reproduce, and even amplify, that singular worldview, at the expense of diversity. What appears neutral may, in reality, render entire segments of humanity invisible.
The model isn’t malicious; it merely reflects the biases embedded in the data it was trained on. But that’s precisely the problem.

In fields like marketing, recruitment, education, or training, these biases can become embedded in the tools themselves, leading to very real consequences: implicit exclusion, underrepresentation of certain profiles, and the reinforcement of systemic inequality.

This emblematic case is a powerful reminder that adopting AI tools without validation, auditing, or even basic maintenance, especially open-source models, can expose organizations to ethical risks just as serious as legal ones. When decisions are made or content is generated through unauthorized tools, responsibility becomes unclear. If something goes wrong, this can be an error, a data leak, or reputational damage, then, who is held accountable? Governance isn’t just about control; it’s about clarity.

So, Should We Ban or Regulate?

Faced with the rise of uncontrolled usage, some companies opt for the simplest response: prohibition. But as the tools become increasingly easy to use, users manage on their own. In the end, banning often means ignoring. Or worse — rendering the phenomenon invisible. The risk isn’t mitigated; it’s hidden.

A century ago, the United States tried banning alcohol. The result wasn’t less drinking — it was secrecy, black markets, and a total loss of oversight. The lesson still holds today: prohibiting behavior without offering credible alternatives rarely works. It simply drives usage underground, where governance becomes nearly impossible.

The real answer lies in embracing the phenomenon while governing it.  Creating a clear policy, offering validated alternatives, training employees, auditing real-world usage. Each of these is a lever that can turn Shadow AI into a strategic driver for a more aligned digital transformation.

As Orange Cyberdefense puts it: “Reducing Shadow IT is far from being a purely technical matter. It also requires ongoing dialogue with employees, their needs, and how they use tools. Many are simply unaware of the risks certain software can pose.”

Toward a Sober, Pragmatic, and Responsible Form of Governance

Governing off-the-radar AI practices doesn’t mean shutting it down. Much like frugal AI, the goal here is to channel usage, not prohibit it. A policy of blanket bans, with no alternatives or education, only pushes practices further into the shadows.

To be effective, companies must avoid cultivating an illusion of control that only deepens opacity instead of addressing the root issue. Too often, the response to unapproved AI tools is limited to strict but easily bypassed restrictions, or to internal guidelines no one actually reads.

Ultimately, the practice survives, only now it’s happening in the shadows. Effective governance isn’t about appearances; it’s about understanding how tools are really being used, knowing where they emerge, and above all, supporting those practices in a tangible, operational way. Most organizations don't actually know which AI tools are being used across their teams. The disconnect isn’t just strategic, it’s also operational. Without real-time visibility, even the best policies remain blind.

In practice, effective governance relies first and foremost on a clear and differentiated usage policy — one that categorizes tools and use cases based on their risk level. Some uses can be encouraged within controlled environments, while others require stricter rules or prior validation. It’s not a one-size-fits-all model, but a flexible framework co-designed with business teams.  

This framework must be paired with meaningful cultural onboarding: explaining the risks tied to sensitive data, training teams on model biases, and fostering a culture of responsible prompting. Employees aren’t asking to be restricted; they’re asking to be guided.  

The key, then, isn’t to regain control through force, but through clarity: seeing what’s really happening, and responding with discernment.

Conclusion

Enterprise AI adoption without oversight isn’t the enemy. It’s a signal. Yesterday’s Shadow IT and today’s Shadow AI point to one simple truth: users no longer wait. When internal tools don’t meet their needs, they look elsewhere.

And if we look closer, this isn’t a problem, it’s an opportunity — an opportunity for dialogue, adaptation, and evolution.

The organizations that will succeed won’t be those that ban everything. They’ll be the ones who understand that innovation can’t be mandated; it has to be guided.