Ask leadership whether the company uses generative AI and you'll get a policy answer. Ask the network logs and you'll get the truth: marketing is drafting in ChatGPT, engineering pastes stack traces into a copilot, finance built a GPT that summarizes contracts, and someone in HR is screening resumes with a browser extension nobody has ever heard of.
This is shadow AI — and it follows the same arc shadow IT did a decade ago, at ten times the speed and with a sharper edge: the data doesn't just live somewhere unsanctioned, it gets absorbed. Prompts can become training data. Uploaded files persist in histories on personal accounts. An employee who leaves takes their chat history — full of your contracts, code, and customer records — with them.
Why bans fail (and make it worse)
The reflex is a prohibition memo. The result is predictable: usage continues on personal devices and personal accounts, where you have zero visibility, zero contractual protection, and zero ability to respond when something goes wrong. A ban doesn't reduce shadow AI; it just guarantees that all of it is shadow.
What a real response looks like
1. Measure before you legislate
Your secure web gateway, DNS logs, and M365/Google admin consoles can already enumerate which AI services your organization touches and how often. Every shadow-AI discovery exercise we've run has surprised the leadership team — in volume, and in which departments lead it.
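As an added illustration of the measurement step (example code, not from the original post), the script below classifies constructed proxy log lines against a starter catalogue of AI service domains and tallies hits per department. The catalogue, the user-to-department map and the log lines are all constructed assumptions, and the hostname heuristic for unknown tools only flags candidates for human review.

```python
"""Shadow-AI discovery over constructed proxy log lines (added example)."""
from collections import Counter

# Constructed starter catalogue: domain suffix -> service. Maintain your own list.
AI_SERVICES = {
    "chatgpt.com": "ChatGPT",
    "openai.com": "ChatGPT/OpenAI API",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Copilot",
}
# Heuristic for tools nobody has heard of: AI-looking hostname fragments go to review.
SUSPECT_TOKENS = ("gpt", "llm", "ai-", "-ai", "assistant")

# Constructed HR/IdP export (assumption: proxy user names can be joined to departments).
DEPARTMENTS = {"alice": "marketing", "bob": "engineering", "carol": "finance", "dan": "hr"}

# Constructed proxy log lines in the form "<timestamp> <user> <destination host>".
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice chatgpt.com
2024-05-01T09:14:41Z alice chatgpt.com
2024-05-01T09:20:10Z bob api.openai.com
2024-05-01T10:02:55Z carol chatgpt.com
2024-05-01T10:05:00Z dan resume-screener-ai.example
2024-05-01T10:06:12Z bob github.com
"""

def classify(host):
    """Catalogue name for a known host, 'REVIEW:<host>' for AI-looking unknowns, else None."""
    for suffix, name in AI_SERVICES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    if any(tok in host for tok in SUSPECT_TOKENS):
        return "REVIEW:" + host
    return None

def inventory(log_text):
    """Count AI-service hits per (department, service); unknown users land in 'unmapped'."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, user, host = parts
        service = classify(host.lower())
        if service:
            counts[(DEPARTMENTS.get(user, "unmapped"), service)] += 1
    return counts

if __name__ == "__main__":
    for (dept, service), n in sorted(inventory(SAMPLE_LOG).items()):
        print(f"{dept:12} {service:40} {n}")
```

The REVIEW rows are the interesting part of a real run: they are the unsanctioned tools that never appear in any vendor list.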
2. Give the demand a sanctioned home
People use these tools because they work. Provide an approved path — enterprise tenants with training opt-outs, SSO, and logging — and most usage migrates willingly. The sanctioned option must be genuinely good, or the shadow returns.
3. Write an AI use policy people can follow
One page beats twelve: which tools are approved, what data classes may never enter a prompt (regulated data, credentials, client confidential), and who to ask when unsure. Then train against it with the same realism you'd use for phishing — because pasting a customer list into a chatbot is this decade's clicked link.
4. Fold it into governance you already run
Shadow AI isn't a new risk category — it's data handling, vendor risk, and acceptable use converging on one interface. Your inventory feeds the risk register; your approved-tool list feeds vendor management; exceptions feed the board packet.
The uncomfortable good news
Shadow AI is evidence your organization wants to move faster. The companies that handle this well don't treat employees as the threat — they treat ungoverned data flow as the threat and channel the enthusiasm. Getting from invisible to governed is a 60-day project with the right structure. Our AI assessment starts precisely there: discover, tier, and govern what's already running.