There’s a new figure lurking in the shadows of enterprise ecosystems. Far beyond undeclared and unknown apps and software – traditional shadow IT – employees are turning in droves to the likes of ChatGPT and Claude.

About three-quarters of surveyed workers are now using generative AI in the workplace, with nearly half (46%) doing so within the last six months. As a result, more workers are onboarding smart tools and offloading proprietary information. In many cases, admins are unaware of the security backdoors or what happens in the data black boxes. The compliance, regulation, and brand risks speak for themselves.

The What and the Why of Shadow AI

Shadow AI feels like the natural evolution of remote workers using more innovative tools. Much like during the pandemic, employees believe their tech stack is their decision, picking and choosing their preferred apps without a word to admins. But this opens up a security and privacy can of worms, particularly since there’s still so much we don’t know about AI.

For the record, I don’t blame employees striving for excellence or efficiency. These tools can deliver both, and workers (especially in tech) are usually encouraged to move fast and break things. Large language models (LLMs) are adept at uncovering insights from vast amounts of text or code much more quickly than humans. The problem is that this new wave of “preferred apps” can hallucinate output, leak sensitive information, and introduce regulatory and compliance nightmares.

Why Shadow AI Is a Problem

Shadow AI provides admins with significantly less control and oversight over their ecosystem. If an employee is feeding sensitive data into these models, it’s likely happening without encryption and safeguards. Likewise, there’s no audit trail to prove who used what and why, nor is there visibility into where the information goes – critical concerns when researchers report 11% of files uploaded to AI contain sensitive corporate data.

The risks increase for enterprises handling sensitive information as unregulated use can violate industry regulations like GDPR or HIPAA. Also, it’s worth remembering that the technology isn’t perfect. Biased answers and broken logic appearing in corporate output are a bad look.

Unfortunately, you don’t need to look far for AI horror stories in the enterprise – nearly 80% of IT organizations reported negative outcomes (inaccurate results, data leaks) from employee use of generative AI.

How Admins Can Fight Back

Much like shadow IT, admins should work with rather than against employees in finding a solution to shadow AI. Educate them on why unfettered AI access can be bad for business.

At the same time, help keep them on the straight and narrow by exploring data guardrails like blacklisting access to questionable tools and blocking file uploads to unauthorized services.

Going forward, however, the adoption of generative AI is accelerating whether IT approves or not. Smart admins will get ahead by treating unauthorized AI as market research – identify what employees need, evaluate the risks, and deploy enterprise-grade alternatives with proper guardrails. This is how ecosystem orchestrators can shine a light on the situation, enable innovation, and protect the business (and themselves).
