Need support? Helpdesk: (780) 800-5528
Home / Insights & Resources / AI Risk Series / Shadow AI

Risk 01 of 13 · AI Risk Series

Shadow AIMay 2026 • 7 min read

Shadow AI: the tools your IT team cannot see

AI may already be in your business, even if leadership has never formally approved an AI tool.

AI tools may already be running on business work through personal accounts, outside identity, procurement, and offboarding.

Where it comes from A genuine work need meets no approved option and a free signup form. The business has no rule.
What the business loses The ability to inventory, audit, transfer, or terminate AI accounts that hold customer work and reusable prompts.
What ends it A short list of approved AI tools with company-managed accounts and an intake path staff will use.
← Series introduction Article 01 of 13

Staff have been signing up for AI because work needed doing: newsletter drafts, client summaries, RFP language, data cleanup, meeting notes, spreadsheet cleanup, and rough first drafts that save half an hour. They often use personal Gmail accounts, personal credit cards, work laptops, home computers, and personal phones already used for work. Most did not set out to hide anything. The business had no clear rule, no approved option, and no quick path for asking.

Shadow AI is what happens when a genuine work need meets no sanctioned option and a free signup form.

The security issue is control. A tool signed into with a personal account has no relationship to the business's identity provider, procurement process, vendor list, device management, or offboarding routine. Microsoft 365 may have MFA and conditional access. Google Workspace may have strong account controls. The business may have a careful checklist for approved vendors. Those controls govern the tools the business knows it has. A personal AI account sits outside that administrative surface.

What the risk is

Shadow AI is uncontrolled AI adoption. Tools enter the business through staff action, outside the systems the business uses to approve, monitor, and terminate access.

If a business approves an AI tool and provides company-managed accounts, it can answer basic questions: who may use it, what data may go into it, which contract applies, who administers it, and how access ends when someone leaves. If staff use personal accounts or install AI tools on their own, those decisions move into individual habit.

Common examples include:

  • A staff member uses a personal ChatGPT, Claude, Gemini, or similar account for business drafting.
  • A browser extension offers to summarize pages, rewrite text, or assist with research.
  • A desktop AI app is installed on a work laptop because it helps with notes, screenshots, PDFs, or writing.
  • A personal productivity tool adds AI features and starts handling business content inside a staff-owned account.
  • An AI tool asks for permission to read email, calendar, files, or contacts through a consent screen.
  • A staff member reads work mail on a personal phone where AI keyboards, mobile assistants, or operating-system AI features can process work content outside company management.

Some tools only receive whatever the staff member pastes into them. Others can read more through browser permissions, OAuth grants, connectors, or device access. Those technical differences matter, but the first problem is more basic: the business cannot produce a reliable list of the AI tools touching its work.

This is separate from the vendor-feature problem covered later in the guide. If a CRM, accounting platform, HR system, or document tool the business already pays for adds AI, the business at least knows the vendor relationship exists. Shadow AI is the situation where the business does not know the tool exists in the first place.

How it happens in a normal SMB

A small Alberta service business has one operations coordinator who quietly becomes the team's "AI person." She signs up for a chat-style AI writing workspace with her personal email because it is faster than asking for a new tool. She uses it to rewrite customer emails, summarize complaints, draft quotes, clean up job descriptions, and turn rough notes from the owner into polished client updates.

The tool works well, so the habit spreads informally. Other staff send her rough notes and ask her to "run it through AI." Over time, the account accumulates customer names, pricing language, internal service explanations, complaint history, draft HR material, and reusable prompts that make the business sound more professional.

The work is useful, and the employee is trying to help. The business has never given staff an approved AI path, so nobody treats the account as a system that needs to be owned, documented, or offboarded.

Then she resigns with two weeks' notice.

The owner asks IT to make sure her access is removed. IT disables Microsoft 365, payroll, and CRM, then collects the laptop. The AI account is absent from the offboarding checklist because the business never knew it existed. It is tied to her personal email, her personal phone, and her personal subscription.

Two weeks later, the replacement coordinator cannot recreate the same quote language, customer response templates, or job posting drafts. Staff keep saying, "She used AI for that." The owner asks which tool she used, and nobody knows for sure.

The former employee is cooperative at first, but she is now working somewhere else and still controls the AI account. The business asks her to delete anything related to company work, and she says she did. The business has no admin console, export function, logs, ownership transfer, or way to verify deletion.

By then, useful company work is sitting in a tool IT cannot administer: customer details, quote language, HR drafts, complaint summaries, and prompts the replacement now needs.

The failure path

In plain language, the failure path looks like this:

Case file Sequence 01 · Shadow AI

  1. Staff have a business need that AI can help with.

  2. The business has no approved AI path that is useful enough, clear enough, or fast enough.

  3. Staff choose a personal AI account, browser extension, desktop app, or mobile assistant.

  4. Business content, reusable prompts, templates, and informal process knowledge move into that tool.

  5. The tool sits outside company identity, procurement, vendor review, and offboarding.

  6. The employee leaves, the laptop is replaced, a client complains, or the owner asks what AI tools are in use.

  7. The business cannot recover, audit, delete, transfer, or terminate what it never controlled.

Company-managed tools give IT an administrative surface; personal AI accounts usually sit outside it. Conditional access, MFA, SSO, and identity-based offboarding cannot terminate a relationship the business never owned.

Three related paths deserve attention during discovery.

OAuth consent grants happen when staff sign into an AI tool using a company Microsoft or Google account and approve access to mail, files, calendar, or contacts. In that case, there may be a record in the admin console. Many SMBs review those grants only during a problem or a major rollout. In small tenants, an owner or administrator may also approve broader access than intended because the consent prompt is treated like a routine sign-in screen.

Browser AI extensions are often more powerful than they look. An extension that rewrites email tone or summarizes web pages may request permission to read or change content on every page the browser visits. That can include authenticated sessions in email, CRM, accounting, file storage, and banking sites. On managed devices, browser extension inventory and browser policy are often the cleanest way to find and control this path.

Personal phones create a separate gap. Many SMBs allow staff to read company email or Teams messages on personal devices. Mobile AI features, AI keyboards, and app-level assistants can process work content on phones outside company management. Without mobile device management, the business is mostly relying on policy and staff disclosure for that surface.

Business consequence

Shadow AI creates a business continuity problem and a data-control problem at the same time.

The continuity issue is familiar. A process quietly becomes dependent on a staff member's personal AI account. The useful prompts, examples, drafts, customer language, and formatting habits live in that account. The company systems hold only fragments of the workflow. When the employee leaves or changes devices, the business loses part of the process.

The data-control issue follows immediately. Customer names, complaint details, pricing language, HR drafts, and internal service notes may remain in saved chats, projects, memory features, or vendor systems. The business cannot inspect the account, preserve the history, export the useful work, transfer ownership, or confirm deletion through an administrative process.

That sounds like an internal cleanup problem until someone outside the business asks a direct question. A client, insurer, buyer, regulator, or lawyer may ask which AI tools handled company or customer information. An SMB with Shadow AI can list known vendors, while personal tools and unmanaged extensions remain outside the answer.

The consequences are practical:

  • Staff turnover breaks workflows that were never documented.
  • Useful prompts, templates, and customer-response patterns remain in personal accounts.
  • The business cannot verify deletion when company work was stored in a staff-owned AI account.
  • Vendor questionnaires may be wrong when signed.
  • Contractual representations about approved tools, subprocessors, or data handling may be challenged later.
  • Vendor terms for unknown AI tools have never been reviewed.
  • Offboarding is incomplete because staff-owned AI accounts stay alive after employment ends.
  • Insurance renewal or claim questions may become harder to answer where AI use was never inventoried.

Shadow AI also makes incident response weaker. If sensitive data is found in an unapproved tool, the first question is often, "Who else used this, and what else went into it?" With no sanctioned account, no admin console, and no central log, the business is left reconstructing the history from staff memory, browser history, endpoint telemetry, and whatever the vendor exposes to a personal account holder.

At that point, the business is investigating under pressure with weak evidence.

Controls that interrupt the failure path

The strongest control is a sanctioned AI tool list with an intake path staff will actually use.

A policy that only says "ask before using AI" will fail if staff have no approved option for common work. The business needs a short list of approved AI tools, company-managed accounts for those tools, a plain rule for what data may go into them, and a simple way to ask for a new tool or use case. Staff route around approval when the approved path is missing, slow, or disconnected from the work they are trying to do.

Start here

  • Maintain a sanctioned AI tool list and update it as tools are approved, paused, or retired.
  • Provide company-controlled accounts for approved AI tools.
  • Give staff a fast intake path for new tools and use cases, with a practical alternative when the answer is no.
  • Inventory installed AI applications on managed devices.
  • Inventory browser extensions and block unapproved AI extensions where browser policy supports it.

Add where needed

  • Use DNS or web filtering to restrict consumer-AI categories on managed devices when the business has decided those tools are out of bounds.
  • Use endpoint DLP where available to detect work content moving to unknown AI destinations.
  • Review OAuth grants in Microsoft 365, Google Workspace, and major SaaS platforms on a schedule.
  • Decide whether personal phones with work mail require mobile device management or a stricter device-access rule.

Identity controls still matter for tenant-integrated tools. Conditional access can restrict sign-in to sanctioned tools and approved devices. OAuth grant reviews can find AI apps that staff authorized under company accounts. For personal AI accounts in a personal browser session, the useful controls sit in endpoint, browser, network, mobile, procurement, and staff intake.

Procurement has to support the rule. If the approved route takes weeks for a basic writing or summarization use case, staff will route around it. Intake can be light for low-risk use and heavier when the tool wants connectors, broad permissions, sensitive data, or company-wide rollout.

With that path in place, staff have somewhere legitimate to go, and IT has specific surfaces to monitor.

Policy rule this creates

Rule 01 of 13

AI tools may only be used for business work after they are approved and listed on the sanctioned AI tool list. Staff may not sign up for AI tools using personal credentials for business purposes, install AI applications or browser extensions on work devices without approval, or authorize AI applications to access company mail, files, or accounts.

Common questions about shadow AI

The questions that come up most often when a business starts looking at how much AI is already in use.

What is shadow AI?

Shadow AI is the use of AI tools for business work without the business's approval, oversight, or control. Tools enter through staff action, often on personal accounts, browser extensions, or mobile apps, outside identity, procurement, and offboarding systems.

Why is shadow AI a risk if the tool itself is safe?

The risk in shadow AI is not the AI tool's safety record but the loss of business control over the account. A personal AI account sits outside the company's account systems, purchasing process, and vendor review. The business does not own the login, has no administrator view of what is in the account, cannot list the tool as one of its vendors, and cannot decide who has access. Even if the AI tool itself is safe to use, an account the business does not control is not the business's account.

What about Copilot in Microsoft 365 or AI features inside our CRM? Is that shadow AI?

Microsoft 365 Copilot and AI features inside your CRM are usually not shadow AI. The underlying software is already an approved vendor with a known relationship, so this sits in a different category: vendor AI features. The risk is also different. When AI is switched on inside a tool you already pay for, the vendor relationship and contract exist; what changes is what the vendor does with your data, whether the AI uses it to train or help other customers, and whether the on/off switch is in your hands. Treat vendor AI features as a vendor-management question: re-read the terms, decide whether to turn the feature on, and confirm what changed in how the vendor handles your data.

How do I find out which AI tools my staff are already using?

Start by asking your staff directly during a no-blame conversation. Most will tell you. Then have your IT person or MSP check three places: which AI apps signed in with your Microsoft 365 or Google accounts, what browser extensions are installed on work laptops, and what has been installed on company devices. No single check finds everything, but those three plus an honest conversation will surface most of it.

What should be on an approved AI tool list?

The approved AI tool list names each AI tool the business permits, who owns the account or contract, what business information may go into it, and what the tool is approved to do. It also names how staff request a new tool or use case, with a target response time so staff do not route around approval.

Do I really have to do something about this if nothing has gone wrong yet?

The cost of shadow AI usually arrives later, not the day it starts. A few months in, an employee leaves and takes the AI account, the customer-language templates, and the prompts that made the work go faster. A client, insurer, or buyer sends a vendor questionnaire asking which AI tools handle company data, and the business cannot answer it cleanly. A complaint or audit lands and the business is now reconstructing what AI did from memory and browser history. The work to get ahead of this is much smaller than the work to clean it up after it has surfaced.

What happens to our work when the staff member who uses AI leaves?

The work that lived inside the personal AI account leaves with the staff member. The reusable prompts, the customer-response templates, the phrasing that made client emails sound right, and the rough-to-final drafting habit all sit in an account tied to a personal email, a personal phone, and a personal subscription. The business has no admin console, no export function, and no way to transfer ownership. The replacement coordinator cannot rebuild from saved company files because saved files only hold the final outputs, not the working knowledge that produced them. The business can ask the former employee to delete company material, but it cannot verify that they did.

What if I just tell everyone to stop using AI?

Telling everyone to stop using AI rarely holds for long. Staff are using AI because the work it does for them is real, like cleaning up drafts, summarizing complaints, and turning rough notes into polished client updates. A blanket ban removes the visible AI without removing the work pressure that drove staff to use AI in the first place, so the tools move further out of sight: personal phones, home computers, accounts the business knows even less about. The stronger move is to give staff a short list of approved AI tools, company-managed accounts for those tools, and a fast path to ask for a new tool, so the legitimate AI option is at least as convenient as the unsanctioned one.

What's the smallest first step I can take this week?

The smallest first step is to pick one AI tool, give the team company-managed accounts for it, and tell them that is the approved path for now. Choose the use case that is already happening most often, like email drafting, document summarizing, or rough-to-polished writing, and choose the AI tool that fits it best. A company-managed account means the business pays for the subscription, controls the login, can add and remove team members, and can recover the account when someone leaves. The point of the first step is not to cover every AI use case in the business, but to give staff a legitimate option for the use case that drives the most informal AI activity today. Everything else can wait until that first path is working.

One of 13 rules for your AI usage policy

The rule above is one of 13 that make up a working AI Usage Policy. The SMB AI Policy Builder walks you through the full set of decisions and produces the policy, working documents, and a 90-day implementation plan.

Launching soon. Join the waitlist to be notified.

Get practical insights like this in your inbox

Occasional articles and updates on technology, risk, operations, and support.