Shadow AI
Governance & Compliance
Definition
The unsanctioned use of AI tools, models, and APIs by employees without IT or security oversight, creating data exposure, IP leakage, compliance violations, and governance blind spots.
Technical Details
Shadow AI parallels the earlier shadow IT problem but carries higher risk, because sensitive data sent to external AI APIs may be used for model training. Organizations must audit network traffic for unauthorized AI API calls, establish an approved AI tool catalog, implement data classification policies for AI inputs, and deploy DLP controls at egress points.
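As an added example (not part of the original entry), the following audit walks egress proxy records, flags requests to AI endpoints that are not in the approved tool catalog, and marks large POST bodies that look like bulk pastes or uploads. The log format, hostnames, detection patterns and size threshold are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Approved AI tool catalog (assumed for this example): hosts vetted by security and
# covered by a data processing agreement. Other AI endpoints are reported as shadow AI.
APPROVED_AI_HOSTS = frozenset({"assistant.approved-vendor.example"})
# Heuristics for "this host is an AI service" (constructed; a real deployment would feed
# this from a CASB / URL-category source rather than hand-written regexes).
AI_HOST_PATTERNS = [
    re.compile(r"(^|\.)approved-vendor\.example$"),
    re.compile(r"(^|\.)(api\.)?(chat|ai|llm|gpt|copilot)[-.]", re.I),
]
# Egress proxy record, constructed format: "<ts> <client_ip> <method> <host> <bytes_out>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>[\w.-]+) (?P<bytes_out>\d+)$")
UPLOAD_THRESHOLD = 50_000  # request body size that suggests a bulk paste or file upload

@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    host: str
    method: str
    bytes_out: int
    bulk_upload: bool  # large POST to an unsanctioned AI host: likely data leaving via paste/upload

def is_ai_host(host: str) -> bool:
    return any(p.search(host) for p in AI_HOST_PATTERNS)

def audit(lines, approved=APPROVED_AI_HOSTS):
    """Return one Finding per request to an AI endpoint outside the approved catalog."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed record: skipped, but never treated as safe
        host = m["host"].lower()
        if is_ai_host(host) and host not in approved:
            sent = int(m["bytes_out"])
            bulk = m["method"] == "POST" and sent >= UPLOAD_THRESHOLD
            findings.append(Finding(m["ts"], m["client"], host, m["method"], sent, bulk))
    return findings

# Constructed sample records: a sanctioned tool, an unsanctioned chatbot receiving a large
# POST (the "paste source code into a chatbot" case), a small unsanctioned GET, a non-AI site.
SAMPLE_LOG = [
    "2024-01-10T09:01:02Z 10.0.4.21 POST assistant.approved-vendor.example 81234",
    "2024-01-10T09:03:40Z 10.0.4.37 POST chat.public-llm.example 143872",
    "2024-01-10T09:04:11Z 10.0.4.37 GET api.gpt-helper.example 412",
    "2024-01-10T09:05:59Z 10.0.4.52 GET docs.internal.example 2048",
]
```

Running `audit(SAMPLE_LOG)` yields two findings for client 10.0.4.37, the first marked as a bulk upload; the sanctioned assistant and the internal docs site produce none.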
Practical Usage
Employees routinely paste source code, customer data, or confidential strategies into public AI chatbots to boost productivity. Security and governance teams must balance productivity benefits with data protection requirements through policy, training, and technical controls rather than outright prohibition.
Examples
- A developer pastes proprietary source code into ChatGPT to debug a function, violating IP protection policies.
- A finance analyst uploads client financial data to an AI spreadsheet assistant not covered by a data processing agreement.
- HR staff use an unapproved AI tool to screen resumes, introducing algorithmic bias and EEOC compliance risk.