What is shadow AI? The hidden risk in your tech stack

What happens when employees use unapproved AI tools (and how to respond)

Most companies have an AI problem they don't fully see. Yet. It's not about whether employees are using AI tools, because they certainly are. The real question is where company data ends up when they do.

Every time someone pastes customer segments into ChatGPT or uploads usage data to Claude, company data flows into systems that your IT department has never evaluated and security has never approved. One Kiteworks study found that 93% of employees have shared confidential company data through unauthorized AI tools, and that about 8.5% of prompts to AI tools contain sensitive data.

This is shadow AI. And it spreads faster than most organizations realize.

This article looks at what shadow AI actually looks like, why employees turn to it, and how to address it through governance-based enablement rather than bans.

What is shadow AI?

Shadow AI is the use of AI tools without formal approval or oversight from IT. Employees typically turn to these tools to work faster or keep pace with company-wide AI initiatives. But unvetted AI tools can create real risks like data exposure, compliance gaps, and security vulnerabilities that traditional security controls can't catch.

Common examples of shadow AI include:

  • Pasting data into public AI chatbots like ChatGPT and Google Gemini, which tend to be the most frequently accessed unauthorized AI tools in enterprise environments

  • Logging into enterprise tools with personal accounts, where employees access tools like Microsoft Copilot through personal credentials on work devices, bypassing enterprise licensing and security controls

  • Building department-level AI solutions, where business units spin up their own tools using commercial LLMs without ever looping in IT, creating ungoverned pockets across the organization

  • Using browser plugins and embedded AI features for code generation, data analysis, and content creation, including AI capabilities quietly baked into otherwise approved software

Shadow AI can expose company data in ways the organization can't see or control, leaving security teams unable to track where company data ends up or who has access to it.

Why shadow AI is harmful to companies

Shadow AI can create real problems for organizations, even when employees are just trying to work faster and the tools genuinely help them get things done.

It exposes sensitive data at scale

When employees paste information into public AI tools, that data flows to external servers outside your control. A significant portion of employees have entered confidential client data or private internal company information into unapproved AI platforms, often without realizing the implications.

This played out publicly in April 2023, when Samsung Electronics employees leaked sensitive corporate data to ChatGPT in multiple incidents, including cases where proprietary source code and internal meeting notes were pasted into the public AI system.

Employees likely had no idea that their prompts could become training data for future models, which is what makes shadow AI so hard to catch.

It creates compliance violations

Shadow AI bypasses the frameworks organizations rely on to stay compliant. Employees skip data classification procedures, circumvent data loss prevention controls, and avoid security reviews, all while organizations face GDPR, CCPA, and emerging AI-specific regulations that demand documented practices for how you handle data, get consent, and secure systems.

Think about what happens when a marketing team member opens ChatGPT and pastes in last quarter's customer segments, including names, emails, and purchase history, to get help drafting email copy. Three minutes later, they've got their draft. But they've also bypassed every data handling procedure your compliance team spent months building, with no record of it ever happening.

When a breach like this surfaces, you can't demonstrate the due diligence that regulations demand.

It increases breach costs

Traditional security tools weren't built with shadow AI in mind, which means breaches often go undetected for extended periods. Shadow AI can make detecting and investigating incidents within regulatory reporting windows like GDPR's 72-hour requirement a lot harder, and you may lack the forensic evidence needed for effective incident response.

To put this in perspective, IBM's 2025 Cost of a Data Breach Report puts the average global breach in the multi-million-dollar range, with AI-related breaches costing more on average. While the report discusses shadow AI as a risk factor, these figures give you a sense of the financial exposure that uncontrolled AI usage can create.

The longer the exposure continues undetected, the more data leaks and the higher the remediation costs climb. Organizations often discover shadow AI breaches only after there's been significant damage, which is why early detection and prevention matter so much.

How to solve the shadow AI problem

Given these risks, the instinct to simply ban AI tools is understandable. Samsung tried exactly that after their leak, imposing an enterprise-wide prohibition on ChatGPT. But the thing with prohibition is that it doesn't really work.

According to UpGuard research, nearly 90% of security professionals use unapproved AI tools in their jobs. So the better alternative to banning AI tools is shifting from control to enablement, which means giving people sanctioned alternatives while maintaining the governance and security your organization needs.

Establish cross-functional oversight

Effective AI governance means getting privacy, security, and legal teams working together rather than in silos. Privacy teams lead on what data can flow into AI inputs and establish anonymization requirements. Security teams extend threat modeling to address AI-specific risks and maintain approved vendor lists. Legal teams assess intellectual property exposure and liability for AI-generated content used in business decisions.

In practice, this often looks like a dedicated AI governance committee that meets regularly to evaluate new tools and update policies. When a department wants to adopt a new AI tool, the committee reviews it against established criteria before approval, rather than discovering the tool months later through a security audit.

Organizations that establish this kind of oversight catch shadow AI earlier and can respond with sanctioned alternatives rather than reactive bans. They also build the institutional knowledge needed to evaluate AI tools quickly, which means employees wait days for approval instead of months.

Deploy alternatives that people want to use

If your approved alternative is harder to use than ChatGPT, employees will keep using ChatGPT. Your sanctioned tools need to be genuinely better for their workflows, not just compliant. This means tools that deliver immediate value without weeks of training, and that integrate naturally into how people already work.

Data analysis is one area where this matters most, since employees frequently paste sensitive company data into ChatGPT to get quick answers. This is where AI-assisted data platforms like Hex come in. Instead of copying data into ChatGPT, business users can use Threads while data scientists can use the Notebook Agent to query company data in natural language. A marketing analyst can ask, "Which customer segments have the highest churn risk?" and the AI generates SQL against your warehouse using your team's established metric definitions, all without data ever leaving your governed environment.

Hex connects directly to your data warehouse with proper access controls, SSO/SAML authentication, and audit logs, keeping everything secure. Your data team maintains full visibility into who's querying what, while business users get the speed they were seeking from public tools without the compliance risk.

For example, Workrise's data team consolidated to Hex specifically because they wanted a more secure environment while eliminating the tool fatigue that generally drives shadow AI adoption.

Implement technical controls

Beyond providing alternatives, you need visibility into what AI tools people are actually using and what data they're sharing. Cloud Access Security Brokers give IT visibility and policy enforcement across cloud applications. Data Loss Prevention tools flag sensitive data uploads to AI domains. End-user security software can detect suspicious activity patterns.

Consider what this looks like in practice: when an employee tries to paste customer PII into an unapproved AI tool, the DLP system flags it in real time. IT can then reach out with guidance and point them toward sanctioned alternatives, rather than discovering the behavior months later during an audit.

The goal isn't surveillance for its own sake. It's understanding what people are trying to accomplish so you can provide governed ways to accomplish it. When you know that dozens of employees are using ChatGPT for data analysis, you can prioritize deploying a secure alternative for that specific use case.
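
To make the two controls above concrete, here is an added example (not from Hex or any DLP vendor) that flags sensitive data sent to unsanctioned AI domains and counts usage per tool. The domain lists, the hypothetical host ai.internal.example, and the (user, host, body) event format are assumptions; the sample events are constructed.

```python
import re
from collections import Counter

# Assumed lists for this example; a real deployment takes them from the CASB.
AI_DOMAINS = {"chatgpt.com", "gemini.google.com", "claude.ai", "ai.internal.example"}
SANCTIONED = {"ai.internal.example"}
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Checksum test that separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(body: str) -> set:
    """Return the sensitive data types found in an outbound request body."""
    found = set()
    if EMAIL.search(body):
        found.add("email")
    for m in CARD.finditer(body):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.add("card_number")
    return found

def review(events):
    """events: (user, host, body) tuples from a TLS-inspecting proxy (assumed format)."""
    alerts, usage = [], Counter()
    for user, host, body in events:
        if host not in AI_DOMAINS or host in SANCTIONED:
            continue
        usage[host] += 1            # visibility: which unsanctioned tools are in use
        kinds = classify(body)
        if kinds:                   # DLP: sensitive data headed to one of them
            alerts.append((user, host, sorted(kinds)))
    return alerts, usage

# Constructed sample events, not real traffic.
SAMPLE = [
    ("amy", "chatgpt.com", "Draft copy for jo.lee@example.com, card 4111 1111 1111 1111"),
    ("raj", "chatgpt.com", "Summarise order 1234567890123456 status"),
    ("amy", "ai.internal.example", "Churn for jo.lee@example.com?"),
    ("kim", "claude.ai", "Explain window functions in SQL"),
]
ALERTS, USAGE = review(SAMPLE)
```

The Luhn check keeps the 16-digit order number from raising a false card alert, and the usage counter shows which unsanctioned tools to replace first.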

Close the training gap

Many organizations have AI use policies, but most employees receive no training on safe AI practices. Training should cover not just what's prohibited and why it matters, but more importantly, what sanctioned alternatives exist and how to use them effectively.

Effective training goes beyond annual compliance modules that employees forget within weeks. The best programs embed guidance directly into workflows through just-in-time prompts and contextual reminders. As an employee is about to paste something into an AI tool, they see a reminder about what data types require governed tools.

When employees understand both the risks and the alternatives, they're far more likely to make good choices on their own. They learn to recognize sensitive data types like customer PII, financial records, and proprietary code, and they know exactly where to go when a task demands a governed tool rather than a public AI chatbot.

The path forward

Shadow AI spreads because employees face a real gap between what they need to get work done and what their organization provides. Banning tools doesn't close that gap. The solution is governance-based enablement: giving people sanctioned alternatives that are genuinely better than what they'd find on their own, while maintaining the visibility and controls your security team requires.

One of the highest-risk areas for shadow AI is data analysis, where employees routinely paste sensitive company information into ChatGPT just to get quick answers. This is where Hex comes in. Hex is an AI-assisted platform where data teams and business users work side-by-side in a secure, governed environment. Instead of copying data into external tools, business users can query your data warehouse directly using natural language through Threads and the Notebook Agent. The AI generates SQL using your team's established metric definitions, so everyone works with the same numbers and the same security posture.

The difference from public AI tools comes down to control. Hex connects directly to your data warehouse with proper access controls, SSO/SAML authentication, and audit logs. Your data stays within your governed environment, and your data team maintains full visibility into who's accessing what.

If shadow AI is spreading through your organization, start by understanding why people turned to it. Then give them something better.

You can sign up for Hex to explore how governed AI assistance works in practice, or request a demo to see how it fits your specific data stack and governance needs.

We care about security at Hex, and love working with customers and team members who take it as seriously as we do. Reach out if you fall into either category - we would love to talk.