Artificial Intelligence

Shadow AI: The Hidden Risk of Unauthorized Tools at Work

A new study reveals that most workers use unapproved AI, exposing sensitive company and client data.

June 15, 2026 · 3 min read


TL;DR: Shadow AI, the use of AI tools the employer has not approved, is now the norm: 75% of workers use such tools, and 46% have fed sensitive company or client information into public AI platforms. The exposure is data leakage and regulatory penalties; the remedy is clear policy plus sanctioned, secure alternatives rather than a blanket ban.

What happened?

According to a TechRadar report based on a study by cybersecurity firm Cyberhaven, 75% of workers use AI tools not approved by their companies. Furthermore, 46% have shared sensitive company or client information with these public AI systems. This phenomenon, dubbed 'Shadow AI,' represents a growing threat to corporate security. The study, conducted between January and March 2025, analyzed network traffic from over 10,000 employees across various industries, revealing widespread use of tools like ChatGPT, Google Gemini, and Microsoft Copilot without explicit IT department authorization.

Why is it important?

Shadow AI not only violates IT policy but also exposes companies to data breaches, regulatory non-compliance, and loss of intellectual property. Unlike traditional Shadow IT (e.g., using Dropbox without permission), a consumer AI service typically retains prompts in its logs and, unless the user has opted out, may use them to train future models, which multiplies the risk. For instance, if an employee pastes financial data into ChatGPT, that data may end up in a training set, beyond the company's control. According to Cyberhaven, the most commonly shared information types are customer data (20%), proprietary source code (15%), and strategic plans (11%). This is especially critical in regulated sectors such as healthcare, finance, and government, where regulations like GDPR (Europe), CCPA (California), and HIPAA (US) impose severe penalties: a breach can cost up to 4% of annual global turnover (or EUR 20 million, whichever is higher) under GDPR, up to $7,500 per intentional violation under CCPA, and HIPAA civil penalties are tiered per violation with annual caps in the millions of dollars. Beyond fines, Shadow AI erodes customer trust and competitive advantage: if a competitor obtains trade secrets through a public model, the damage cannot be undone.

What consequences will it have?

The consequences are manifold: penalties for violating regulations such as GDPR or CCPA, reputational damage, and lost competitive advantage. Companies will need to implement clear AI usage policies, monitoring tools, and mandatory training. A boom in 'Shadow AI Discovery' solutions that detect unauthorized use of these tools is also expected. Companies like Netskope, Zscaler, and Proofpoint already offer products that analyze network traffic to identify interactions with unapproved AI models, and Gartner predicts that by 2026, 60% of large enterprises will have adopted such solutions. Likewise, AI providers such as OpenAI and Google are launching enterprise versions with privacy guarantees (e.g., ChatGPT Enterprise, which by default does not train on customer data), but adoption remains low. The 'Shadow AI Discovery' market could reach $1.2 billion by 2028, according to MarketsandMarkets estimates. On the regulatory front, the European Union's AI Act introduces transparency obligations for AI use, pressuring companies to audit their data flows. In parallel, HR departments will need to update codes of conduct and provide ongoing training: an IBM study found that 84% of employees who use AI have received no clear guidelines from their employers.
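The discovery products mentioned above work, at their core, by matching outbound requests against a catalog of AI-service endpoints and subtracting whatever the organization has sanctioned. The following is an added example of that logic run over a few constructed web-proxy log lines; it is not code from the article or from any vendor named in it. The log format, the hostname catalog, the approved-service policy and the upload threshold are all assumptions made for illustration.

```python
"""Minimal Shadow AI discovery over web-proxy logs (added example).

Assumptions: a proxy log with one request per line in the constructed
format "<epoch> <user> <method> <url> <status> <bytes_sent>", a hand-made
catalog of AI-service domains, and a policy that sanctions one product.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed catalog: registrable domain -> product. A real deployment
# would load this from a maintained feed rather than hard-code it.
AI_SERVICES = {
    "openai.com": "OpenAI API",
    "chatgpt.com": "ChatGPT",
    "gemini.google.com": "Google Gemini",
    "copilot.microsoft.com": "Microsoft Copilot",
    "claude.ai": "Claude",
}

# Assumed corporate policy: only these products are sanctioned.
APPROVED_SERVICES = {"Microsoft Copilot"}

LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes_sent>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rec["bytes_sent"] = int(rec["bytes_sent"])
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def classify_host(host):
    """Map a hostname to a catalog entry by walking whole-label suffixes.

    'api.openai.com' matches 'openai.com'; 'openai.com.evil.test' does not,
    because only suffixes on label boundaries are tried.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in AI_SERVICES:
            return AI_SERVICES[candidate]
    return None


def audit(lines, approved=APPROVED_SERVICES):
    """Aggregate traffic to unapproved AI services per user.

    Returns {user: {service: {"requests": n, "bytes_sent": b}}}. Request
    body size on POST/PUT is the closest a proxy log gets to "data shared";
    the content itself is not visible here.
    """
    findings = defaultdict(
        lambda: defaultdict(lambda: {"requests": 0, "bytes_sent": 0})
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the audit
        service = classify_host(rec["host"])
        if service is None or service in approved:
            continue
        entry = findings[rec["user"]][service]
        entry["requests"] += 1
        if rec["method"] in ("POST", "PUT"):
            entry["bytes_sent"] += rec["bytes_sent"]
    return {user: dict(services) for user, services in findings.items()}


def flag_users(findings, upload_threshold=50_000):
    """Users whose uploads to unapproved AI services exceed the threshold."""
    return sorted(
        user for user, services in findings.items()
        if sum(e["bytes_sent"] for e in services.values()) > upload_threshold
    )


# Constructed sample log; none of this is real traffic.
SAMPLE_LOG = [
    "1718409600 alice POST https://chatgpt.com/backend-api/conversation 200 84213",
    "1718409660 alice GET https://chatgpt.com/ 200 0",
    "1718409720 bob GET https://copilot.microsoft.com/ 200 0",
    "1718409780 bob POST https://copilot.microsoft.com/c/api/conversations 200 2048",
    "1718409840 carol POST https://api.openai.com/v1/chat/completions 200 1200",
    "1718409900 dave GET https://openai.com.evil.test/login 200 0",
    "1718409960 erin POST https://gemini.google.com/app 200 640",
    "this line is malformed and must be skipped",
]

if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for user, services in sorted(result.items()):
        for service, e in services.items():
            print(f"{user:6} {service:18} requests={e['requests']} bytes_sent={e['bytes_sent']}")
    print("flagged for large uploads:", flag_users(result))
```

Two caveats a practitioner will hit immediately. First, the consumer and enterprise tiers of the same product (ChatGPT and ChatGPT Enterprise, for instance) share hostnames, so a hostname allowlist cannot tell sanctioned use from unsanctioned use; that separation needs tenant restrictions enforced at the proxy or an identity-aware gateway. Second, request paths and body sizes are only visible with TLS inspection; a DNS-only log still reveals which users touch which services, but not how much they send.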

What should readers know?

If you are an employee, avoid sharing confidential data on public AI platforms. Deleting your chat history does not undo the sharing: the provider may already have logged the prompt, and anything used for training cannot be withdrawn. Always use tools approved by your company, or ask for secure alternatives. If you are a manager, educate your team about the risks and provide those alternatives, such as self-hosted instances of open-weight models (e.g., Llama 2 or Mistral) or subscriptions to the enterprise versions of ChatGPT or Copilot. The key is not to ban AI but to integrate it in a controlled manner. Shadow AI is a sign that demand for AI tools outstrips corporate supply, and companies must adapt quickly. A proactive approach includes regular AI usage audits, an AI governance committee, and a culture of transparency in which employees report their technology needs instead of working around IT. Success stories: companies like Accenture and PwC have implemented 'AI sandboxes' where employees can experiment with approved tools without risk. In contrast, the 2023 Samsung case, where engineers leaked source code to ChatGPT, shows the danger of inaction. Shadow AI is not a passing phenomenon: it is a symptom of digital transformation that organizations must manage urgently.
