Back to Insights

    20 May 2026

    What Is Shadow AI and Why Should Your Board Care?

    Only 24% of businesses using or considering AI have processes in place to manage AI risks (UK Cyber Security Breaches Survey, 2025). Shadow AI is the risk they can't see.

    SH

    Sam Hawkins

    Syntra Automate

    Right now, somewhere in your organisation, an employee is pasting confidential client data into an AI chatbot.

    Another is using an AI-powered browser extension to summarise internal documents. Someone in finance has installed an AI add-in for their spreadsheets. Your legal team is drafting contracts with AI assistance and not telling anyone.

    None of these tools were approved by IT. None were reviewed by compliance. None appear on any risk register.

    This is shadow AI. And it is almost certainly happening in your business.

    What is shadow AI?

    Shadow AI is the use of artificial intelligence tools by employees without the knowledge, approval, or oversight of IT, compliance, or senior management. It is the AI equivalent of shadow IT — but with significantly higher stakes.

    Shadow IT gave us employees using personal Dropbox accounts for work files. Shadow AI gives us employees feeding sensitive business data into third-party AI models with no control over where that data goes or who can access it.

    The scale of the problem

    According to the UK Cyber Security Breaches Survey 2025, only 24% of businesses using or considering AI reported having processes in place to manage AI risks. The overwhelming majority of UK organisations are operating without a framework.

    AI tools are being adopted faster than the policies needed to manage them. The gap between adoption and governance is where shadow AI thrives.

    What shadow AI looks like in practice

    Shadow AI does not look like rogue employees deliberately circumventing security. It looks like well-intentioned people trying to do their jobs better.

    Customer-facing teams paste client enquiries or personal data into ChatGPT to draft responses faster. The data leaves your control entirely.

    HR teams use AI-powered screening tools found online. These may be making high-risk decisions without anyone in compliance being aware.

    Finance teams install AI spreadsheet add-ins that process financial data through external servers with unreviewed data processing terms.

    Legal teams draft or review documents with AI, then present output as their own work. AI-generated legal text can contain hallucinations — fabricated case references or subtly wrong interpretations.

    Sales teams upload client lists and pricing data into AI tools for proposals. Proprietary commercial information now sits on a third-party server.

    Why it happens

    The tools are freely available, require no technical expertise, and deliver immediate productivity gains. An employee who discovers that ChatGPT can draft a client email in 30 seconds is not going to stop because there is no policy. They will keep using it — and tell their colleagues.

    Employees are not trying to create risk. They are trying to work efficiently. The problem is the absence of a framework that channels that intent safely.

    The risks your board needs to understand

    Data leakage. Data entered into third-party AI tools may be used to train future models, stored in jurisdictions with weaker protections, or accessed by the provider's staff. Once entered, control is lost.

    GDPR breaches. Personal data entered into AI tools without safeguards may breach the UK GDPR. There is no exemption for "we didn't know our staff were doing it."

    Intellectual property exposure. In 2023, Samsung engineers reportedly leaked proprietary source code by entering it into ChatGPT on multiple occasions. Samsung subsequently banned generative AI on company devices. The damage was already done.

    Regulatory non-compliance. AI systems used for high-risk purposes — recruitment screening, credit decisions, performance management — carry obligations under the EU AI Act (Regulation (EU) 2024/1689). If compliance does not know these tools exist, you cannot comply.

    Hallucinated outputs in decisions. AI can produce convincing but fabricated information. If employees use unverified AI outputs in business decisions or regulatory submissions, the consequences can be severe.

    Why this is a board-level issue

    Many organisations treat AI risk as an IT concern. This is a mistake.

    Regulatory liability sits with the data controller — the organisation and its directors. The EU AI Act's fines reach up to EUR 35 million or 7% of worldwide annual turnover. UK regulators, including the ICO and FCA, are increasingly scrutinising AI use.

    When a regulator asks your board what AI systems the organisation uses and how they are governed, "we didn't know" is not an acceptable answer. It is an admission of governance failure.

    What to do about it

    Addressing shadow AI does not require banning AI tools — that will fail. You need a structured approach that acknowledges AI's productivity benefits while managing the risks.

    Conduct a shadow AI survey. Ask every department what AI tools they use. Make clear this is not disciplinary — it is fact-finding. You need an honest picture before you can govern.

    Develop an AI usage policy. Set out which tools are approved, what data can be entered, and what oversight is required. Keep the language plain. A policy nobody reads is worse than no policy.

    Establish an approved tools list. Evaluate tools against data protection, security, and regulatory requirements. Give people good options and they will not go looking for unsanctioned ones.

    Invest in staff training. Ensure everyone understands the risks of entering sensitive data into AI tools and the importance of verifying outputs. This must be ongoing, not a one-off exercise.

    The connection to EU AI Act compliance

    You cannot comply with AI regulations if you do not know what AI systems your organisation uses. The EU AI Act requires organisations to identify and classify their AI systems, implement risk management for high-risk systems, maintain documentation, and ensure human oversight. Every one of these obligations assumes visibility of your AI estate.

    Shadow AI makes that impossible. It is the blind spot that undermines every other compliance effort.

    The bottom line

    Shadow AI is not a future risk. It is a current reality. The question is whether your board knows about it — or whether you are among the roughly three quarters of organisations operating without any AI governance at all (UK Cyber Security Breaches Survey, 2025).

    The businesses that address shadow AI now will be ready when the regulator comes calling.

    Want to know where your business stands?

    Request a free AI audit. Personally reviewed, delivered to your inbox within 5 business days.

    Get a free AI audit