The unsanctioned use of generative AI services creates new security and compliance risks.
Cloud applications and services make it easy for users to explore new ways to do their jobs with improved speed, flexibility and efficiency. Unfortunately, they also make it easy to circumvent IT authorization, significantly increasing the risk of data loss and compliance violations.
Various surveys show that shadow IT — the practice of adopting and using cloud-based applications or services without IT’s knowledge or permission — is commonplace. According to data from Zylo, 83 percent of Software-as-a-Service (SaaS) is purchased outside IT control. An IDC study found that more than 60 percent of IT budgets sit outside the IT department.
There typically isn’t any malicious intent — many users say they aren’t even aware they are dodging the rules. They just know that these services provide a hassle-free way to collaborate, share files and perform other routine tasks. And now, many users are taking advantage of generative AI tools without informing IT. Shadow AI creates a new set of risks.
Understanding the Shadow IT Risk
The use of unsanctioned services puts the IT team in a tough spot. If IT doesn’t know an application is being used, that app can’t be monitored, secured and controlled. Security policies can’t be applied, and activity can’t be tracked or analyzed. This not only increases the risk of data leakage but makes regulatory compliance very difficult. IT organizations can’t pass security audits if they don’t know what data is being accessed and shared.
Unmanaged file-sharing services are particularly problematic. Employees routinely use cloud-based services such as Dropbox and Google Drive in violation of IT policy. Because these tools were designed for efficiency and ease of use, they lack robust security and monitoring features. Industry analysts say data leakage and loss from consumer-grade file sharing is as significant a risk as data theft.
Inadequate access controls are another problem. Without IT oversight, users can set lax permissions, easily giving third parties access to sensitive information.
Uncovering the Shadow AI Threat
Like shadow IT, shadow AI often stems from good intentions. Users adopt gen AI tools to become more efficient and make better decisions. However, gen AI comes with serious security, privacy and compliance risks if it is not properly managed and controlled. For example, a user might enter notes from a meeting about a secret project into an AI chatbot to get a quick summary. The operator of the gen AI tool can incorporate that information into the model’s training data, potentially exposing intellectual property.
How prevalent is the problem? One study estimates that 28 percent of employees use gen AI without company oversight. A 2024 Tech.co study found that just 4 percent of organizations have established firm guidelines for gen AI use.
Some organizations have banned gen AI due to security and privacy risks. However, AI is being incorporated into a range of applications to personalize the user experience and provide predictive analytics. Furthermore, banning shadow IT applications in the corporate environment won’t prevent users from accessing them via personal devices. Organizations need a multipronged approach that incorporates detection tools, training and, above all, communication.
Gaining Control
One way to avoid these issues is to implement enterprise-class alternatives to popular shadow IT tools. Many organizations take advantage of Microsoft 365, which includes SharePoint for content and workflow management and OneDrive for file sync and share. They can also utilize Microsoft Teams for collaboration and Microsoft Copilot for gen AI. Unlike free consumer-grade services, these solutions offer significant security improvements, including access controls, encryption, policy management and more. Security awareness training programs should cover the risks of shadow IT and educate employees on the need to use approved solutions.
Organizations can gain visibility into shadow IT with cloud access security brokers (CASBs), which typically include a shadow IT detection tool. Data loss prevention (DLP) platforms can prevent unauthorized users from downloading or copying data to cloud apps. They can also inspect communications to ensure that confidential data is not transmitted via e-mail, chat or social networking sites.
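A minimal version of the shadow IT discovery that a CASB performs, written here as an added example (not the article’s or any vendor’s code): web-proxy log entries are classified against a list of sanctioned services, and unsanctioned file-sharing and gen AI traffic is aggregated per user, with the bytes sent on upload requests as the data-leakage indicator. The proxy log format, the gen AI hostnames and the sample log lines are constructed for this example.

```python
import re
from collections import defaultdict

# Sanctioned services: the Microsoft 365 family named in the article.
SANCTIONED = {"sharepoint.com", "onedrive.com", "teams.microsoft.com", "copilot.microsoft.com"}
# Unsanctioned categories to surface; the gen-AI hosts are constructed placeholders, not real vendors.
CATEGORIES = {"file-sharing": {"dropbox.com", "drive.google.com"},
              "gen-ai": {"chat.genai-example.test", "api.genai-example.test"}}
# Assumed proxy log format: "<timestamp> <user> <method> <host> <bytes_out>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
                      r"(?P<host>\S+) (?P<bytes_out>\d+)$")

def parent_domains(host):
    """Yield the host and each parent domain above it, stopping before the TLD."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts) - 1):
        yield ".".join(parts[i:])

def classify(host):
    """Return 'sanctioned', a shadow category name, or 'unknown'."""
    for domain in parent_domains(host):
        if domain in SANCTIONED:
            return "sanctioned"
        for category, domains in CATEGORIES.items():
            if domain in domains:
                return category
    return "unknown"

def discover(lines):
    """Per (user, category): requests, uploads and bytes sent on POST/PUT uploads."""
    report = defaultdict(lambda: {"requests": 0, "uploads": 0, "bytes_out": 0})
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                    # malformed line: skip it, do not crash
        category = classify(m["host"])
        if category in ("sanctioned", "unknown"):
            continue
        entry = report[(m["user"], category)]
        entry["requests"] += 1
        if m["method"] in ("POST", "PUT"):
            entry["uploads"] += 1
            entry["bytes_out"] += int(m["bytes_out"])
    return dict(report)

# Constructed sample proxy log, not real traffic.
SAMPLE_LOG = """\
2024-05-06T09:01:02Z alice POST www.dropbox.com 5242880
2024-05-06T09:05:44Z bob POST chat.genai-example.test 18230
2024-05-06T09:06:01Z bob POST chat.genai-example.test 22410
2024-05-06T09:10:33Z carol GET drive.google.com 512
""".splitlines()
```

Running `discover(SAMPLE_LOG)` surfaces alice’s 5 MB Dropbox upload and bob’s two uploads to the gen AI chatbot, while carol’s read-only visit to Google Drive is counted as a request with zero bytes uploaded.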
The unmanaged use of cloud services creates significant risk, but it isn’t an insurmountable problem. There are simple steps organizations can take to reduce the spread of shadow IT, limiting the chance of data exposure and boosting regulatory compliance.