Adoption and use of unsanctioned AI tools comes with the heightened risk of data loss and exposure, inaccurate output and compliance gaps.
Most organizations are familiar with shadow IT. Shadow AI poses a much greater threat.
Shadow AI is the adoption and use of AI tools without the knowledge or oversight of the IT department. It’s more common than organizations might think. In a 2024 Microsoft study, 75 percent of knowledge workers said they used AI, and 78 percent of those said they were “bringing their own AI tools to work.”
Often, workers are using publicly available tools such as ChatGPT to draft documents, generate charts and jumpstart creativity. However, shadow AI is also entering the workplace in other, more insidious ways. AI is increasingly embedded in cloud-based software in the form of bots, coding assistants, meeting transcription tools and other features.
AI agents are also proliferating across organizations. The autonomous tools interact with applications and data, make decisions, and carry out an array of tasks. Humans may have little insight into what these agents are doing.
When Private Data Becomes Public
AI is transforming organizations in virtually every industry by enabling unprecedented levels of productivity. In the Microsoft study, 90 percent of users said AI helps them save time, while 85 percent said it enables them to focus on their most important tasks. However, AI also comes with significant risks and shadow AI ups the ante.
If users enter sensitive information into public AI tools, that data can be subsumed into the model’s training data and later exposed as part of the model’s output. Unsanctioned tools are especially risky due to weak security controls and the lack of IT oversight. Malicious actors are aggressively targeting public AI systems for the sensitive data they contain with sophisticated attacks designed to bypass any security guardrails developers built into the model.
Even if sensitive data doesn’t become part of the AI model, organizations in highly regulated industries could face substantial penalties if that data is simply entered into publicly available tools. These rules hold organizations accountable for their data processing and management practices, even if activities are unauthorized.
New AI Features and Rogue Agents
AI tools embedded in cloud-based applications create additional threats. The IT team may not approve or even be aware of these tools, even if use of the application is authorized. Security tools such as cloud access security brokers (CASBs) can detect unauthorized usage of tools such as ChatGPT but cannot identify AI features in otherwise sanctioned apps.
Rogue AI agents are even more difficult to detect. Organizations are deploying these in growing numbers and adopting protocols that enable them to easily access applications and data. However, these protocols can be exploited despite built-in security controls. Because AI agents act autonomously without human oversight, a hijacked agent could cause serious damage.
Some organizations have responded to these threats by banning the use of AI-powered tools. However, outright bans only tend to drive shadow AI further into the shadows. They also limit the organization’s ability to take advantage of AI’s benefits.
Strategies for Combatting Shadow AI
A better approach is to balance irrational exuberance with outright prohibition. Organizations should take a strategic approach to AI adoption and define policies and procedures for the safe, secure and ethical use of AI. User training can also go a long way toward preventing unauthorized use of AI applications and features.
Organizations should also assume that shadow AI is already lurking in their environments. They should conduct a formal audit using CASBs, network monitoring and other tools to detect shadow AI usage. They should then develop a continuous monitoring program to identify new shadow AI apps and ensure compliance.
The audit can help organizations fine-tune their AI policies and training programs and identify any gaps in their AI toolsets. Employees generally adopt AI tools to help make their jobs easier. By understanding what shadow AI tools employees are using and why, organizations can determine if new AI tools would provide business benefits.
Stopping Unauthorized Behavior
Organizations should use data loss prevention (DLP) tools to ensure that sensitive data is not entered into sanctioned apps with AI features. DLP tools look for specific types of data based on predefined policies and can take various actions when they detect unauthorized activity. For example, the DLP tool could display a warning or block the user from entering the data.
To detect rogue AI agents, organizations need tools that monitor the resources agents typically access and identify deviations from expected behavior. These tools establish baselines of what “normal” behavior looks like and then flag deviations such as accessing large volumes of data or operating at unexpected times.
Clearly, organizations need a comprehensive approach to detect and address shadow AI. A qualified managed services provider with expertise in AI can help organizations develop the right strategy and implement tools to prevent data loss and exposure and compliance violations.
