
Shadow AI

The unsanctioned use of generative AI services (ChatGPT, Claude, Gemini, Copilot & co.) in day-to-day work.

Shadow AI refers to AI tools that employees use day-to-day even though they have not been formally approved by the IT department. The term is modelled on Shadow IT, the broader category of software in production use but outside IT’s knowledge or control. It crops up most often with SaaS products, where signing up and getting started takes minutes. The result is usually a de facto status quo that has bypassed procurement and compliance review entirely.

Why Shadow AI is risky

The moment you paste source code, customer data, or internal research into a public AI model, that information leaves your organization’s control. Depending on the model’s terms, it can be logged, used to train future models, or routed through other jurisdictions (e.g. USA, China). Under nFADP or GDPR obligations, that counts as disclosure to a third party, not just an internal privacy matter.

What current research shows

Verizon’s Data Breach Investigations Report 2026 provides a useful snapshot of Shadow AI today:

  • 45% of employees are now regular AI users on their corporate devices, up from 15% in the previous year’s report.
  • 67% of that access happens through personal, non-corporate accounts.
  • In 2025, Shadow AI became the third most common non-malicious insider action in DLP data, a fourfold increase over 2024.
  • Source code was the data type most often uploaded, followed by images and other structured data; in 3.2% of DLP events, research and technical documentation turned up in unauthorized AI systems.

IBM’s Cost of a Data Breach Report 2025 fills in the cost side: 20% of the breaches studied were traced back to a Shadow AI incident. Organizations with high levels of Shadow AI usage saw on average USD 670,000 in higher breach costs than those with little or no Shadow AI, and 63% of breached organizations either had no AI governance policy or were still developing one.

Sources