Shadow AI: Executive Briefing on Real Risks, Business Impact and Mitigation 

Shadow AI is here, and it’s growing

Shadow AI is the use of artificial intelligence tools and platforms outside the oversight of IT, security, or compliance teams. This is not a hypothetical concern. KPMG’s 2025 global survey found that up to 58% of employees are using AI productivity tools daily, and nearly half admit to uploading sensitive company information to unauthorised platforms. Only 41% of employees say their organisation has a policy guiding the use of generative AI, revealing a significant governance gap. 

The Risks Are Real and Substantial 

The evidence from leading analysts and recent incidents is clear: shadow AI is already impacting organisations. 

• Data Leakage and Loss of Control: IBM’s 2024 Cost of a Data Breach Report found that companies with high levels of shadow AI face data breach costs that are, on average, $670,000 higher than those with minimal unauthorised AI use. Once confidential data leaves the organisation, it cannot be retrieved or deleted and may be used to train third-party models. 

• Regulatory and Compliance Violations: Shadow AI can breach GDPR, HIPAA, PCI-DSS, and other regulations if personal or sensitive data is processed without proper consent or controls. The Information Commissioner’s Office (ICO) and other regulators have issued warnings about the use of unapproved AI tools in regulated sectors. 

• Security Exposure: Gartner’s 2025 Emerging Risk Deep Dive identifies shadow AI as a top concern for risk leaders. Unvetted AI tools may introduce malware, supply chain vulnerabilities, or integration risks. One in five organisations has already experienced a cyberattack linked to shadow AI. 

• Misinformation and Bias: AI outputs can be inaccurate, biased, or manipulated. Decisions made on faulty AI recommendations can lead to operational errors, legal action, or brand damage. 

• No Audit Trail: Shadow AI use leaves no logs or records, undermining the ability to investigate incidents or defend business decisions in audits or litigation. 

• Shadow Spending and Vendor Risk: Department-level AI subscriptions may not be budgeted or reviewed, leading to cost overruns and exposure to unvetted vendors. 

The Business Impact Is Measurable 

Forbes reports that 90% of IT directors and executives at large companies are worried about shadow AI from a privacy and security standpoint. This anxiety is well-founded. The Samsung Electronics incident, where engineers inadvertently leaked sensitive corporate data to a public AI platform, is a stark example of how quickly and irreversibly data can be exposed. Once information leaves the organisation’s perimeter, it cannot be retrieved or deleted and may be used to train third-party models—potentially ending up in the hands of competitors or the public. 

The business impact is already visible. One in five organisations has experienced a cyberattack linked to shadow AI, and the risks extend beyond financial loss to include regulatory fines, operational disruption, and strategic setbacks. 

Regulatory bodies such as the Information Commissioner’s Office (ICO) have issued warnings about the use of unapproved AI tools in regulated sectors, and the consequences of non-compliance are growing more severe. 

Why Shadow AI Is So Hard to Control 

Gartner’s 2025 Emerging Risk Deep Dive makes it clear that the root causes of shadow AI are not just technical, but deeply cultural and operational. Employees are moving faster than the systems designed to support them, often seeking out external AI tools to bypass slow or outdated enterprise systems. The accessibility of AI tools outside the corporate perimeter is accelerating this trend, and many organisations underestimate the scale of shadow AI and lack the visibility to manage it. This is not just a failure of technology, but a failure of governance and leadership. 

How to Reduce Shadow AI Risk 

Executives should take a proactive, governance-led approach to Shadow AI: 

• Discover and Inventory: Use SaaS discovery tools, network monitoring and endpoint telemetry to identify unauthorised AI tools in use. Conduct regular AI usage surveys with employees to surface shadow adoption. 

• Policy Creation and Enforcement: Define and communicate clear policies on approved AI tools, acceptable use and data classification. Require security and compliance sign-off before adopting new AI solutions. 

• Employee Awareness and Training: Run ongoing training on AI risks; such as data leakage, hallucinations and bias, and provide safe, approved AI workspaces to channel use into controlled environments. 

• Governance Controls: Implement AI gateways that log all prompts, responses, and metadata. Mandate data masking for sensitive fields and set role-based access to AI tools. 

• Continuous Monitoring and Auditing: Regularly scan for AI-related network activity, review usage against compliance requirements and audit results to ensure policy adherence. 

• Incident Response and Remediation: Establish clear procedures for responding to shadow AI incidents, including data breach notification, containment and remediation. 

Executive Actions 

• Demand regular reporting on shadow AI detection, incidents and remediation. 

• Ensure that AI governance is part of the broader risk and compliance framework. 

• Balance innovation with control: provide user-friendly, approved AI alternatives to reduce the temptation for shadow use. 

Shadow AI is pervasive and presents material risks to data security, compliance and business value. The evidence from KPMG, IBM, Gartner and others is clear: business leaders must take a proactive stance, combining technology, policy and culture to detect, control and safely harness AI innovation.  

For businesses wanting to embrace AI in a secure way, Microsoft Copilot operates within your Microsoft environment, scraping data from within your infrastructure without the risk of sharing confidential or sensitive company information outside your infrastructure. 

Written by Stephen Cook