Shadow AI is the use of artificial intelligence tools, ChatGPT, copilots, agents and applications built on large language models, by employees without approval or oversight from security or IT. This is not a marginal phenomenon: according to the Verizon 2026 DBIR, roughly 45% of workers now use generative AI regularly on corporate devices, and UpGuard's State of Shadow AI 2025 report found that 81% of employees and 88% of security leaders admit to using unapproved AI tools. The combination of mass adoption and absent governance makes shadow AI one of the biggest emerging compliance and cybersecurity risks facing the modern enterprise.
At Secra, as an offensive security company, we see shadow AI from the attacker's perspective: every uninventoried AI tool is a new attack surface, a data exfiltration channel and one more identity to manage. In this article we explain what shadow AI is, why it exploded in 2025-2026, the concrete risks it introduces and how to build an AI governance framework that actually works in practice.
What shadow AI is and how it differs from shadow IT
Shadow AI is the AI-specific version of shadow IT. Classic shadow IT is any software, cloud service or device that employees use without going through the organization's controls. Shadow AI inherits that problem but adds three aggravating factors that make it far more dangerous.
The first is data leakage by design. When an employee pastes a contract, source code or customer data into a free chatbot, that information leaves the perimeter and, depending on the platform and plan, may be used to train the model. The Samsung engineers who pasted confidential chip design code into ChatGPT are the canonical example of why this matters.
The second is opacity. According to LayerX Security's 2025 analysis, 82% of paste operations into AI tools come from unmanaged personal accounts, leaving the enterprise almost blind to what is being shared. No logs, no DLP, no controlled retention.
The third is that many of these tools are no longer simple chatbots but autonomous agents with the ability to act. An agent connected to internal APIs can read, write and execute actions, amplifying any misconfiguration or abuse. We analyze that dimension in depth in our article on autonomous AI agent security.
Why shadow AI exploded in 2025-2026
Generative AI adoption has grown faster than any other recent enterprise technology, and governance has not kept pace. The 2025-2026 data paints a clear picture.
Menlo Security recorded a 50% increase in traffic to generative AI tools between February 2024 and January 2025, and found that 68% of employees access generative AI through free personal accounts. Cisco, in its survey of privacy and security professionals over the same period, found that 46% admit to having entered employee names or information into generative AI tools. And according to LayerX, more than 50% of paste events into AI chatbots included corporate information.
The causes of this explosion are several:
- Perceived productivity: employees get immediate results and do not want to wait for IT to approve a tool.
- Zero barrier to entry: anyone can open a free chatbot from the browser or phone without installing anything.
- Copilot proliferation: assistants embedded in office suites, IDEs and CRMs blur the line between approved and unapproved tools.
- Lack of official alternatives: when the company offers no secure, approved option, the employee finds their own.
The result is that, per UpGuard, 81% of employees admit to using AI tools not approved by their employer. Official and shadow usage can coexist within the same workforce, but most of the activity happens outside IT's control.
Shadow AI risks for the enterprise
Confidential data and intellectual property leakage
This is the most obvious and best documented risk. According to the IBM Cost of a Data Breach report, one in five organizations that suffered a breach attributed it to a shadow AI related incident, and organizations with high levels of shadow AI recorded an average breach cost roughly 670,000 dollars higher than those with little or no usage. Source code, strategy, financial data, customer information: all of it can end up in a third-party model with no retention or deletion control.
GDPR, EU AI Act and NIS2 non-compliance
Pasting personal data into an unauthorized AI tool is often a data transfer with no legal basis, no impact assessment and no contractual safeguards. That can constitute a GDPR violation. The EU AI Act does not impose the same obligations on every system: they depend on the organization's role (provider or deployer), the use case and the system's risk level. Most minimal-risk systems take on no additional obligations, whereas high-risk systems and general-purpose models do, under a phased timeline (obligations for general-purpose models took effect on 2 August 2025, with further phases arriving later). Even so, maintaining an inventory of the AI systems your workforce uses is a recommended governance control, because without one it is impossible to know which role, use case and risk level apply in each case. For essential and important entities, shadow AI also complicates the risk-management measures required by NIS2, as we detail in our NIS2 compliance guide for Spain.
A new attack surface
Every unmanaged AI tool widens the attack surface. Models are vulnerable to specific techniques such as prompt injection, which manipulates model behavior through malicious inputs, and to the rest of the risks captured in the OWASP Top 10 for LLM. An AI agent with credentials connected to internal systems can become a lateral movement vector. Attackers also use AI to automate attacks, a topic we cover in agentic AI cyberattacks.
Biased decisions and quality errors
A model can hallucinate, introduce bias or generate incorrect content. If an employee makes business, legal or technical decisions based on the output of an unvalidated tool, the operational and reputational risk is real and hard to trace.
Non-human identities out of control
Agents and copilots authenticate via tokens, API keys and service credentials: non-human identities (NHI) that rarely appear in the inventory when the tool is shadow AI. These identities often hold broad permissions and rarely rotate. Governing shadow AI and managing non-human identities and secrets are two sides of the same problem.
How to govern shadow AI: a practical framework
The answer to shadow AI is not to ban AI, because prohibition only pushes usage further into the shadows. The answer is to govern: provide visibility, offer secure alternatives and set clear rules. This is the framework we recommend.
1. AI usage discovery
You cannot govern what you cannot see. The first step is discovering which AI tools are actually used across the organization. This is achieved by combining:
- Network traffic and proxy analysis to identify AI service domains.
- Review of managed browser logs and CASB.
- Inventory of extensions, plugins and copilots embedded in corporate suites.
- Anonymous staff surveys to capture usage from personal devices and accounts.
The goal is a living AI inventory. It is a recommended governance control that also makes it easier to determine the role, use case and risk level relevant to the EU AI Act, and it aligns with the governance approach of the NIST AI RMF, a voluntary framework.
2. AI acceptable use policy
An AI acceptable use policy should be short, clear and enforceable. It must answer concrete questions: which tools are approved, which data types can and cannot be entered, when human review is required and what the consequences of breaking the rules are. A 30-page policy no one reads does not reduce risk.
3. DLP and technical controls
Data loss prevention controls are essential to detect and block the exfiltration of sensitive information toward AI tools. If your organization does not yet have a mature strategy, our guide on what DLP is explains the fundamentals. Modern DLP must understand the context of paste and upload operations toward AI domains, not just email and files.
4. Approved secure alternatives
The most effective lever against shadow AI is offering an approved, secure and genuinely good alternative. An enterprise AI deployment with controlled retention, no training on your data, SSO and logs sharply reduces the incentive to go to the free version. People use the shadow when the light does not work.
5. Training and awareness
Employees do not leak data out of malice but out of ignorance. Training must explain concretely what happens when you paste a contract into a free chatbot and how to use the approved tools correctly. Recurring awareness is more effective than a single annual course.
6. AI governance framework and regulatory alignment
Above the individual controls there must be an AI governance framework: an accountable committee, an intake process for new tools, a risk classification by use case and a dedicated incident response procedure. This framework can be designed drawing on the NIST AI RMF and the ISO/IEC 42001 standard, avoiding duplicated work. Keep in mind that aligning with NIST or ISO does not on its own demonstrate EU AI Act compliance, whose obligations depend on role, use case and risk level, but it does provide a solid governance foundation on which to build that compliance.
Validating governance with an offensive perspective
A policy on paper does not prove the controls work. From our offensive security perspective, the best way to validate AI governance is to test it: verify whether DLP truly blocks leakage toward unapproved tools, whether discovery detects real usage and whether authorized AI agents withstand manipulation attempts. Pentesting AI and LLM models lets you assess the robustness of approved tools before an attacker does it for you.
Frequently asked questions
What exactly is shadow AI?
Shadow AI is the use of artificial intelligence tools (chatbots, copilots, agents and LLM-based applications) by employees without approval or oversight from IT or security. It is a variant of shadow IT focused on AI, with the added risk that these tools process and sometimes store the data entered into them.
Is using unapproved AI tools at work illegal?
Not illegal in itself, but it can cause concrete legal violations. Entering personal data into an AI tool without a legal basis or safeguards can breach the GDPR. As for the EU AI Act, its obligations depend on the organization's role, the use case and the system's risk level, so failing to inventory your AI tools makes it harder to know which requirements apply and to meet them. It also usually violates the company's internal security policies.
How can I tell whether my company has a shadow AI problem?
It very likely does. According to Varonis, 98% of organizations have employees using unverified applications, a category that includes unauthorized AI tools. The way to confirm it is to run an AI usage discovery combining network traffic analysis, CASB and proxy review, extension inventory and anonymous staff surveys.
Does banning AI solve the problem?
An outright ban usually makes the problem worse, because it pushes usage toward even less visible channels such as personal devices and accounts. The effective strategy combines discovery, an acceptable use policy, DLP controls, training and, above all, offering secure, approved AI alternatives.
How does shadow AI relate to NIS2 and the EU AI Act?
Both frameworks call for visibility and control. NIS2 requires essential and important entities to manage supply chain and system risks. The EU AI Act imposes obligations that depend on role, use case and risk level, and maintaining an inventory of AI systems is a recommended governance control for determining which apply. Being invisible, shadow AI hinders that inventory and, with it, both NIS2 risk management and the classification the EU AI Act requires, until it is discovered and governed.
Conclusion: from the shadows to governance
Shadow AI is not going away, because AI is too useful for employees to give it up. The question is not whether your organization has shadow AI, but how much visibility and control you have over it. AI governance (discovery, policy, DLP, secure alternatives, training and a governance framework aligned with the EU AI Act and NIS2) turns an uncontrolled risk into a managed capability.
At Secra we help organizations discover their real exposure, validate their AI controls with offensive testing and build governance that holds up to both an auditor and an attacker. If you want to know which AI tools are used in your company and whether your controls hold, contact our team and we will design a plan tailored to you.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.

