
Think Twice Before Using That Unsanctioned AI App at Work

So-called "shadow AI" can do more than cause headaches for your friends in IT.

CNET 3 min read 6/10
Key Takeaways
  • Shadow AI usage in workplaces surged 640% in 2024, with 75% of employees using at least one unsanctioned generative AI tool, per Cyberhaven.
  • Samsung banned internal ChatGPT use in May 2023 after employees inadvertently uploaded confidential source code to the public model.
  • Financial institutions like JPMorgan Chase have restricted AI tool access due to compliance risks under SEC and FINRA regulations.
  • The EU AI Act, effective in phases from 2025, requires organizations to document and govern all AI use, including shadow AI, or face fines up to 7% of global revenue.
  • Data leaked through shadow AI can permanently embed proprietary information into public AI training sets, making it irretrievable.
Your employees are running unsanctioned AI apps on company devices, and that could be a disaster waiting to happen. Shadow AI — the use of generative AI tools without IT approval — is surging in workplaces, creating unprecedented security, legal, and compliance risks that most organizations are ill-equipped to manage.

**WHO:** Employees across all sectors, enabled by the ease of access to tools like ChatGPT, Gemini, and Copilot.

**WHAT:** The growing phenomenon known as 'shadow AI' — the use of generative AI tools without official IT approval or oversight.

**WHERE:** Workplaces globally, with particular concentration in knowledge-intensive industries such as tech, finance, healthcare, and legal.

**WHEN:** The trend has accelerated dramatically since the public launch of ChatGPT in late 2022, but is now reaching a tipping point as enterprises scramble to respond.

**WHY IT MATTERS NOW:** Without controls, shadow AI can expose sensitive data, violate regulatory requirements, cause intellectual property leaks, and create legal liability — all while evading standard security monitoring.

**CONTEXT:** The 'shadow IT' problem is decades old — employees using unsanctioned software to get work done faster. But generative AI amplifies the risks exponentially. Unlike a rogue spreadsheet or messaging app, AI tools can ingest, process, and output company data in unpredictable ways. Data fed into a public AI model is often used for training, meaning proprietary information could become part of a model's public knowledge base. Regulatory bodies in the EU, US, and Asia are increasingly scrutinizing AI governance, and a single shadow AI incident can trigger investigations and fines.

**KEY DETAILS:** According to a 2024 report by Cyberhaven, the use of generative AI in the workplace grew by 640% in the past year, with over 75% of employees using at least one unsanctioned AI tool. Common examples include employees pasting confidential customer data into ChatGPT for summarization, using AI writing assistants to draft contracts, or employing code generators to build internal tools — all without review. CNET's report highlights that IT departments often discover shadow AI only after a breach or after data appears in external training sets. Named companies that have faced issues include Samsung, which banned ChatGPT after employees uploaded proprietary source code, and JPMorgan Chase, which restricted access due to compliance concerns.

**ANALYSIS:** 'Shadow AI is the new shadow IT, but on steroids,' says Dr. Lena Petrova, a cybersecurity researcher at MIT. 'The difference is that AI models are black boxes — once data goes in, you can't be sure where it ends up.' Experts argue that the root cause is not malicious intent but a lack of sanctioned alternatives. When employees need AI to boost productivity and the IT department hasn't provided approved tools, they will find their own. This creates a cat-and-mouse game where blocking one service leads to adoption of another.

**OUTLOOK:** Companies must move from outright bans to managed enablement. This means deploying enterprise-grade AI platforms with data privacy guarantees, training employees on safe use, and implementing monitoring tools that detect and flag unsanctioned AI activity. Regulators are also stepping in: the EU AI Act requires organizations to document AI use, and the US Executive Order on AI calls for risk management frameworks. Organizations that fail to address shadow AI now risk not only data breaches but also losing competitive advantage as AI becomes central to operations. Watch for increasing vendor offerings that provide 'AI firewall' capabilities and for regulatory actions that will set clearer boundaries.

Frequently Asked Questions

Shadow AI refers to the use of generative artificial intelligence tools and applications by employees without the explicit approval or knowledge of the IT department or management. This includes using public models like ChatGPT, Gemini, or Copilot for work-related tasks such as writing emails, summarizing documents, or generating code.

Shadow AI poses significant security risks because sensitive company data—such as customer information, financial records, or proprietary code—can be uploaded to public AI models. Once data enters these models, it may be used for training or retained, leading to data leaks, intellectual property theft, and compliance violations under regulations like GDPR or the EU AI Act.

A notable example is Samsung, which banned ChatGPT in 2023 after employees accidentally leaked confidential semiconductor data. Other cases include financial services firms where staff used AI chatbots to generate compliance-sensitive documents, and healthcare workers inputting patient data into unapproved AI tools, risking HIPAA breaches.

Companies can reduce shadow AI risks by deploying approved enterprise AI platforms with data privacy guarantees, creating clear usage policies, training employees on safe AI use, and implementing monitoring tools that detect unauthorized AI activity. A proactive 'managed enablement' approach is more effective than outright bans.

The EU AI Act requires organizations to document and govern AI systems, including shadow AI uses. In the US, the Executive Order on AI promotes risk management frameworks, and sector-specific regulators like the SEC and FINRA are issuing guidance on AI governance. Non-compliance can result in severe fines and legal liability.

Original source: www.cnet.com
