Shadow AI in Regulated Organisations: The Risk You're Not Measuring
Employees at regulated firms are using consumer AI tools with production data. Most compliance teams know. Almost none have quantified the exposure.
Shadow AI is not a future problem. It is happening now, in your organisation, and the exposure is almost certainly larger than your compliance team believes.
What shadow AI actually looks like
It is not rogue developers running unsanctioned servers. It is a senior underwriter pasting a client's medical history into ChatGPT to get a summary. It is a compliance analyst using a consumer AI tool to draft a regulatory response. It is a finance team member uploading a spreadsheet of account data to run analysis faster.
Each of these is a data breach. None of them show up in your DLP logs if the tool is browser-based.
Why it happens
The tools are better than the approved alternatives. They are faster, more capable, and require no procurement approval. The employee is not being reckless — they are being productive. The risk is invisible to them.
Quantifying the exposure
Most organisations have no idea how widespread shadow AI use is. The measurement approach:
1. Run a targeted survey across 3-5 business units asking employees which AI tools they use for work tasks
2. Cross-reference with browser proxy logs for known AI tool domains
3. Interview 5-10 employees in high-risk roles about their actual workflow
In our experience, 30-60% of knowledge workers are using unsanctioned AI tools for work tasks. The data categories involved are frequently sensitive — client PII, financial data, medical records.
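Step 2 of the measurement approach (cross-referencing proxy logs against known AI tool domains), as an added example that is not from the original article: the script parses a constructed proxy-log export, matches destination hosts and their subdomains against an illustrative watchlist, and summarises distinct users, request counts and bytes uploaded per business unit. The log format, the sample lines and the watchlist are assumptions for illustration; adapt the parser to your proxy's real export.

```python
# Added example, not from the original article: cross-reference proxy logs
# against a watchlist of AI tool domains and summarise exposure by department.
# The log format and the watchlist are constructed for illustration.
from collections import defaultdict
from urllib.parse import urlsplit

# Illustrative starter watchlist; extend it from your proxy's own categorisation.
AI_TOOL_DOMAINS = {"chatgpt.com", "openai.com", "claude.ai", "gemini.google.com"}

# Constructed sample lines: timestamp user department method url bytes_out
SAMPLE_LOG = """\
2024-05-01T09:12:03Z jsmith underwriting POST https://chatgpt.com/backend-api/conversation 48211
2024-05-01T09:15:44Z jsmith underwriting GET https://www.bbc.co.uk/news 0
2024-05-01T10:02:19Z akhan compliance POST https://claude.ai/api/chat 12930
2024-05-01T10:05:00Z akhan compliance GET https://chatgpt.com/ 0
2024-05-01T11:30:07Z mlee finance POST https://api.openai.com/v1/files 2100000
2024-05-01T11:31:00Z mlee finance GET https://intranet.example.com/finance 0
"""

def matches_watchlist(host, watchlist=AI_TOOL_DOMAINS):
    # Match the domain itself or any subdomain (api.openai.com -> openai.com),
    # so a watchlist of registrable domains also catches the API hosts.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)

def parse_line(line):
    ts, user, dept, method, url, bytes_out = line.split()
    return {"ts": ts, "user": user, "dept": dept, "method": method,
            "host": urlsplit(url).hostname or "", "bytes_out": int(bytes_out)}

def summarise(log_text, watchlist=AI_TOOL_DOMAINS):
    # Per department: who is using AI tools, how often, and how much data left.
    # Bytes uploaded on POST requests is the exposure signal; page reads are not.
    summary = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if not matches_watchlist(rec["host"], watchlist):
            continue
        d = summary[rec["dept"]]
        d["users"].add(rec["user"])
        d["requests"] += 1
        if rec["method"] == "POST":
            d["bytes_out"] += rec["bytes_out"]
    return {dept: {"users": sorted(v["users"]), "requests": v["requests"],
                   "bytes_out": v["bytes_out"]} for dept, v in summary.items()}
```

The per-department user lists are what you cross-reference against the survey responses from step 1; a department whose proxy usage is much higher than its self-reported usage is where the step 3 interviews belong.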
The governance response that actually works
Banning tools does not work. It pushes usage underground and removes visibility.
What works: sanctioned alternatives (Microsoft 365 Copilot within your own tenant), explicit policy (one page, specific, not vague), mandatory training (30 minutes, practical), and DLP monitoring for known AI tool domains reviewed quarterly.
The goal is not zero AI use. The goal is AI use that doesn't create regulatory exposure.
Dealing with this in your organisation?
Book a 30-minute call. No pitch — a direct conversation about your specific situation.