What Is Shadow AI?
Shadow AI is the use of AI tools, models, and workflows within an organisation without the knowledge, approval, or governance oversight of IT, security, or compliance teams. It includes employees using personal ChatGPT, Copilot, Claude, or Gemini accounts for work tasks, teams adopting AI-powered SaaS features without IT review, and developers integrating AI APIs without security assessment. Research from MIT found that employees at over 90% of organisations use personal AI accounts for work. The Mimecast State of Human Risk 2026 report found that 80% of organisations worry about data leaking through generative AI, yet 60% have no strategy to address it.
Shadow AI — employee use of AI tools without organisational authorisation, oversight, or governance — typically through personal accounts or browser-based consumer AI services.
Shadow AI is now the most common AI risk in enterprise environments. MIT research suggests over 90% of organisations have employees using personal AI for work. The Verizon DBIR 2026 ranks shadow AI as a top insider threat. APRA's 30 April 2026 letter explicitly requires Australian financial institutions to maintain an AI inventory — which means knowing where shadow AI exists. Mitigation combines enterprise AI tooling (so employees do not need shadow tools), policy, and detection.
Source: MIT shadow AI research; Verizon DBIR 2026; APRA 30 April 2026 letter
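The detection half of that mitigation usually starts with the web proxy: flag traffic to consumer AI services and build the per-user inventory that regulators such as APRA now expect. The following is an added example, not code from the original article; the log line format, the host list and the sanctioned enterprise endpoint are constructed assumptions.

```python
# Added example (not from the article): flag consumer AI traffic in proxy
# logs and build a per-user inventory. Formats and host lists are assumed.
import re
from collections import defaultdict

# Constructed: consumer-account hosts for the tools the article names.
CONSUMER_AI_HOSTS = {
    "chatgpt.com": "ChatGPT",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Copilot",
}
# Constructed: sanctioned enterprise endpoint; governed, so not shadow AI.
SANCTIONED_AI_HOSTS = {"api.openai.com"}

# Assumed line format: "<timestamp> <user> <method> <host> <bytes_sent>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def classify_host(host):  # tool name for a consumer AI host, else None
    h = host.lower()
    if h in SANCTIONED_AI_HOSTS:
        return None
    for known, tool in CONSUMER_AI_HOSTS.items():
        if h == known or h.endswith("." + known):
            return tool
    return None

def build_inventory(log_lines):  # user -> {tool: bytes uploaded}
    inventory = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the run
        _ts, user, method, host, sent = m.groups()
        tool = classify_host(host)
        if tool:
            # Count only POST bodies as uploads; GETs are page loads.
            inventory[user][tool] += int(sent) if method == "POST" else 0
    return {u: dict(t) for u, t in inventory.items()}

# Constructed sample proxy lines for a stand-alone run.
SAMPLE_LOG = [
    "2026-05-01T09:12:01Z alice POST chatgpt.com 48211",
    "2026-05-01T09:15:44Z alice POST api.openai.com 1200",
    "2026-05-01T10:02:13Z bob GET claude.ai 310",
    "2026-05-01T10:02:20Z bob POST claude.ai 90210",
    "2026-05-01T11:30:00Z carol GET intranet.example.com 512",
]
```

Upload byte counts per user and tool are the signal worth triaging first, since they indicate data leaving the organisation rather than someone merely opening a page.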
Why it matters for governance
Shadow AI creates three categories of risk simultaneously. Data exposure risk: information entered into consumer AI tools may be used for model training, violating data protection obligations and contractual confidentiality. Regulatory risk: uncontrolled AI use can breach GDPR, the EU AI Act, sector regulations, and employment law without the organisation knowing. Quality risk: AI-generated outputs used in business decisions without validation can introduce errors, bias, and liability. APRA's April 2026 industry letter implicitly addresses shadow AI through its expectation of comprehensive AI use case inventories.