GovCompass

Shadow AI: Your Organisation Uses More AI Than You Think

Ask any executive team how many AI systems their organisation uses, and the answer is often a hesitant "a handful". Ask the people doing the actual work, and the picture shifts entirely.

The marketing team runs copy through a generative AI model. An HR employee uses a convenient CV screening tool. Finance has an Excel plug-in with "smart" predictions. Customer service relies on a chatbot provided by a vendor. And somewhere, a team is running its own workflow on top of a foundation model, well outside IT's line of sight.

Welcome to Shadow AI: the totality of artificial intelligence used within your organisation without being centrally known, approved, or managed. It is the direct successor to Shadow IT, but with a fundamentally higher risk profile. Under the EU AI Act, this is no longer merely a management problem — it is an acute compliance risk.

The Three Faces of Shadow AI

To address Shadow AI effectively, you need to recognise the forms it takes on the ground.

Deliberately acquired, unreported tools. A department procures an AI service on its own — typically a SaaS subscription that falls just below the threshold for procurement or IT approval. The system works, delivers results, and is never reported.

AI embedded in existing software. This is the stealth variant. Your established vendor adds AI functionality to a product you have used for years — the "summarise" button in your meeting software, predictive analytics in your CRM, automatic sorting in your email client. You do not need to purchase a new AI product to become a deployer under the law. The obligation arises without any active decision on your part.

Internally built experiments. A technically skilled employee builds a script or workflow on top of a foundation model. This may seem harmless, but building a custom application can legally transform your organisation from a deployer into a provider — with considerably heavier statutory obligations as a result.

Why This Is a Compliance Problem, Not an IT Problem

With Shadow IT, the primary risk was typically a data breach or uncontrolled licence costs. With Shadow AI, a serious legal dimension is added on top.

You cannot govern what you do not know exists. The EU AI Act imposes concrete obligations on deployers: human oversight, transparency towards those affected, log retention, and — for high-risk applications — a fundamental rights impact assessment. None of these obligations can be met for a system whose existence is unknown to you.

The burden of proof rests with you. When a supervisory authority comes knocking, or when an individual challenges an AI-assisted decision, your organisation must demonstrate through documentation that it is in control. "We were not aware that department was using that" is not a defence — it is an admission that your governance framework has failed.

Risk scales with the application. An employee using AI to rewrite an internal memo represents a manageable risk. An HR department quietly using a CV screening tool is operating in a high-risk category (Annex III), with all the substantial compliance obligations that entails. The most dangerous aspect of Shadow AI is not the known, visible application — it is the system that no one in the boardroom knew fell under the most stringent category of the regulation.

From Blind Spot to Managed Register

Addressing Shadow AI requires an ongoing process, not a one-time cleanup. Four steps form the core.

Step 1: Inventory broadly, not narrowly.
Asking only "which AI tools have we purchased?" will miss embedded AI and internal experiments entirely. Instead, ask your organisation about concrete behaviours: "Which software makes predictions, generates text, or supports your decisions?" That framing surfaces significantly more.

Step 2: Engage the workforce, not just IT.
IT cannot map the blind spots by definition, precisely because these are systems that operate outside the network. A structured consultation with department heads will yield more than a technical scan. Make clear that the goal is not to catch people out, but to make the organisation compliant. A culture in which employees feel safe disclosing their AI use is your most effective line of defence.

Step 3: Classify on application, not on technology.
Once you have identified an AI system, determine which risk category under the AI Act it falls into. A critical principle applies here: classify based on the actual use case, not the underlying technology. The same language model may represent a minimal risk in one context and, in another — such as supporting medical decisions or screening job applicants — constitute a high-risk system to which the most demanding obligations apply.

Step 4: Make it an ongoing process.
An inventory is outdated within six months. Embed periodic re-inventorying in your governance structure, and make reporting new AI applications a standard part of procurement and IT procedures.
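As an added illustration of Steps 3 and 4 (example code, not from GovCompass or the original article): a small Python model of a managed AI register in which the risk category is derived from the recorded use case rather than from the model behind it, deployer obligations follow from that category, custom builds are flagged for a provider-role review, and entries not re-inventoried for roughly six months are marked stale. The category names, the high-risk use-case set, the obligation list and the six-month interval are simplified assumptions taken from the article's wording, not from the statutory text; the systems in the sample inventory are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Use cases the article names as high-risk (Annex III); everything else is
# treated as minimal here. This set is a constructed assumption for the
# example, not a statement of the Act's text.
HIGH_RISK_USE_CASES = {"cv_screening", "medical_decision_support"}

# Roughly six months: the horizon after which the article calls an inventory outdated.
REVIEW_INTERVAL = timedelta(days=182)


@dataclass
class AISystem:
    name: str
    model: str                   # the underlying technology, e.g. a foundation model
    use_case: str                # what the system is actually used for
    embedded_in: Optional[str]   # vendor product it ships inside, if any
    custom_built: bool           # built in-house on top of a foundation model
    last_reviewed: date


def classify(system: AISystem) -> str:
    """Risk category follows the use case, never the model behind it."""
    return "high" if system.use_case in HIGH_RISK_USE_CASES else "minimal"


def likely_role(system: AISystem) -> str:
    """Flag custom builds for legal review: they may turn a deployer into a provider."""
    return "provider (review)" if system.custom_built else "deployer"


def obligations(system: AISystem) -> List[str]:
    """Deployer duties as summarised in the article, plus the FRIA for high-risk use."""
    duties = ["human oversight", "transparency towards those affected", "log retention"]
    if classify(system) == "high":
        duties.append("fundamental rights impact assessment")
    return duties


def is_stale(system: AISystem, today: date) -> bool:
    """True when the entry is older than the re-inventory interval."""
    return today - system.last_reviewed > REVIEW_INTERVAL


def register_report(systems: List[AISystem], today: date) -> List[dict]:
    """One row per system: the managed register the article describes."""
    return [
        {
            "name": s.name,
            "embedded": s.embedded_in is not None,   # embedded AI still makes you a deployer
            "role": likely_role(s),
            "risk": classify(s),
            "obligations": obligations(s),
            "stale": is_stale(s, today),
        }
        for s in systems
    ]


# Constructed sample inventory (names, models and dates are made up).
SAMPLE_SYSTEMS = [
    AISystem("memo-rewriter", "foundation-model-x", "internal_memo_drafting",
             None, False, date(2025, 3, 1)),
    AISystem("hr-screener", "foundation-model-x", "cv_screening",
             None, False, date(2024, 10, 1)),
    AISystem("meeting-summariser", "vendor-model", "meeting_summaries",
             "meeting software", False, date(2025, 3, 1)),
    AISystem("ops-workflow", "foundation-model-x", "ticket_triage",
             None, True, date(2025, 3, 1)),
]


def demo_report() -> List[dict]:
    """Report for the constructed sample as of a fixed (constructed) date."""
    return register_report(SAMPLE_SYSTEMS, date(2025, 6, 1))


if __name__ == "__main__":
    for row in demo_report():
        print(row)
```

Running it prints one row per system. The two entries built on the same foundation model land in different categories because only the use case differs, the embedded meeting summariser appears in the register even though nothing was purchased, and the HR screener is flagged both as high-risk and as overdue for re-inventory.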

Shadow AI Is a Symptom, Not the Disease

It is tempting to combat Shadow AI with an outright ban. In practice, that does not work. A ban drives usage further underground and strips your organisation of the productivity gains AI genuinely offers.

When employees do not know how to report AI use, or when that process is slow and bureaucratic, they take the path of least resistance. Shadow AI is, in that sense, a symptom of absent governance — not the disease itself.

Organisations that handle this well make AI use easier to surface than to conceal: a central register, a low-friction reporting process, and clear risk criteria. Only once you know which AI your organisation actually uses can you begin the real work: innovating with confidence. Inventory is not the final step towards compliance — it is the very first.