Years ago, when the iPhone first came out people wanted to use it for work as well as personal uses. Company security policy however forbid its usage in favor of the proven, secure and stable Blackberry product line. What did workers do? They used their iPhone for work purposes without ITSec knowing. This was true for devices, software products and any other technology that made work easier but wasn’t on the corporate approved list. They called this Shadow IT – the usage of unapproved technological tools to do one’s job. Today, we have the same problem – but now it’s called Shadow AI.

What is Shadow AI?

Most organizations have very strict data protection policies. This is on top of security protocols and firewalls designed to ensure sensitive company information is viewable only by authorized personnel. Enter AI. Bosses are demanding teams start using AI to be more efficient and to implement it in the company’s products and services. Except there’s one challenge. The company doesn’t allow access to the broad set of AI tools. At best, most corporate employees have access to Microsoft’s Copilot bot. So what do employees do? They feed their sensitive company data to ChatGPT and Claude on their personal laptops to get the answers, productivity and efficiency they need to demonstrate. 

Adoption > Automation

At a conference last week I saw Alexandre Kavinski from WPP Media Services discuss the challenges of broad AI usage inside organizations. He said something I found powerful. To get the kind of AI-boosted efficiency companies are seeking, the trick was in broad employee adoption rather than the automation of mundane tools. He argues that the collective power of the employee base, amplified with AI tools, will be more productive, responsive and impactful than automating a series of boring tasks with AI bots. To do this though, employees need to be presented with compelling AI-powered tools to use and currently that’s not happening. 

Avoiding Shadow AI and finding efficiency opportunities

Companies that want to avoid Shadow AI practices which put the company at risk and, at the same time, empower their employees to be as efficient as the new tools will allow, need to build a new type of collaboration. If we continue to allow IT Security to write all the rules on their own we risk our company lagging behind others in this new reality. Instead we want to put a governing body in place that combines IT Security, legal, HR and Ops (at the very least). This organization’s role is to identify opportunities for AI-powered efficiency and determine how to test and experiment with the technology in a safe way. The ultimate goal is to put policies in place that make the best tools available to our people at the least risk to the company. If we can build these experimental sandboxes and decide how to deploy our learnings and tools in a way that meets legal, security and professional development and performance goals we stand a chance of limiting the impact of Shadow IT and getting our folks on a productive track faster.