Unsanctioned use of AI is a major cybersecurity risk, but your employees need the latest tools to be more productive. By the time you’ve developed a framework for managing shadow AI, technology has already progressed. This means you’re left constantly playing catch-up while the risks of shadow AI continue to accumulate.
Three strategies to stop shadow AI without killing productivity
A study by Software AG showed that around half of corporate workers are using at least some unapproved AI tools. Even those who are aware of the dangers — such as security professionals — still use shadow AI technologies because the tools are so effective and the employees are willing to take the risk.
The real issue is that the demand for AI capabilities is far outpacing the infrastructure built to govern it. Instead of focusing on policies and restrictions, companies need to read the signs behind employee behavior and implement strategies that both protect their organization and provide their people with the tools they need to perform their duties efficiently.
A familiar challenge but with new risks
Employees leveraging unauthorized technology is not a new phenomenon. In the early days of public cloud adoption, developers used Kubernetes and containers to test and build applications because it was much faster than using the approved internal systems. It could take days or weeks to get a virtual machine set up by the IT department. We would just say, “Somebody put this on your corporate card, go to Amazon, and start using this stuff.”
AI improves work performance
With the development of generative AI (gen AI) and large language models (LLMs), workers suddenly have access to a powerful new suite of tools. Human-quality content, including written articles, graphics and video, can be created with a few well-crafted prompts. AI chatbots can provide detailed answers to the most complex questions. Gen AI can produce hundreds of lines of code with a single prompt. Employees are already relying on these platforms to do their jobs, even when their organization hasn’t yet sanctioned these applications.
79% of IT leaders have seen unauthorized AI being used in their organizations (Nutanix).
It’s clear we are on the same trajectory as shadow IT, but what’s different is the level of threat.
AI increases the blast radius
Imagine an employee transfers files that contain proprietary information to an unauthorized cloud application such as Dropbox. If there’s a breach, the damage could be severe, but it’s at least contained to those files.
By contrast, an AI agent can pull data and execute decisions across multiple different IT systems without human input or oversight. If left unchecked, a poorly configured or compromised agent could penetrate across the entire organization, impacting every system it touches.
The structural gaps that enable shadow AI
The spread of shadow AI is not due to employees acting recklessly. Often the problem is caused by gaps in the organization itself: gaps in knowledge, in process, and in leadership.
Knowledge gaps
Employees may be unaware that they aren’t authorized to use certain AI tools or they may be ignorant of the risks involved. For example, employees may not realize that many AI chatbots don’t protect data as standard, or they may believe it’s fine to use AI tools on their own devices.
Process gaps
Alternatively, an employee may attempt to go through the formal processes to use a new AI tool but get frustrated by the amount of time it takes to get approvals. They think, “My job’s on the line, my reputation’s on the line. I’ve got to get this task done. So I’m going to go ahead and use whatever tool I have at my disposal.”
Gen AI is moving quickly, so companies must respond at the same speed. If employees are waiting months for a procurement cycle to complete, then the risk of shadow AI spreading becomes more acute.
Leadership gaps
Shadow AI is also a leadership issue. A lack of consistent policies, messaging, and enforcement from senior management is a major risk factor when it comes to the unauthorized use of AI tools. Often this is due to a lack of in-depth knowledge on the issue at the top levels of the organization, especially among managers who come from a non-IT background.
Why relying on policies, training, or blocking is ineffective
Although the gaps driving shadow AI are clear, the solutions aren’t straightforward. Simply providing clear organizationwide policies, training, and education is rarely enough.
An UpGuard survey of 1,000 IT leaders showed 88% of security professionals have used unauthorized AI at work, and they use these tools 33% more frequently than other employees.
Blocking access is often unenforceable
With so many new platforms emerging, all with similar capabilities, networkwide enforcement becomes unfeasible. Blocking services just becomes a game of whack-a-mole. You press it down in one place, but it pops up when they go home. It pops up when they go to lunch.
Most employees aren’t even aware when a tool has been blocked. Of those who are, almost half reported finding a workaround to keep using the tool.
82% of IT leaders agree controlling unauthorized AI use is challenging, and only 5% of IT decision-makers believe their organization has zero blind spots created by AI (ManageEngine).
Look for the signal in the cluster
To better manage shadow AI, organizations first need to monitor usage patterns. What organizations learned from the shadow IT era is that usage tended to cluster around specific workflow bottlenecks. A similar phenomenon is happening for shadow AI.
By analyzing these three common clusters, IT departments can stop taking a scattergun approach and get crucial signals to inform their strategy.
Marketing teams use gen AI for content creation
Signal: Advanced gen AI models can be used to edit and create content with human-level accuracy and quality. This allows companies to scale their marketing content output. Most approved marketing stacks have some embedded gen AI tools, but they don’t have the capabilities of the frontier LLMs.
IT’s move: IT teams need to recognize that their current marketing software is simply outgunned. They must start the procurement process for enterprise-grade LLMs and begin proactively ending their current vendor relationships where necessary.
Developers turn to vibe coding to meet deadlines
Signal: Companies may be acquiring the latest AI coding platforms, but the procurement timelines don’t match the relentless pace and pressure software engineers are under to ship products. Vibe coding is great if you’re a seasoned programmer and you want to accelerate the process. But ultimately it needs to go through proper review and cleanup by experienced coders.
IT’s move: Vibe coding needs to be treated as a governance design program. Instead of banning it outright, there must be defined rules as to what data can be fed to an external AI platform. There must also be a clear review process, as well as quality assurance layers to make this pathway effective.
Employees share internal docs with AI to solve challenges
Signal: Arguably the most severe risk is when employees, such as customer service reps, use an unauthorized AI tool to solve a particular problem. Perhaps they uploaded some spreadsheets or documents authorized only for internal use to ChatGPT or Claude and started asking questions. The response may be better, but if it’s an unofficial account, they have now leaked a great deal of proprietary information to a system the company doesn’t control.
There’s no flag when data leaves the internal IT environment, which makes the access controls that the IT department spent years building redundant.
37% of employees admit to sharing internal documents including strategy and financials with unauthorized AI tools, and 63% of IT leaders cite data leakage as their top shadow AI concern.
IT’s move: This is primarily a knowledge access risk. Companies need to implement well-governed access control on all proprietary company information, as well as approved AI-based enterprise search systems. This is where having a governed platform truly shows its value.
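As an added illustration of reading usage clusters instead of chasing single incidents (example code, not from this post or from Simpplr): the script below aggregates constructed proxy log lines by department, separates sanctioned AI hosts from unsanctioned ones, and flags any single large upload, the silent data egress described above. The log format, the host lists, the department field and the size threshold are all assumptions.

```python
"""Cluster unsanctioned gen AI traffic by team from proxy logs.

Added example (not from the original post). The log format, the host lists
and the department field are assumptions constructed for illustration.
"""
from collections import defaultdict

# Assumed: the one AI service the organization has sanctioned, and the set of
# AI service hosts seen in the log; known but unsanctioned hosts are shadow AI.
SANCTIONED_AI_HOSTS = {"ai.corp-approved.example"}
KNOWN_AI_HOSTS = {"chat.example-llm.com", "code.example-llm.com", "ai.corp-approved.example"}
UPLOAD_THRESHOLD = 1_000_000  # bytes in one POST; assumed tripwire for bulk document sharing

# Constructed sample proxy lines: timestamp user department method host bytes_sent
SAMPLE_LOG = """\
2025-06-02T09:14:01 amy marketing POST chat.example-llm.com 48213
2025-06-02T09:20:44 bob engineering POST code.example-llm.com 9120
2025-06-02T09:22:05 cat support POST chat.example-llm.com 1532000
2025-06-02T09:25:17 amy marketing POST chat.example-llm.com 51020
2025-06-02T09:31:30 dan engineering GET code.example-llm.com 312
2025-06-02T09:40:12 eve support POST ai.corp-approved.example 40000
2025-06-02T09:45:55 bob engineering POST code.example-llm.com 8800
"""


def parse_line(line):
    """Split one space-separated proxy record into a dict (assumed format)."""
    ts, user, dept, method, host, sent = line.split()
    return {"ts": ts, "user": user, "dept": dept, "method": method, "host": host, "bytes": int(sent)}


def cluster_shadow_ai(log_text):
    """Aggregate unsanctioned AI requests per department and flag bulk uploads.

    Returns (ranked, bulk_uploads): departments sorted by request count, and a
    list of (dept, user, host, bytes) for POSTs at or above UPLOAD_THRESHOLD.
    """
    clusters = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "users": set()})
    bulk_uploads = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["host"] not in KNOWN_AI_HOSTS or rec["host"] in SANCTIONED_AI_HOSTS:
            continue  # not an AI service, or an approved one: no signal here
        c = clusters[rec["dept"]]
        c["requests"] += 1
        c["bytes_out"] += rec["bytes"]
        c["users"].add(rec["user"])
        if rec["method"] == "POST" and rec["bytes"] >= UPLOAD_THRESHOLD:
            bulk_uploads.append((rec["dept"], rec["user"], rec["host"], rec["bytes"]))
    ranked = sorted(clusters.items(), key=lambda kv: kv[1]["requests"], reverse=True)
    return ranked, bulk_uploads
```

On the constructed sample, engineering ranks first by request count (a candidate "developers under deadline" cluster) while support produces the single bulk upload worth following up on.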
Three strategies to manage shadow AI
The cluster analysis points to where the approved stack is failing. But identifying the gaps is only half the job. The following three moves address the structural conditions that allow shadow AI to take hold in the first place.
Accelerate authorized AI usage
The leading driver of shadow AI is that the approval path for using authorized AI tools is too slow. IT departments need to reduce internal friction and massively accelerate access to AI tools for employees. They must also understand which tools their employees are using and why and then focus on the right areas.
85% of surveyed IT leaders say AI adoption is moving faster than their teams can assess it, making speed of sanctioning a strategic priority (Forrester).
Read adoption patterns as a strategic backlog
Every cluster of shadow AI use is a prioritized, evidence-based signal about what to sanction next. Rather than reacting to each incident, IT teams should look at the broader patterns and build a roadmap from them. The use cases for marketing, developers, and support reps described earlier all point to something specific about where the approved stack is falling short.
Get data governance right
To stop employees sharing confidential information with an AI platform, companies first need to audit the data they have, locate where it is stored, and monitor who can access it. An AI policy doesn’t protect you if you don’t know what data you have or who has permission to access it. Instead, you just have something to point to after a breach.
85% of IT leaders say fragmented data and knowledge systems must be unified for AI to succeed, and 83% say that unifying data will become increasingly difficult as more AI is layered onto existing stacks (Forrester).
Attempting to build AI controls on top of ungoverned data is a recipe for failure. I’ve talked to a lot of CIOs and CTOs, and I can tell you that data governance is 100% top of mind for all of them.
Manage shadow AI by empowering employees
Shadow AI isn’t a compliance problem that policy alone can solve. The IT leaders making progress are the ones who stopped treating unauthorized adoption as a threat to suppress and started treating it as a roadmap for what to sanction next. A big part of closing that gap is making sure employees can find what they need inside approved systems in the first place.
How Simpplr helps IT leaders govern AI
Simpplr provides a unified user experience that brings content, tools, and business workflows into a single digital workspace. Built into that experience is a suite of gen AI capabilities, including enterprise search with smart answers, a writing assistant, and communications tools.
For IT, Simpplr’s AI Control Center provides a single console to govern every AI feature, provider, and configuration across the platform. Because the controls are built natively into Simpplr, administrators can manage AI at the feature level. They can enable or disable individual capabilities, select from validated LLM providers, or route requests through their own corporate accounts.
Every configuration change is captured in a chronological audit log noting what changed, who made the change, and when. This gives IT and InfoSec the traceability they need. Organizations can deploy AI within Simpplr without sacrificing security, compliance, or control. Ready to find out how Simpplr can help you manage shadow AI? Request a demo today.