It's happening in your business right now

Shadow AI — the use of AI tools by staff without organisational knowledge or approval — is one of the most prevalent and underappreciated AI governance challenges facing Australian businesses. It's not a future risk. It's a present one.

The dynamic is understandable. AI tools are free or cheap, genuinely useful, and easily accessible. Staff find them through word of mouth, social media, or personal use and start using them for work tasks without thinking through the implications. By the time the business becomes aware, client information may already have passed through systems the organisation never assessed or approved.

Why shadow AI creates real problems

The risks aren't theoretical. Shadow AI creates:

  • Privacy breaches. Staff using consumer AI tools with client personal information — a scenario that may trigger notification obligations under the Notifiable Data Breaches (NDB) scheme — is one of the most common forms of shadow AI.
  • Confidentiality exposure. Information entered into unapproved tools may be retained, used for training, or accessible to vendor staff — all without the knowledge of the clients whose information it is.
  • Quality and liability risks. AI-generated work product that hasn't been through your approval and verification processes creates quality and professional liability exposure.
  • Governance gaps. Shadow AI means your AI Register, your acceptable use policy (AUP), and your incident response plan don't cover a significant portion of your actual AI use.

How to detect shadow AI use

Detection doesn't require surveillance. It requires curiosity and open communication:

  • Ask. Survey or informally ask your team what AI tools they're using for work. Most people will tell you if asked directly — they often don't realise there's a problem.
  • Check browser extensions and installed applications. Many AI tools are accessed via browser extensions that IT can identify.
  • Look for signs in work product. AI-generated text has recognisable patterns. Inconsistencies in writing style, unusually generic phrasing, or content that doesn't match the staff member's normal approach may signal AI use.
  • Review expense claims and subscriptions. Staff sometimes expense AI tool subscriptions or use personal credit cards — both are detectable.

How to respond when you find it

Shadow AI is primarily a governance problem, not a disciplinary one — unless the use involved a deliberate breach of a clear policy. The first response should be to understand what happened, not to punish.

  1. Assess the risk. What tool was used? What data was entered? Does this trigger NDB assessment obligations? Was any client information affected?
  2. Address immediate harm. If personal information was entered into a consumer AI tool, follow your incident response process. Even if it doesn't meet the NDB threshold, document what happened and what steps you took.
  3. Talk to the staff member. Understand why they used the tool, what they were trying to accomplish, and whether there's an approved alternative that would serve the same purpose.
  4. Assess whether the tool should be approved. Sometimes shadow AI reveals a genuine gap in your approved tool list. If staff are using an unapproved tool because it does something useful that no approved tool does, consider whether it can be assessed and approved.

The most effective deterrent is not prohibition — it's provision. Staff use unapproved tools when approved tools don't meet their needs. If you provide well-selected, properly assessed AI tools that help staff do their jobs, the incentive for shadow AI use diminishes significantly.

How to prevent it from happening again

  • Make the approved list visible and easy to use. If staff don't know what's approved, they'll use what they can find. Your AI Register should be accessible, and approved tools should be easy to access.
  • Create a clear request process. Staff should know how to request assessment of a new tool. A simple process — email a designated person, tool gets assessed within two weeks — removes the friction that drives shadow AI adoption.
  • Train, don't just prohibit. Staff who understand why data handling rules exist are far more likely to follow them than staff who've been told what not to do without explanation.
  • Review your approved list regularly. Shadow AI often fills gaps that approved tools don't cover. Regular reviews that add genuinely useful approved tools reduce those gaps.
