Essay / 2026-04-28
Shadow AI: The Disaster Already Happening
What happens when your employees are already using ChatGPT and you don't have an AI strategy.
Most companies' AI problem isn't that they're using it badly. It's that they don't realise they're using it at all.
In the flagship piece I argued that responsible AI for companies means having control over the model and the data. This post is about the practical reality that almost every company is already failing on the second half, whether they know it or not.
What shadow AI actually looks like
A lot of companies don't have an AI strategy. No usage guidelines, no internal policy, no sanctioned tool. What they do have is employees, and most of those employees have already tried ChatGPT.
This is what gets called shadow AI: people in your company using AI whether you sanctioned it or not, on whatever tool they happen to like, with whatever data helps them get their work done faster. Customer emails, internal memos, contracts, financial spreadsheets, support tickets, source code, half-finished strategy documents, anything that saves them an hour.
Most of them are doing it on the free consumer tier of whichever provider they like, which has no privacy guarantees worth the name: the provider typically retains the prompts, may use them to train future models unless the user finds and flips an opt-out, and has signed no data-processing agreement with you. Your company's knowledge is going into systems you have no control over, and you don't know it's happening.
This is a disaster waiting to happen, or more accurately, already happening.
Why "we'll just block it" doesn't work
A common reaction, once leadership realises any of this, is to ban it: block ChatGPT at the network level, tell employees not to use AI tools, make it a disciplinary issue.
This does not work, for two reasons.
First, it doesn't actually stop anyone. People use their phones, personal laptops, a different network, or a tool you haven't heard of yet. The information still leaves the company, just through more channels and with less visibility for you.
Second, even if it worked, you would now have a company that is voluntarily not using AI while its competitors are. That is also a disaster, just slower, the same way it would have been a disaster to refuse to use computers, the internet, or modern software when those came along.
Banning is not a strategy, just a delay.
Why this is happening, and what people are actually telling you
Shadow AI is not rampant because employees are reckless. It's rampant because AI is genuinely useful, and the gap between "this saves me an hour every day" and "this might be a privacy problem for the company" is bigger than any individual employee can be expected to manage on their own.
The honest read is that your employees are telling you something. They are telling you there is real, daily, repetitive friction in their work that AI helps with right now. They have already decided AI is worth the trade-off. The only question left is whether they get to use AI in a way you control, or whether they keep using AI in a way you don't.
Saying "block everything" is the worst answer to this signal, because you'd be saying no to the productivity and no to the visibility, while the underlying friction stays the same.
What actually works
The right move is to give people a sanctioned, private way to use AI on the work that needs it. Easier to use than the free tier they're already on. Inside your perimeter. With logs and access controls. The mechanics (on-premise, private cloud, managed deployment, integration via APIs and MCP servers) live in the deployment piece.
If you're reading this and recognising your company, here's the honest sequence:
- Assume shadow AI is happening already. It is.
- Don't react with a ban. It will not work, and it isn't the outcome you want anyway.
- Acknowledge that people are using AI because real work is genuinely easier with it.
- Pick one painful workflow and build a sanctioned, private path for it. Make that path easier to use than the free tier.
- Write a usage guideline that is short and actually realistic: tell people what is fine, what is not, and where to go for the sanctioned tool.
- Once one workflow is working, do the next one.
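What "inside your perimeter, with logs and access controls" looks like at the smallest useful scale, for the sanctioned path described above and in the build-one-workflow step: a gateway that identifies the employee, checks that they are allowed to use the requested workflow, writes an audit event, and only then forwards the prompt to an internal model. This is an added example written for this post, not code from the original essay or from any particular product. The user table, the `example.com` identities, the `llm.internal.example` endpoint and the `fake_upstream` stand-in are all assumptions for illustration; in a real deployment the identities come from your identity provider and the endpoint is your on-premise or private-cloud model.

```python
"""Minimal sanctioned AI gateway: who may call, what gets logged, where it goes.

Added example for this essay, not code from the original post. The user table,
the internal model URL and the audit format are illustrative assumptions.
"""
import hashlib
import json
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed allowlist: which employees may use which sanctioned workflow.
# In production this comes from your identity provider / group membership.
USERS = {
    "tok-alice": {"user": "alice@example.com", "workflows": {"support-reply"}},
    "tok-bob": {"user": "bob@example.com", "workflows": {"support-reply", "contract-summary"}},
}

# Assumed internal model endpoint (on-premise or private cloud), never a public free tier.
INTERNAL_MODEL_URL = "http://llm.internal.example:8080/v1/completions"


@dataclass
class AuditEvent:
    ts: float
    user: str
    workflow: str
    prompt_sha256: str
    prompt_bytes: int
    upstream: str
    decision: str  # "allowed" or "denied"


def _hash_prompt(prompt: str) -> str:
    # Record a hash and a size, not the prompt itself: the audit trail must not
    # become a second copy of the sensitive data it exists to account for.
    return hashlib.sha256(prompt.encode("utf-8")).hexdigest()


def handle_request(token: str, workflow: str, prompt: str,
                   send_upstream: Callable[[str, str], str],
                   audit_log: list) -> Optional[str]:
    """Authenticate the caller, authorise the workflow, log, then forward.

    Returns the model's reply, or None if the request was denied. Denied
    requests are logged too, because an employee reaching for a workflow they
    are not cleared for is exactly the signal the essay says to listen to.
    """
    principal = USERS.get(token)
    user = principal["user"] if principal else "unknown"
    allowed = principal is not None and workflow in principal["workflows"]
    audit_log.append(AuditEvent(
        ts=time.time(),
        user=user,
        workflow=workflow,
        prompt_sha256=_hash_prompt(prompt),
        prompt_bytes=len(prompt.encode("utf-8")),
        upstream=INTERNAL_MODEL_URL,
        decision="allowed" if allowed else "denied",
    ))
    if not allowed:
        return None
    return send_upstream(INTERNAL_MODEL_URL, prompt)


def fake_upstream(url: str, prompt: str) -> str:
    """Stand-in for the internal model so the example runs offline (assumed)."""
    return f"[reply from {url} to {len(prompt)} chars]"


def audit_as_jsonl(audit_log: list) -> str:
    """One JSON object per line, ready to ship to whatever log pipeline you already run."""
    return "\n".join(json.dumps(e.__dict__, sort_keys=True) for e in audit_log)


if __name__ == "__main__":
    log = []
    # Constructed sample prompts; no real customer data.
    print(handle_request("tok-alice", "support-reply", "Draft a reply to this ticket", fake_upstream, log))
    print(handle_request("tok-alice", "contract-summary", "Summarise this NDA", fake_upstream, log))  # denied
    print(handle_request("tok-nobody", "support-reply", "hello", fake_upstream, log))  # denied
    print(audit_as_jsonl(log))
```

The two design choices worth copying even if nothing else survives: the log stores a hash and a byte count rather than the prompt, so the audit trail is not itself a leak, and denials are logged alongside successes, so the gateway doubles as the inventory of which workflows people actually want.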
If you're already thinking about this at all, you are far ahead of most companies. The next move isn't a strategy off-site, it is one workflow.