Security & Risk
Shadow AI
AI tools adopted by employees without security team review or approval.
Shadow AI refers to any artificial intelligence tool, service, or feature used within an organization that hasn't gone through a formal review, risk assessment, or approval process. This includes standalone AI apps (like ChatGPT or Claude accessed via personal accounts), AI features embedded in existing SaaS tools (like Salesforce Einstein or Microsoft Copilot), browser extensions with AI capabilities, and AI coding assistants adopted by engineering teams.
Shadow AI is the AI-specific form of shadow IT, but carries additional risks because AI tools often process, learn from, or store the data they receive — meaning a single unvetted tool can create data exposure far beyond what a traditional shadow IT application would.
Why it matters
Research shows that the average enterprise has 3-5x more AI tools in active use than their security team is aware of. Each unvetted tool is a potential vector for data leakage, compliance violations, and vendor risk. You can't govern what you can't see — shadow AI discovery is the foundation of any AI governance program.