Shadow AI: What It Is, Why It’s Everywhere, and What You Should Actually Do About It

60% of employees admit they’d use an unsanctioned AI tool to meet a deadline. If that number surprises you, the actual situation at your organization is probably worse than you think.

By Sana Mian, Co-Founder of Future Factors AI

  • 60%: Use unsanctioned AI to meet deadlines
  • 1 in 3: Workers outside IT oversight
  • 86%: Use AI tools weekly
  • 31%: Get no AI training

TL;DR

Shadow AI means using AI tools at work without your employer’s approval. It’s not a niche problem. Between a fifth and a third of all workers currently do it, and the numbers are climbing.

This article explains what shadow AI is, why people do it (the reasons are understandable), the actual risks involved, and concrete steps for both employees and managers to handle it sensibly.

What shadow AI actually is

Shadow AI is using AI tools for work tasks without your employer’s knowledge or authorization. It sounds dramatic when phrased that way, but in practice it’s often just: you needed to draft a document quickly, you opened ChatGPT, you got the draft. Your company has no official AI policy. That’s shadow AI.

The term borrows from “shadow IT,” which has been a headache for IT departments for years. That’s what happens when employees use unsanctioned apps, storage services, or software because the approved alternatives are slow, expensive, or simply not provided. AI has the same dynamic, but the adoption speed is much faster and the potential for sensitive data exposure is higher.

It’s worth being clear about what shadow AI is NOT. It’s not employees using their company’s approved AI tools. It’s not using AI on personal time. It’s specifically using AI tools that the company hasn’t vetted or approved to process work-related information.

How widespread shadow AI actually is: the numbers

Let’s start with what’s verified. A Lenovo research series in 2026 surveyed 6,000 full-time employees at enterprise organizations globally. The findings are striking: between one-fifth and one-third of all workers are currently using AI outside the influence and governance of their IT function. [1]

Separately, a BlackFog study of 2,000 employees (1,000 each in the UK and US) found that 86% now use AI tools at least weekly for work-related tasks. [2] Not all of those are unsanctioned, but among respondents who used unapproved AI tools, 58% were relying on free consumer versions that lack enterprise-grade security or data governance protections.

60% of employees agree that using unsanctioned AI tools is worth the security risk if it helps them work faster or meet deadlines. (BlackFog, 2026)

On the training gap: 31% of employees report getting no AI training from their employer, and a significant share of those who do receive training describe it as irregular or one-off rather than ongoing. [1] Meanwhile, 80% of employees expect their personal AI use to increase over the next year. The trajectory is clear: adoption is outpacing governance everywhere.

Why employees do it (and why the reasons make sense)

Before jumping to “we need to lock this down,” it’s worth understanding why shadow AI happens. The honest answer: because AI tools are genuinely useful, easy to access, and many employers either haven’t provided approved alternatives or haven’t told employees what’s allowed.

63% of respondents in the BlackFog study said they believe it’s acceptable to use AI tools without IT oversight if no company-approved option is provided. [2] That’s not recklessness; it’s a reasonable conclusion when you’re faced with a deadline and no guidance.

The barrier to entry is also essentially zero. There’s no procurement process, no IT ticket, no waiting. You open a browser tab. The productivity gain can be immediate and significant. For an employee under pressure, that’s a compelling case.

The Lenovo data shows that half of all employees say better training and better approved tools would help them get more value from AI at work. [1] People aren’t trying to circumvent the organization. They’re trying to do their jobs.

The real risks: what can actually go wrong

The risks of shadow AI are real, but they’re worth being precise about rather than catastrophizing. The main categories are data exposure, compliance, and inconsistency.

Data exposure

When you paste company information into a consumer AI tool, that information is processed by systems your employer hasn’t assessed. Free tier products from most AI providers explicitly state that your conversations may be used to train their models. That means confidential strategy documents, client data, employee information, or financial figures could potentially end up in a training dataset.

The BlackFog data is specific on this: among employees using unapproved AI tools, 33% had shared research or data sets, 27% had shared employee data like names, payroll, or performance information, and 23% had shared financial statements or sales data. [2]

Compliance exposure

Depending on your industry, data protection regulations (GDPR in Europe, CCPA in California, sector-specific rules for finance or healthcare) may require that any system processing personal data be subject to appropriate technical and organizational controls. A free consumer AI tool almost certainly doesn’t meet those requirements. If a data breach occurred and it turned out employee data was being processed through unsanctioned tools, the liability sits with the organization.

Workflow inconsistency

This one gets less attention but it matters. When different team members use different AI tools with different prompts and different quality standards, outputs are inconsistent. One person’s AI-drafted report looks one way, another’s looks completely different. There’s no baseline for what “good” looks like, and no way to audit what was produced with AI versus without.

The uncomfortable finding: senior leaders are the worst offenders

Here is the detail in the BlackFog research that should concern HR and compliance teams the most: the people most likely to accept security risks for speed are the most senior ones. 69% of respondents at President or C-level said they believe using unsanctioned AI is worth the security risk. 66% of Directors and Senior VPs agreed. [2]

Only 37% of administrative staff and 38% of junior executives said the same.

This matters because senior leaders typically have access to the most sensitive information, and because they set cultural norms. If the leadership team is openly using ChatGPT for board presentations, it signals to the rest of the organization that this is acceptable behavior. A policy that says “get approval for AI tools” needs buy-in from the top, not just enforcement at the bottom.

What you should do as an employee right now

If your company has no AI policy, you’re not alone, but that doesn’t mean anything goes. Here’s a practical framework:

  • Never paste personally identifiable information into a consumer AI tool. Names, email addresses, salaries, performance data: none of it should go into ChatGPT or similar tools on a free or consumer plan. Ever.
  • Treat confidential business information the same way. Strategy documents, client details, unreleased financial data, M&A discussions: if it wouldn’t go on a public forum, it shouldn’t go into an unapproved AI tool.
  • AI for your own work is generally lower risk. Using AI to help structure your own thinking, draft a presentation outline from scratch, or improve your personal writing involves much lower data exposure than processing documents full of company information.
  • Ask your manager or IT team for clarity. “What AI tools are we allowed to use?” is a completely reasonable professional question in 2026. If the answer is “we don’t have a policy yet,” document that you asked and use the principles above in the meantime.
  • Check your employment contract. Some contracts have confidentiality clauses that could be interpreted broadly enough to cover AI tool use. It’s worth knowing what you’ve agreed to.

For more on building smart AI habits, our 30-day AI confidence framework covers this in depth.

What managers and HR teams should do

The instinct to ban all unapproved AI tools is understandable but usually counterproductive. Employees have already found workarounds. A blanket ban with no alternatives leaves your team less productive and equally exposed, because they’ll still use consumer tools; they’ll just do it more quietly.

A more effective approach:

1. Publish a clear, simple AI use policy

One page is enough. Cover: which tools are approved, what types of data can and can’t be used with AI, who to ask if someone is unsure, and how to report a potential issue. Avoid legalese. People need to be able to remember what the policy says without re-reading it every time.

2. Provide or identify approved alternatives

Employees use shadow AI because they have no approved option. If you give them a vetted tool that works as well, most of them will use it. Microsoft 365 Copilot, Google Workspace AI, and several enterprise AI platforms now offer data protection guarantees appropriate for business use.

3. Train, don’t just enforce

74% of employees in the Lenovo study said better cybersecurity training on AI-related risks would reassure them. [1] A one-hour training session that explains the specific risks in human terms (not security jargon) and gives clear practical rules is more effective than a policy document nobody reads. See what Future Factors AI’s corporate workshops cover if you’re looking for something ready to roll out.

4. Start from the top

If leadership keeps using consumer AI tools for sensitive work, no policy will stick. The policy needs to apply equally to the C-suite. If senior leaders are visibly using approved tools and talking about why it matters, the cultural signal changes.

What to do this week

If you’re an individual: audit your own AI habits this week. Write down which tools you use at work and for what. Ask yourself honestly: does any of it involve confidential data? If yes, check whether your company has guidance. If there’s no guidance, use the principles above until there is.

If you’re a manager or in HR: the question isn’t “are our employees using shadow AI?” They almost certainly are. The question is “what are we going to do about it?” Start by drafting a one-page AI use policy this week. It doesn’t need to be perfect. Something concrete is infinitely better than silence.

Frequently Asked Questions

What is shadow AI?

Shadow AI is when employees use AI tools that their employer hasn’t sanctioned or approved, usually consumer products like ChatGPT or free AI writing tools, for work tasks. It happens when companies don’t provide approved tools or don’t train employees on what’s allowed.

Is shadow AI illegal?

Shadow AI isn’t illegal in itself, but it can lead to breaches of company policy, data protection regulations, and contractual confidentiality obligations. The risk isn’t legal liability for the employee in most cases; it’s that sensitive company data could be processed by systems the employer hasn’t vetted.

Why do employees use shadow AI?

The main reason is that AI tools are genuinely useful and many employers either haven’t provided approved alternatives or haven’t given employees clear guidance on what’s allowed. When productivity pressure is high and the barrier to using a free AI tool is zero, many people make the pragmatic choice.

What should employees do if their company has no AI policy?

If your company has no AI policy, the safest approach is to avoid entering any confidential, commercially sensitive, or personally identifiable information into consumer AI tools. Use AI for tasks involving only your own work or publicly available information until a policy is established.

How should companies respond to shadow AI?

Banning AI tools without providing alternatives doesn’t work. Employees will find workarounds. The more effective approach is to provide approved tools, publish a clear and simple AI use policy, and run basic training so employees understand what’s allowed and what isn’t.

About This Article

This article was written for professionals navigating AI at work without clear organizational guidance. Statistics are sourced from named primary research. If your organization needs practical AI training or policy support, Future Factors AI’s corporate workshops are built for exactly this.

Sources

  [1] Lenovo / Help Net Security. Shadow AI risks deepen as 31% of users get no employer training. May 2026.
  [2] BlackFog. Shadow AI Threat Grows: BlackFog Research Finds 60% of Employees Would Take Risks to Meet Deadlines. January 2026.
  [3] Zylo. Shadow AI: Causes, Consequences, and Best Practices for Control. 2026.
  [4] Keepnet Labs. What Is Shadow AI? Understanding Risks and How to Manage It. 2026.
  [5] The Hacker News. The Hidden Security Risks of Shadow AI in Enterprises. April 2026.

Sana Mian — Co-Founder, Future Factors AI

Sana is an AI educator and learning designer specialising in making complex ideas stick for non-technical professionals. She has trained 2,000+ learners across corporate teams, bootcamps, and keynote stages. Future Factors offers AI Bootcamps, Corporate Workshops, and Speaking & Consulting for businesses ready to adopt AI without the overwhelm.
