Cyber-summer at the Cybrela academy. 6 cybersecurity webinars, online every other Friday. Register for free ➡️

Shadow AI: How to set rules for using AI in your company

An employee at a desk uses ChatGPT on their phone next to an open laptop showing a work document.

AI found its way into companies before management came up with rules for using it. Employees open ChatGPT or a similar chatbot, paste in part of a contract or a table of client data, and finish their work a few minutes sooner. It works, it saves time, and no one gives it a second thought. This is exactly what's known as Shadow AI. How can you bring the use of AI in your company under control without simply imposing a blanket ban on it?

What is Shadow AI

Shadow AI means that people in a company use artificial intelligence tools without the knowledge or approval of the IT and security team. It builds on the older concept of Shadow IT, meaning software and services that employees acquire outside official processes. With AI, however, the whole problem is faster and less visible. All it takes is a web browser and a free account. No installation, no invoice, no request to IT.

Typically, the tools used this way are public generative tools: chatbots for writing texts, translators, image generators, tools for analysing data or summarising documents. Employees usually don't use them with bad intentions. Often they just want to make their work easier – to write a text faster, understand a document, or test out their idea. That's exactly why Shadow AI spreads through companies so easily. It doesn't look like a breach of the rules; it comes across as an ordinary effort to get work done faster. The problem only arises when the organisation doesn't know it's happening and has no control over which tools people use, what data they put into them, and where that data travels next.

What an organisation risks when AI is used without rules

At first glance, Shadow AI might look like a typical matter for IT, which deals with tools. Someone opens Gemini or ChatGPT, uploads some text, gets help with a spreadsheet or with drafting a contract. Done. But from the organisation's perspective, it's not so much a question of the tool as a question of data, accountability, and control over how employees work with AI. Unmanaged use of AI opens up three main risks:

Data leak: sensitive data entered into public models is something the company will never get back.

Accountability: the organisation, not the tool, is responsible for a faulty AI output.

Regulation: under the AI Act, whoever uses AI is responsible for it, even without developing it themselves.

Data leak

The most common problem arises when an employee enters internal information or client data into a publicly available tool. This could be a trade secret, clients' personal data, contracts, non-public financial documents, or part of internal documentation. Many public models store inputs and may use them further. Once sensitive data are sent to them, it becomes very difficult to regain control over where it ends up and who will have access to it.

Accountability for outputs

AI can be wrong very convincingly, which can be a problem when AI is used in a business setting. If an employee uses an output as the basis for a decision, communication with a client, a legal assessment, or an internal analysis, accountability for the result remains with the organisation. Not with the tool. An even bigger problem arises when no one knows that a given output was created using AI.

Regulatory framework

The AI Act, the European regulation on artificial intelligence (Regulation 2024/1689), also enters into this whole debate. For organisations, the important point is that the regulation doesn't deal only with developers of AI systems, but also with companies that use AI in their operations. A company therefore doesn't have to develop its own AI tool for obligations to arise. It's enough that it brings AI into a process, decision-making, communication with customers, or work with data. What makes Shadow AI awkward in this respect is precisely that accountability doesn't disappear just because management or IT doesn't know the tool is being used. The organisation still bears the risk – it just hasn't named it, assigned it, or brought it under control.

Why Shadow AI arises

It's worth pausing on the cause for a moment, because the solution follows directly from it. Shadow AI almost never arises because employees want to break the rules or harm the company. It arises when people have a tool to hand that genuinely helps them, but the company hasn't told them how to use it safely. There are no rules, no recommendations, and no approved alternative.

When an organisation doesn't officially address AI, people find their own way. Each person according to what they know, what a colleague recommended, or what happens to work at the time. Gradually, various tools, various habits, and various levels of caution settle into the organisation. And the longer it runs on the side, the harder it becomes to retrace who is using what and what data they're putting into AI tools.

How to bring AI in your organisation under control

The goal isn't to stamp out AI. People use it because it helps them. It makes more sense to move it out of the grey zone and into a mode where the organisation knows which tools are being used, what they're for, and what rules apply to them. In practice, this rests on five steps.

Find out where AI is already being used. Start with the actual situation. Which teams use AI? What for? What data do they usually upload there? Don't assume – ask, so that you find out the real situation. Without having the full picture, you can't move any further. Don't be alarmed if it turns out that AI is more widespread in the company than you expected.

Set simple rules. Internal guidelines for working with artificial intelligence that tell employees mainly what they need for everyday work: which tools they may use, what data they must not put into them, when they must verify an output, and when it's better to ask. Write the rules concretely but clearly. Don't turn it into a 20-page directive that no one will ever open.

Introduce an approval process for new tools. New tools will keep appearing, so the organisation needs a simple way to assess and approve them. The important thing is that the process is fast. If approval takes months, people will go back to Shadow AI.

Keep a register of approved tools. Having an overview of which tools are approved, who uses them, and what for is the foundation. AI tools are appearing fast, so update the register regularly.

Offer a safe alternative. This is often overlooked, but it's crucial. If a company bans something, it should at the same time offer an approved way to do the same work safely. A ban without an alternative won't get rid of Shadow AI – it will just drive it deeper into the shadows.

Where to start?

With Shadow AI, it pays to start with a simple question: do we actually know where and how employees are using artificial intelligence? The answer will reveal more than a long debate about whether to allow or ban AI. The organisation will find out which tools are already running in practice, what data people are putting into them, and where the rules need to be set. If you want to turn the use of AI into a managed company practice rather than a set of random habits, we recommend two practical courses at Cybrela Academy.

The course AI in companies under the AI Act is intended for management and responsible persons. It addresses how to set up AI governance, internal rules, and the approval of tools and responsibilities under the European AI Act regulation.

The course Safe use of AI in the company is intended for employees who use AI every day. It explains what data doesn't belong in AI, when to verify outputs, and how to work with the tools without unnecessary risks.

How to bring AI tools under control?

Employees won't stop using AI. Instead of a blanket ban, how can you set rules that leave people their useful AI tools and give the organisation its overview back? Find out at the webinar on 3rd July on cybersecurity and whitelisting of AI tools.

More articles

Are employees using AI tools without approval? Find out what risks Shadow AI brings, what the AI Act has to say about it, and how to set rules for AI in your company.
What must the management of organizations address under the new Cybersecurity Act? An overview of obligations for both the lower and higher regimes, sanctions, and practical implications.
The Cyber Resilience Act (CRA) introduces new cybersecurity requirements for products with digital elements. Whom does the CRA concern and what obligations does it bring?

Newsletter

Do you want to ensure your company is protected from cyber threats while also complying with applicable legislation? Sign up for our newsletter and receive practical advice from our legal consultants.

By clicking subscribe you consent to the processing of your personal data for marketing purposes.