
Shadow AI Is a Leadership Problem, Not a Technology Problem

Shadow AI usage occurs when organisations demand productivity, restrict AI tools, and skip training, governance, and risk management.


TLDR:

  • Shadow AI describes the use of AI tools within organisations without approval from IT or security teams.
  • 81% of employees use unapproved AI tools, and 45% of workers have used AI at work without informing employers, often paying for tools themselves.
  • Employees routinely enter sensitive data into unsanctioned tools, and IBM puts the average cost of a breach involving AI negligence at $10.22 million.
  • Most AI governance frameworks are reactive, with only 37% of organisations having policies to detect shadow AI.
  • Emerging agentic AI systems, already adopted at many firms, present governance challenges that current frameworks are not equipped to address.

Shadow AI refers to any artificial intelligence tool, AI model, or system used inside an organisation without the approval or oversight of IT, security, or risk management teams. 

It follows the same pattern as shadow IT: workers adopting capable, unofficial tools to solve workflow problems their organisations haven’t addressed. The difference lies in the scale, the speed, and the sensitivity of the data involved: a prompt is a paste of whatever was on the clipboard, and the tool on the other end is outside the organisation’s control.

By the numbers: Shadow AI statistics

  • UpGuard’s State of Shadow AI report found that 81% of employees and 88% of security leaders use unapproved AI tools. 
  • Harmonic’s analysis of over 22.4 million prompts discovered 665 generative AI applications and AI-embedded tools across enterprise environments. 
  • Gartner’s 2025 survey of 302 cybersecurity leaders found that 69% of organisations suspect or have confirmed employees using forbidden public generative AI tools.
  • Per Fortune, 78% of executives say they want to ‘discipline shadow AI use,’ but 34% of workers don’t know which AI tools their employers have approved.

Why shadow AI adoption keeps growing

People want tools that save them time. A 2025 report by the London School of Economics found that professionals using AI save 7.5 hours per week on average. Workers find capable generative AI tools, adopt them, and produce better output faster.

Meanwhile, a 2025 Gusto survey found that 45% of US workers have used AI at work without telling their employers, and 66% of those workers pay for the tools themselves.

Yet, only 21% of workers report ever being warned about AI policy. The absence of communicated policy on approved AI use leaves workers to make their own decisions about which generative AI tools to use and how.

The data and security risk of shadow AI

When employees use unvetted AI tools without IT visibility, sensitive information enters uncontrolled environments. 

BlackFog’s shadow AI risk research reveals that 33% of employees using unsanctioned AI tools shared research data, 27% shared employee records including salaries and performance data, and 23% entered company financial statements.

Shadow AI adds an average of $670,000 to breach costs, and breaches involving AI negligence cost organisations an average of $10.22 million, per IBM’s 2025 Cost of a Data Breach Report.

The same report found that one in five organisations (20%) has already experienced a breach linked to unsanctioned AI.

Why AI governance keeps failing

Only 37% of organisations have policies to manage or detect shadow AI, meaning most governance frameworks arrive after widespread shadow AI usage is already established. 

A 2023 Salesforce survey of 14,000 employees found that 55% of workers globally use unapproved AI tools, and 40% do so even when explicitly banned.

All of this adds up to compliance gaps. The EU AI Act introduces regulatory pressure that raises the cost of inaction, and organisations without visibility into their own AI usage cannot demonstrate compliance with external frameworks, because they cannot even list the systems those frameworks apply to.

Managing shadow AI: what works

Effective shadow AI management starts with visibility into which AI apps and tools employees already use. In practice that visibility comes from data the organisation usually already holds: web-proxy and DNS logs, SSO and OAuth consent records, browser extension inventories, and expense claims for AI subscriptions.

Blocking shadow AI tools without first auditing shadow AI usage patterns removes visibility without removing risk. Workers simply move to personal devices, personal accounts, or less traceable AI systems.

  1. Audit: map current shadow AI tool usage across the organisation. Goal: establish visibility.
  2. Communicate: publish clear policies on approved and unsanctioned AI use. Goal: address the awareness deficit.
  3. Provide alternatives: deploy governed AI platforms that match employee workflow needs. Goal: remove the incentive for unsanctioned AI.
  4. Train: build role-specific AI capability covering practical use and AI risks. Goal: reduce AI misuse at the source.
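The audit step above is the one that can be automated. The script below is an added example, not code from the original article: it reads constructed web-proxy log lines, matches destination hosts against an assumed list of AI providers (one of which, copilot.microsoft.com, is treated as the sanctioned platform), tallies who used which tool, and flags large POST uploads to unsanctioned services as the first candidates for a conversation about what was shared. The log format, domain lists and upload threshold are assumptions to be replaced with the organisation’s own.

```python
"""Inventory generative-AI SaaS traffic from web-proxy logs.

Added example for the audit step; not from the original article.
The domain lists, log format, threshold and log lines are constructed assumptions.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: one sanctioned AI platform; every other known AI domain is flagged.
# Matching is on registrable-domain suffix so subdomains (api.openai.com) count.
SANCTIONED_AI = {"copilot.microsoft.com"}
KNOWN_AI = {
    "openai.com", "chatgpt.com", "claude.ai", "anthropic.com",
    "gemini.google.com", "perplexity.ai", "huggingface.co",
}

# Constructed sample proxy log, one request per line:
# timestamp user method url status bytes_sent_by_client
SAMPLE_LOG = """\
2025-06-02T09:14:11Z alice POST https://chatgpt.com/backend-api/conversation 200 48211
2025-06-02T09:15:02Z alice GET https://copilot.microsoft.com/ 200 312
2025-06-02T09:20:45Z bob POST https://claude.ai/api/organizations/x/chat_conversations 200 9120
2025-06-02T09:22:10Z bob GET https://www.example.com/ 200 140
2025-06-02T10:01:33Z carol POST https://api.openai.com/v1/chat/completions 200 1500
2025-06-02T10:05:00Z carol POST https://api.openai.com/v1/chat/completions 200 612000
"""

LARGE_UPLOAD_BYTES = 500_000  # assumption: request bodies this size deserve a human look


def ai_provider(host):
    """Return the matching AI domain (sanctioned or not), or None for other traffic."""
    host = host.lower()
    for dom in SANCTIONED_AI | KNOWN_AI:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def parse_line(line):
    """Split one whitespace-separated log line into a record dict."""
    ts, user, method, url, status, bytes_out = line.split()
    return {
        "ts": ts, "user": user, "method": method,
        "host": urlsplit(url).hostname or "",
        "status": int(status), "bytes_out": int(bytes_out),
    }


def audit(log_text):
    """Summarise AI usage: who used which tool, which users touched
    unsanctioned tools, and which uploads are large enough to follow up on."""
    usage = defaultdict(lambda: defaultdict(int))  # user -> domain -> request count
    unsanctioned_users = set()
    large_uploads = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        dom = ai_provider(rec["host"])
        if dom is None:
            continue  # not AI traffic
        usage[rec["user"]][dom] += 1
        if dom not in SANCTIONED_AI:
            unsanctioned_users.add(rec["user"])
            if rec["method"] == "POST" and rec["bytes_out"] >= LARGE_UPLOAD_BYTES:
                large_uploads.append((rec["user"], dom, rec["bytes_out"]))
    return {
        "usage": {u: dict(d) for u, d in usage.items()},
        "unsanctioned_users": sorted(unsanctioned_users),
        "large_uploads": large_uploads,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for user, tools in sorted(report["usage"].items()):
        print(user, tools)
    print("unsanctioned:", report["unsanctioned_users"])
    print("large uploads:", report["large_uploads"])
```

Run against a real proxy export, the output is the starting inventory for step 1: a per-user list of AI destinations and a short list of large uploads to unsanctioned services. Two caveats a practitioner will hit immediately: traffic from personal devices on guest Wi-Fi or mobile data never reaches the proxy, which is exactly the blind spot that blanket blocking widens, and a domain list is only as good as its last update, so pair it with the OAuth consent log from the identity provider, where “Sign in with Google/Microsoft” to a new AI app shows up as a new third-party grant.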

Organisations with governed AI alternatives report lower rates of unsanctioned AI tool use. Workers with access to approved AI platforms have less reason to seek out unapproved ones. 

Training failure remains a primary driver of shadow AI risk. According to 2025 research from SAP, over two-thirds of UK businesses report ‘shadow AI’ use, and 60% say staff haven’t completed comprehensive AI training, which means most workers have never received formal guidance on what can safely be put into an AI tool.

Shadow AI agents

The current shadow AI conversation focuses on generative AI tool usage: employees using AI chatbots, AI features embedded in consumer apps, and unsanctioned AI tools to produce output at work.

But agentic AI systems (autonomous AI agents built on frameworks like LangChain) are already in production at some organisations. In a PwC May 2025 survey of 300 senior executives, 79% said AI agents are already being adopted in their companies.

Unlike a single paste into a generative AI platform, an agentic AI system with API access to internal data runs continuously, takes actions across connected systems, and generates output without human review at each step. The exposure is no longer what one person chose to share in one prompt; it is whatever the agent’s credentials can reach, for as long as it runs.

Governance frameworks built for today’s shadow AI usage aren’t fully equipped to address agentic AI risk. 

This is especially critical because shadow AI risks are projected to produce compliance and security incidents affecting over 40% of enterprises by 2030, per Gartner.

For enterprises that default to bans instead of enablement and governance, wider agentic AI adoption will merely accelerate that timeline.
