Blog

Article

Frequently Asked Questions About Shadow IT and Shadow AI

Joey Slof
6 minutes
Frequently Asked Questions About Shadow IT and Shadow AI
This article provides a concise overview of the most common questions surrounding Shadow IT and Shadow AI.

What is Shadow IT?

Shadow IT refers to software and cloud applications that employees use without the approval or oversight of the organization. Examples include free online tools, personal cloud storage services, or project management platforms operating outside the official IT environment.

The challenge is simple: the organization no longer knows which systems are being used, who is using them, or, most importantly, where company and customer data is being stored.

What is Shadow AI?

Shadow AI is a subset of Shadow IT focused specifically on AI tools. Employees use AI solutions such as ChatGPT, Claude, or local large language models (LLMs) for tasks including:

  • Writing content
  • Summarizing meetings
  • Analyzing documents
  • Creating proposals
  • Generating code

The risks differ from those associated with traditional software. Issues such as training data usage, hallucinations, compliance requirements, and transparency require separate consideration.

How Do Shadow IT and Shadow AI Develop?

Shadow IT rarely emerges because of negligence. More often, it stems from structural organizational challenges:

Rigid IT Processes

Software procurement can take months. A new tool can be available for free within minutes. The choice becomes obvious.

IT and Business Teams Operate in Silos

If IT consistently says "no" and business teams are excluded from tool selection, employees eventually stop asking and start finding their own solutions.

Lack of Trust in IT Security Policies

Many employees believe IT blocks everything "for security reasons" without fully understanding why. As a result, they trust their own judgment more.

No Budget for Small Tools

A team needs a $50-per-month solution. Obtaining approval takes weeks, while a free alternative is available immediately.

Limited Visibility into Available Solutions

Employees often don't know which approved tools already exist and therefore seek alternatives themselves.

This means stricter policies alone rarely solve the problem. Organizations must streamline processes, strengthen collaboration between IT and business teams, and build trust.

What Are the Risks of Shadow IT?

Shadow IT introduces several significant risks.

Data Breaches and Compliance Violations

  • Company or customer data is stored in unapproved applications.
  • GDPR violations occur due to missing processing agreements, inadequate data residency controls, or a lack of audit trails.
  • Employees upload customer information or contracts into unauthorized tools.

Loss of Control

  • Organizations lose visibility over where data is stored and who can access it.
  • Security incidents can remain unnoticed for weeks.
  • Backups, monitoring, and incident response become nearly impossible.

Unmanaged Integrations and Permissions

  • External tools gain access to Microsoft 365, Google Workspace, GitHub, or other systems.
  • Organizations often don't know why the access exists or what permissions were granted.
  • Every connected tool creates another potential attack surface.

Vendor Lock-In

  • Teams become dependent on a specific platform.
  • Leaving becomes difficult, even when security concerns emerge.

Business Continuity Risks

  • Free tools can disappear overnight.
  • Vendors can dramatically increase pricing.
  • No service-level agreements, support commitments, or contractual guarantees exist.

What Are the Risks of Shadow AI?

AI acts as a force multiplier. That creates opportunities, but also amplifies mistakes.

Training Data and Privacy Violations

  • An employee uploads a customer contract to ChatGPT.
  • Sensitive information such as salaries, medical records, or negotiation details is transferred to external systems.
  • Data could potentially influence future model outputs.

Hallucinations in Compliance-Sensitive Contexts

  • AI generates contracts containing inaccurate clauses.
  • Regulatory summaries omit critical details.
  • Legal guidance appears authoritative despite being incorrect.

EU AI Act Compliance Risks

Employees may use AI for:

  • Candidate selection
  • Performance reviews
  • HR decision-making

Many of these applications fall under the "high-risk" category of the EU AI Act.

Organizations must be able to demonstrate:

  • How the AI system works
  • What risks exist
  • How monitoring and governance are performed

That becomes impossible if nobody knows which AI tools are being used.

Vendor Lock-In Through Training Data

Organizations that train AI systems using proprietary data may find it difficult—or impossible—to fully withdraw that information later.

Lack of Version Control and Auditability

Organizations need answers to questions such as:

  • Which AI model generated this output?
  • Which version was used?
  • Who used it?
  • What data was provided?

These details are essential for audits and incident investigations.

How Can You Identify Shadow IT and Shadow AI?

Shadow IT and Shadow AI are often hidden, but warning signs exist.

Technical Indicators

  • Unknown applications have OAuth or SSO access to Microsoft 365 or Google Workspace.
  • Employees use personal accounts for business activities.
  • Files are shared through personal OneDrive, Dropbox, or Google Drive accounts.
  • AI tools are installed without tracking or governance.

Organizational Indicators

  • Multiple teams use different tools for the same purpose.
  • No central software inventory exists.
  • AI tools are used without policies or training.
  • Nobody can confidently explain where business data is stored.
  • Teams casually mention they've "always used AI for this."

Business Indicators

  • Teams depend on unsupported software.
  • Critical processes rely on free tools.
  • Integrations are improvised or manually maintained.
  • Customer data appears in AI-generated outputs unexpectedly.

When Is Shadow IT Acceptable?

Not all Shadow IT carries the same level of risk.

Controlled Experimentation

  • Teams test a tool for a predefined period.
  • No production data is involved.
  • A formal review follows the trial.

Low-Risk Collaboration Tools

  • Teams use platforms such as Figma or Miro for concepts and mockups.
  • No sensitive or customer data is involved.
  • Usage is transparent.

Internal-Only AI Use Cases

  • Employees use AI to organize personal notes.
  • No customer or confidential business information is processed.

The key consideration is always the sensitivity of the data involved.

How Can You Prevent Shadow IT?

Prevention starts with visibility and efficient processes—not stricter rules.

Accelerate IT Approval Processes

  • Standard tools should be approved in days, not months.
  • Trials should be possible without lengthy approval cycles.

Provide Strong Official Alternatives

When employees have access to effective tools, they are less likely to seek alternatives.

Build Trust Between IT and Business

  • IT should participate in business discussions.
  • Business teams should understand the reasons behind security controls.
  • Risk tolerance should be defined collaboratively.

Train Employees

Awareness alone isn't enough.

Provide:

  • Clear guidelines per tool
  • Practical examples
  • Regular refresher training

Regularly Review Application Integrations

  • Audit OAuth permissions monthly.
  • Remove unused applications.
  • Monitor critical integrations.

Use Multi-Factor Authentication Everywhere

MFA significantly reduces account compromise risks.

Establish Clear AI Policies

For example:

  • No customer data in public AI tools unless explicitly approved.
  • No sensitive business information in non-EU-hosted AI services.
  • Mandatory approval for high-risk use cases.
  • Maintain documentation of approved AI usage.

How Do You Remediate Existing Shadow IT?

The first step is visibility.

1. Inventory Everything

  • Review OAuth integrations in Microsoft 365 and Google Workspace.
  • Ask teams which tools they use weekly.
  • Analyze invoices and company credit card expenses.

2. Assess Risk

For each application:

  • What type of data is processed?
  • Where is the data stored?
  • Is there a data processing agreement?
  • Does the EU AI Act apply?
  • How critical is it to operations?

3. Take Action

Green: Approve and monitor.

Yellow: Allow temporarily while planning migration or replacement.

Red: Remove, migrate data, and implement alternative solutions.

4. Establish Future Governance

Define:

  • Which tools require approval
  • Which tools are prohibited
  • Who approves new software
  • Expected approval timelines

5. Continuously Monitor

  • Monthly reviews of new integrations
  • Quarterly reviews of approved software usage
  • Annual reassessments

What Helps During Large-Scale Remediation Projects?

When Shadow IT has grown significantly, external expertise can accelerate remediation efforts.

External specialists are particularly valuable for:

  • Large software estates with hundreds of tools
  • Independent risk assessments
  • Microsoft 365 and Entra ID audits
  • Data migration projects
  • GDPR, AI Act, and industry-specific compliance reviews

External support may not be necessary when:

  • The organization is relatively small
  • Existing visibility is already strong
  • Internal IT and compliance teams have sufficient capacity
  • The goal is monitoring rather than large-scale cleanup

Summary

Shadow IT is often a symptom of speed, accessibility, and trust issues—not simply poor governance.

Most Shadow IT can be prevented by making IT processes faster and bringing IT closer to the business.

AI acts as an amplifier. If Shadow IT is already a challenge, Shadow AI can make it significantly larger.

  • Remediation takes time, but it restores visibility, control, and security without unnecessarily slowing innovation.
#Ai #NWOW #Organization Change

About the author

The people and teams behind this article.

Applied AI, without the theatre

Want to see how this works in your organisation?

We help teams turn AI concepts into working workflows, usable tools, and measurable operational gains.

Start a 14-day AI sprint

Further reading

Continue reading

A few more articles worth reading after this one.

Hugo Pragt
Hugo Pragt

Distributed Teams: how to (really) make it work

In today's globalised world, working in distributed teams has become increasingly common. At Infodation, we have mastered the art of leveraging the strengths of ...
09 May 2025
Hugo Pragt
Hugo Pragt

Production Ready: Ensuring Seamless Transition from Development to Deployment in Custom Software

The Production Readiness Review (PRR) is a critical milestone that determines whether a software system is ready for deployment. It assesses whether adequate pl ...
11 April 2025
Elsje van de Kraats
Elsje van de Kraats

From Chaos to Clarity: The business value of visual hierarchy in complex interfaces

In my previous blog, I wrote about the added value of UX and UI design in software. If you haven't read it yet – you can find it here. In complex IT systems, ...
28 April 2025
Infodation Logo
info@infodation.nl
+31 172 759 002
Follow us on LinkedIn

What We Build

AI Solutions Consulting & Architecture UX / UI Design Software Development System Integration & Migration Cloud, Hosting & Support

Markets

Telecom & Connectivity Logistics & Distribution Energy, Oil & Gas Production & Manufacturing Other Industries

Explore

Home Cases Articles & Insights Vacancies Events About Us Contact
© 2026 Infodation KVK 34355772
Privacy Policy Terms and Conditions Campaigns Whitepapers
ICT Waarborg ISO 27001 Infodation SBB