Shadow AI: Detection and Action

Avatar
Lisa Ernst · 13.11.2025 · Technology · 7 min

In many companies, Shadow AI has long since become a reality. Studies show that a large proportion of employees use unauthorized AI tools and input sensitive data. This article offers a step-by-step guide to making Shadow AI visible and managing it without hindering innovation.

Fundamentals of Shadow AI

Shadow AI refers to the use of AI systems within a company that takes place outside official IT and governance structures. Swisscom describes this as the use of unapproved or private AI tools with company data that are neither controlled nor documented ( swisscom.ch). ). This leads to “blind spots” in security, data protection, and compliance, as it is unclear which data flows where and which models influence decisions ( swisscom.ch).

The Cloud Security Alliance summarizes the main problems: uncontrolled data leaks, increased compliance risks, and automated workflows that bypass established controls ( cloudsecurityalliance.org). ). Examples include employees using private chatbots to formulate emails, teams integrating open-source models without consultation, or browser plugins with AI functions that extract content from emails or CRM data.

Source: YouTube

Step 1: Define the scope and playing field

Before Shadow AI can be detected, it must be clearly defined what constitutes Shadow AI in your context. Three guiding questions help with this:

A written definition, such as “Shadow AI is any use of AI tools, models, or AI functions with corporate data that has not been explicitly approved by IT, information security, and data protection,” establishes a clear line for all subsequent steps.

Detection Methods

Shadow AI poses significant risks to companies, including misinformation and the exposure of sensitive data.

Source: walkme.com

Shadow AI poses significant risks to companies, including misinformation and the exposure of sensitive data.

Step 2: Ask employees openly instead of just controlling them

Employees often use AI out of a desire for higher productivity. IBM shows that they see AI as a help but switch to private tools due to a lack of official offerings ( ibm.com). ). Transparency is more effective than surveillance. A short, honest survey can provide insights:

Workshops with key areas (e.g., Sales, HR, Development) can reveal specific use cases. It is important to emphasize that this is not about control, but about jointly finding secure solutions. Employees sometimes use Shadow AI with the silent approval of their superiors because official alternatives are missing ( techradar.com). ). The result is an initial map of reality and the identification of valuable shadow solutions.

Step 3: Analyze network and browser trails

Objective measurements through network access and browser usage are crucial. In smaller environments, proxy or firewall logs can be used; in larger ones, Secure Web Gateways or Cloud Access Security Brokers. The goal is to find out which AI-related services are accessed from the network and by whom.

Typical indicators are:

A report by Cyera shows that generative AI tools like ChatGPT are a major cause of data leaks, as employees copy and paste sensitive content into personal accounts ( tomsguide.com). ). Classical DLP tools often do not recognize this. The goal is to recognize patterns: Which AI services appear regularly, which were not mentioned in surveys, and which areas are particularly noticeable?

Step 4: Check SaaS and identity integrations

Shadow AI is also hidden in linked apps and plugins. Important checks include:

This is where the "quiet" shadows become visible: AI functions quietly integrated into systems but with deep-reaching access.

Step 5: Check development, pipelines, and models

In software development, Shadow AI is often present in the code ecosystem. Practical approaches are:

This step uncovers technical shadow projects: internal models, scripts, or automations that run productively but have never gone through a governance process.

Strategies and Management

Dealing with Shadow AI requires a shared understanding of the risks and the development of appropriate solution strategies within the company.

Source: demeterict.com

Dealing with Shadow AI requires a shared understanding of the risks and the development of appropriate solution strategies within the company.

Step 6: Layer data classification on top

Detection alone is not enough; risk assessment is crucial. A pragmatic way is to define simple data classes:

Subsequently, the found AI uses are classified: Which Shadow AI cases only concern internal, non-personal data? Where are customer, patient, or employee data given to external, unregulated services? Swisscom emphasizes that Shadow AI becomes dangerous when sensitive data ends up in tools that are neither contractually secured nor technically controlled ( swisscom.ch). ). Cyera warns that generative AI surpasses classical channels as the main source of data leaks, as employees copy confidential content into AI chats ( tomsguide.com). ). The combination of “highly sensitive data” and “uncontrolled external AI” is the first priority area for measures.

Step 7: Create a safe space for AI experiments and reporting channels

Bans alone do not eliminate Shadow AI; they encourage circumvention strategies. Many executives report that employees switch to private tools when official alternatives are missing ( upwork.com). ). Therefore, it is important:

). This turns Shadow AI from a risk into an idea radar for sensible, official AI uses.

Source: YouTube

Step 8: Set up continuous monitoring and clear rules

Shadow AI is a continuous process that requires technical visibility and clear guardrails. Building blocks for this are:

This shifts the balance from random shadow decisions to visible, controllable AI usage.

Conclusion and Outlook

AI-generated shadows can be subtle and remain unnoticed at first glance – similar to Shadow AI in business processes.

Source: user-added

AI-generated shadows can be subtle and remain unnoticed at first glance – similar to Shadow AI in business processes.

Detecting Shadow AI in companies does not mean opening a witch hunt for employees. It means honestly analyzing where AI is already in use, what data is being moved, and which risks are critical. The figures show that unauthorized AI usage is the rule rather than the exception today, with all its opportunities and dangers ( cybernews.com) ibm.com).

By implementing the steps in this guide - definition, open questioning, technical visibility, data classification, creating a safe space, and continuous governance - companies can make Shadow AI visible, systematically evaluate it, and convert shadow projects into official, secure AI solutions. The real opportunity lies in collaborating with the people who are already creatively using AI, rather than acting against them.

Share our post!