
The Real Risks of “Shadow AI” That Managers Don’t Know About

The Unignorable Reality of “Shadow AI”

Is your company’s staff secretly using ChatGPT or Claude without permission?

According to a Yahoo! News survey, the use of “Shadow AI” is spreading in companies. Shadow AI refers to generative AI services that employees start using individually without IT department approval.

What’s surprising is that managers are actually less aware of the risks of Shadow AI than regular employees. This reveals a reality where managers lack AI literacy while AI is being used recklessly on the front lines.

This article analyzes this issue from a management perspective and presents concrete countermeasures.

Why Shadow AI Is Dangerous

The biggest risks of Shadow AI are “information leaks” and “compliance violations.”

If employees input customer data or internal confidential information into the free version of ChatGPT, that data could be used for model training on OpenAI’s servers. This could lead to violations of personal information protection laws and confidentiality agreements with business partners.

Additionally, even if AI responses contain incorrect information, there’s a risk that employees will use them in their work as-is. Without managers verifying AI outputs, projects could proceed based on flawed decisions.

In my own work supporting AI adoption at client companies, I often hear, “We can’t keep track of which AI tools employees are using on their own.” This isn’t just an IT management issue—it’s a management risk in itself.

Why Managers Have Low Awareness

There are two main reasons why managers show low awareness in the survey.

The first is that they “haven’t mastered AI themselves.” Managers have few opportunities to interact with AI and can’t truly grasp the risks. It’s hard to imagine the dangers of something you don’t use.

The second is that they “can’t see what’s happening on the ground.” Managers don’t have a detailed understanding of their subordinates’ work. Especially with the rise of remote work, it’s difficult to see which tools employees are using and when.

If left unchecked, Shadow AI will only expand further. The fact that managers “don’t know” is the biggest risk of all.

Three Actions Executives Should Take

So, what should you do specifically? Here are three measures I actually propose to my clients.

1. Operate with a “Blocklist” Instead of an “Allowlist”

If you say “all AI tools require approval,” the approval process becomes cumbersome, and employees will ignore it out of annoyance. Instead, a practical approach is to create a list of prohibited AI tools and allow everything else.

Specifically, create a blocklist based on the following criteria:

  • Free AI services that store data on external servers
  • Services whose terms of use allow training on input data
  • Services that haven’t obtained security certifications (such as SOC 2)

With this method, employees can freely try AI, but they can’t use dangerous tools. Management effort is also minimized.
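
The three criteria above can be turned into a machine-checked blocklist, and proxy logs can then show who is still reaching blocked services. This is an added example, not part of the original article; the service inventory, the `.example` domains, the log format, and the rule that any single criterion is enough to block a service are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class AIService:
    domain: str
    free_tier: bool          # employees use the free plan
    stores_externally: bool  # inputs are kept on the vendor's servers
    trains_on_input: bool    # terms of use allow training on input data
    certified: bool          # holds a security certification such as SOC 2

# Constructed inventory; placeholder domains, not assessments of real vendors.
INVENTORY = [
    AIService("chat.free-ai.example", True, True, True, False),
    AIService("assist.corp-ai.example", False, True, False, True),
    AIService("notes.summarizer.example", False, True, False, False),
]

def block_reasons(s):
    """Return every blocklist criterion the service meets (assumed: any one blocks)."""
    reasons = []
    if s.free_tier and s.stores_externally:
        reasons.append("free service storing data externally")
    if s.trains_on_input:
        reasons.append("terms allow training on input")
    if not s.certified:
        reasons.append("no security certification")
    return reasons

def build_blocklist(inventory):
    return {s.domain: r for s in inventory if (r := block_reasons(s))}

# Constructed proxy log, assumed format: "<timestamp> <user> <method> <url>"
PROXY_LOG = """\
2024-05-01T09:12:03Z alice POST https://chat.free-ai.example/api/conversation
2024-05-01T09:13:40Z bob POST https://assist.corp-ai.example/v1/chat
2024-05-01T09:15:22Z alice POST https://CHAT.free-ai.example/api/conversation
2024-05-01T09:20:10Z carol GET https://notes.summarizer.example/upload
malformed line
"""

def blocked_usage(log_text, blocklist):
    """Count requests per (user, blocked domain); malformed lines are skipped."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        host = urlsplit(parts[3]).hostname or ""  # hostname is already lowercased
        for d in blocklist:
            if host == d or host.endswith("." + d):  # domain or any subdomain
                hits[(parts[1], d)] += 1
    return hits
```

Keeping the reasons next to each blocked domain lets the block page or follow-up message tell the employee which criterion the service failed.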

2. Mandate AI Literacy Training for All Employees

Conduct basic AI literacy training for all employees, including managers. The following three points are sufficient:

  • Information that must not be entered into AI (personal data, confidential information, client information)
  • AI responses must always be verified by a human
  • Any AI tools used must be reported

The training can be as short as 30 minutes. What’s important is to enforce the rule that “I didn’t know” is not an excuse.

3. Introduce Official AI Tools to Eliminate Shadow AI

The root cause of Shadow AI is that “employees want to use AI, but the company hasn’t provided official tools.”

Therefore, introduce safe AI tools as a company and create an environment where all employees can use them. For example, ChatGPT Enterprise (approximately $28/user/month) or Microsoft Copilot (approximately $22/user/month) ensures that data is not used for training and that security is guaranteed.

There is a cost, but it’s a cheap investment considering the risk of information leaks. It’s about $300–$400 per user annually. For 10 people, that’s $3,000–$4,000 per year; for 100 people, $30,000–$40,000.

At one of my clients, reports of Shadow AI dropped dramatically after introducing official tools. When employees use “company-approved safe AI,” risks decrease significantly.

Turning Shadow AI into an Opportunity

Shadow AI is a risk, but it’s also a sign of employees’ desire to actively use AI.

Rather than ignoring this need, properly establish guidelines and enable AI use in a safe environment. That’s the role of management.

For example, holding an internal “AI Use Case Contest” to share excellent practices is effective. Create a system where employees voluntarily try AI and share their insights across the organization.

At my company, we provide an environment where all employees can freely try AI tools. However, we have a rule that they must report which AI tools they used and for what purpose. With this system, we’ve had zero information leaks so far.

Summary: Changing Manager Mindsets Is Urgent

The risk of Shadow AI isn’t a technology problem—it’s a “people problem.” The low awareness among managers is particularly serious, and if left unaddressed, it could damage a company’s credibility.

First, start by understanding the actual situation: which AI tools are being used in your company. Then, consider implementing a blocklist, introducing official tools, and conducting training.

AI can be a powerful weapon for management. But used without order, it can also become a weapon that harms the company. Leverage AI under proper governance to enhance competitiveness. The first step is making Shadow AI visible and managing it.

Is your company truly “managing” AI?
