Shadow AI: Implement policies in the company
AI tools are often tested before official approvals. This increases the risk and governance problem. Shadow AI is the second most common form of Shadow IT. The EU AI Act comes into force gradually, with already applicable rules for prohibited practices and requirements for General-Purpose-AI.
Introduction
Shadow AI describes the use of generative AI tools without knowledge or approval of IT. This happens, for example, when texts, code or customer data are pasted into external chats without prior contractual or data-protection review. Shadow IT informally refers to technologies introduced outside official processes; Shadow AI is the specific manifestation for Artificial Intelligence. Governance provides the framework for the safe and compliant use of AI, including policies, roles and controls. An example of this is the NIST AI Risk Management Framework with the functions Govern, Map, Measure, Manage. Model Risk Management (MRM) includes model inventory, validation, monitoring and documentation. It has been established in financial supervision for years (SR 11-7) and transferable to AI models. For an organizational-level management system, there exists the ISO/IEC 42001:2023.
Current status
The current 1Password-Report 2025 shows that Shadow AI is the second-most common Shadow IT category after email. 27% of employees use unauthorized AI apps. Additionally, 37% stated they follow company policies only 'most of the time', indicating policy gaps. Another market observation by Zluri, via Help Net Security , indicates that 80% of AI tools used by employees bypass IT and Security. Regulatory rules in the EU have bans on certain AI practices and AI literacy obligations since 02-02-2025. GPAI obligations have been in force since 02-08-2025 with broader application from 02-08-2026. The EU Commission sticks to the timetable, despite industry pleas for delay, as Reuters reported.

Source: infoproteccion.com
The iceberg model illustrates the hidden nature of Shadow AI compared to officially approved AI systems.
Causes and context
Shadow AI arises from various reasons. Convenience and the desire for productivity gains are the main drivers. Policies are often unclear or inconsistently communicated, as the 1Password-Report shown. Platform dynamics amplify this: low barriers to entry, plug-ins, browser extensions and app integrations make experimentation easier, often without SSO, DLP or audit, such as Help Net Security reports. At the same time, concrete countermeasures come within reach. OWASP describes typical LLM risks such as prompt injection, data leaks, or excessive agent rights, which can serve as anchor points for controls. On the vendor side, enterprise offerings refer to tenant protection, logging and data retention duration control, for example at ChatGPT Enterprise/Edu and Microsoft 365 Copilot.

Source: walkme.com
The main risks of Shadow AI include misinformation, data exposure and potential customer risks.
Facts and misunderstandings
It is documented that Shadow AI is widespread in companies. The 1Password-Report shows that 27% of employees use unauthorized AI apps and Shadow AI is the second-most common Shadow IT category. Additionally, 80% of the AI tools used are unmanaged, leading to large blind spots, such as Help Net Security reports. The duties of the EU AI Act take effect gradually since 2025, with GPAI rules since 02-08-2025 and broader application from 02-08-2026. It is unclear how quickly companies will roll out MRM standards across generative AI. MRM is established in banking supervision ( SR 11-7), ), but maturity levels vary between industries. The claim 'We don't have to do anything until 2026' is false or misleading. Already today EU bans and literacy obligations apply (since 02-02-2025) as well as GPAI obligations (since 02-08-2025). The Commission confirms the timetable, as Reuters reports.
Source: YouTube
Recommendations
To pragmatically and robustly implement Shadow AI guidelines, companies should define permissible use cases, prohibited inputs (e.g., personal data, confidential customer data), allowed tools and approval pathways. The NIST-Rahmenwerk offers a suitable structure for this. A continuous discovery and inventory process is necessary to make new AI tools visible, such as Help Net Security emphasizes. Technical controls such as DLP/labels, Conditional Access, logging and audit trails should be anchored; examples are provided by the Copilot-Architektur. The introduction of MRM processes, including model inventory, documentation of assumptions and data provenance, independent validation, drift and performance monitoring, and change controls, is essential. SR 11-7 offers here a robust blueprint. Whoever wants to establish governance that is organizationally certifiable, can ISO/IEC 42001 as a management system and the NIST-Playbook use for concrete measures.

Source: linkedin.com
An ethical framework is essential for the responsible use of AI and the implementation of policies.
Outlook
Open questions concern the specification of GPAI requirements and the expectations of the supervisory in audits. The Commission continues to work on guidance documents and sticks to the phased plan, as Reuters reports. The standardization of tests for prompt-injection and agent risks in complex workflows is another challenge. OWASP provides continuously updated risk catalogs for this purpose. Also the question of metrics for fairness, robustness and hallucinations, which are likely to become the de facto standard, remains open. NIST works on profiles and evaluation methods for generative AI.
Shadow AI shows that people want quick results. Good policies connect this drive with protection. Those who now formulate clear usage rules, establish discovery and monitoring, implement technical controls and set up MRM processes, reduce risks without slowing productivity. This also better prepares companies for the EU AI Act forward and uses frameworks such as the NIST AI Risk Management Framework and ISO/IEC 42001.
Source: YouTube