Business Reporter

Shadow AI and shadow IT: from perceived risks to real gains


Geoff Hixon at Lakeside Software describes how UK businesses can harness shadow IT and AI for productivity and innovation


Most organisations cannot claim that their employees have never used generative AI or unapproved applications to enhance efficiency. Known as shadow AI and shadow IT, these practices are not acts of defiance, but evidence of employees’ efforts to work more effectively. Rather than viewing them solely as risks, such as sources of potential data breaches, organisations should recognise them as indicators of a workforce seeking better tools and processes.


The rise of AI, remote work, and bring-your-own-device (BYOD) policies has accelerated the adoption of unauthorised technologies in the workplace. This trend reflects employees’ desire to innovate and streamline their work. Business leaders, particularly CIOs, can harness this momentum by fostering IT strategies that prioritise user needs, while ensuring security and compliance. 


This article explores how organisations can shift perceptions of shadow AI and shadow IT: transforming employees’ technology preferences into valuable insights that drive innovation, efficiency, and business growth.

Decoding employee tech choices

Observability tools, such as those focused on digital employee experience (DEX), deliver real-time insights into how employees use digital tools, revealing why some choose solutions like ChatGPT, often unaware of third-party data retention risks. DEX tools enable IT to guide employees toward approved alternatives, like Microsoft Copilot, which integrates seamlessly into the environment of an organisation already using Microsoft tools, fostering both innovation and compliance.


Using observability to understand and guide employee tech choices moves beyond blocking apps, an often ineffective tactic, much like trying to stop youngsters from using TikTok. An end-user monitoring strategy empowers businesses to harness innovation securely and foster collaboration between IT and employees, which ultimately enhances efficiency, all while ensuring compliance with regulations such as the UK GDPR and the Data Protection Act 2018.

The dynamics of shadow AI and shadow IT

Shadow AI refers to employees using unapproved artificial intelligence tools to boost productivity, whether for software development, content creation, data analysis, or translation. A Forbes Advisor poll found that 79% of UK employees engage with generative AI, with high adoption across businesses, reflecting its widespread appeal. However, a recent Salesforce survey notes that 73% see new security risks, and nearly 60% are unsure how to use AI securely. This highlights a growing reality in many workplaces: convenience often trumps compliance.


Similarly, shadow IT involves the use of unauthorised applications, such as project management or file-sharing apps, chosen for their efficiency and ease of use. Gartner predicts that by 2027, 75% of employees will acquire, modify, or create technology outside IT’s visibility, up from 41% in 2022, underscoring the growing demand for flexible tools. Employees aren’t bypassing IT to cause harm; they’re seeking solutions that help them work better. 


Unaddressed, shadow AI and IT can create several challenges. For instance, a healthcare worker might use an unapproved AI tool to summarise patient records, risking exposure of sensitive data to a non-GDPR-compliant platform that retains data for training. Similarly, a financial analyst using an unsanctioned AI coding assistant could inadvertently share proprietary algorithms. The 2023 Okta breach, caused by an employee’s personal Google account on a company device, underscores the need to understand these behaviours. 


Yet, the solution isn’t to clamp down with restrictions. Senior leaders, including CIOs, are inherently user-centric and productivity-focused, and already hear endless warnings about security threats. What they need is actionable data to drive meaningful conversations about why employees choose unapproved tools over approved ones like Copilot. For Microsoft-using companies, Copilot offers robust features within a secure, IT-managed framework that aligns with organisational goals. 


Traditional security tools, such as data loss prevention systems, often fall short in this new era of AI. Designed to monitor specific data locations like emails or company servers, they struggle to track the complex, encrypted web connections used by AI platforms or cloud-based apps. These systems lack the context to distinguish between safe and risky employee actions, such as entering company data into an unapproved platform.


The rapid adoption of generative AI, which processes data in ways that older systems can’t follow, amplifies these gaps. The Information Commissioner’s Office’s (ICO) AI guidance emphasises risk assessments before using AI tools with personal data, but many organisations lack visibility into what employees are using. Rather than relying on outdated controls, businesses can use observability to gain near-real-time insights into application usage and data flows across physical, virtual, and mobile devices.

Strengthening compliance and creativity

A proactive strategy centred on observability transforms these challenges into opportunities. Digital employee experience tools monitor usage patterns, identifying unapproved AI platforms or apps that could expose sensitive data. This visibility allows IT teams to understand employee needs (perhaps an approved tool lacks a key feature) and offer secure alternatives that align with business goals.


Emerging technologies, like federated learning to process data locally or explainable AI to trace data usage, can further enhance these efforts. Regular audits, guided by the ICO's AI recommendations, ensure ongoing compliance, while annual employee training keeps pace with evolving AI trends, reducing unapproved tool usage. By evaluating AI and IT tools for compliance, encryption, and integration before adoption, businesses can seamlessly incorporate solutions that boost productivity without compromising security.


Shadow AI and IT are not risks to be feared but opportunities to lead in secure, innovative technology adoption. The UK government’s AI White Paper (2023) advocates responsible AI use, and enterprises that act decisively can shape a resilient digital future. A healthcare worker using an approved AI tool to summarise patient records can enhance care delivery without risking GDPR violations.


A financial analyst leveraging a secure, IT-approved coding assistant can protect proprietary algorithms while working efficiently. By aligning technology with employee needs, businesses build trust and drive innovation. It is here that observability data enables IT to have meaningful conversations about why employees might prefer unapproved tools.


Enterprises stand at a crossroads. By investing in real-time visibility through digital employee experience tools, adaptive governance, and comprehensive training, they can empower employees to innovate while ensuring compliance with regulations like those from the Financial Conduct Authority. Instead of stifling creativity with bans, businesses can harness the transformative potential of AI and IT. This fosters a culture where technology and human ingenuity thrive together.


The next headline for UK businesses doesn’t have to be about a breach; it can be about leading the way in productivity and innovation.

Steps to safely manage and harness shadow AI and IT

1. Gain visibility into shadow technology use

Use digital employee experience (DEX) or observability tools to identify which unauthorised apps or AI tools employees are using, across devices and environments.


Avoid defaulting to restrictive policies — instead, use this insight to understand how and where innovation is happening outside official channels.


2. Educate and involve employees

Run regular training on the risks of unapproved technology, including data privacy, third-party retention, and regulatory concerns.


Frame compliance as a way to support smarter, safer innovation, not as a barrier to productivity.


3. Strengthen the official toolset

Use insights from shadow tech usage to assess where approved tools fall short, whether on usability, functionality, or accessibility.


Work with vendors or internal teams to enhance existing solutions or integrate secure, approved alternatives that meet employee needs.


4. Build adaptive governance

Create a cross-functional review board (IT, legal, HR, and end users) to assess and approve new tools quickly and transparently.


Develop a clear process for evaluating, fast-tracking, and onboarding technology that meets minimum security, compliance, and performance standards.
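As an added illustration of step 1 and of the observability approach described earlier in the article (this is example code, not the article's or Lakeside Software's), the Python below buckets constructed endpoint telemetry into approved, shadow-AI and other shadow-IT usage, aggregates it per team, and pairs each unapproved tool with a sanctioned alternative so IT has data for the conversation rather than a block list. The telemetry records, host lists and alternatives mapping are all hypothetical.

```python
from collections import defaultdict

# Constructed sample telemetry: (device, user, team, destination host, bytes sent).
TELEMETRY = [
    ("LAP-001", "alice", "finance", "copilot.microsoft.com", 120_000),
    ("LAP-002", "bob", "finance", "chat.openai.com", 450_000),
    ("LAP-003", "carol", "clinical", "chat.openai.com", 980_000),
    ("LAP-003", "carol", "clinical", "drive.google.com", 2_000_000),
    ("LAP-004", "dan", "engineering", "sharepoint.com", 300_000),
    ("LAP-005", "erin", "engineering", "trello.com", 50_000),
    ("LAP-006", "frank", "finance", "chat.openai.com", 30_000),
]

# Hypothetical policy data: hosts IT has sanctioned, hosts known to be generative-AI
# services, and the approved alternative IT would steer people towards.
APPROVED_HOSTS = {"copilot.microsoft.com", "sharepoint.com"}
GENAI_HOSTS = {"chat.openai.com", "claude.ai", "gemini.google.com"}
ALTERNATIVES = {"chat.openai.com": "copilot.microsoft.com",
                "drive.google.com": "sharepoint.com"}

def classify(host):
    """Bucket a destination host: approved, shadow AI, or other shadow IT."""
    if host in APPROVED_HOSTS:
        return "approved"
    if host in GENAI_HOSTS:
        return "shadow_ai"
    return "shadow_it"

def build_report(records):
    """Aggregate per (team, host): who uses it, how much data leaves the estate,
    and which sanctioned tool could replace it. Largest data volume first."""
    agg = defaultdict(lambda: {"users": set(), "bytes": 0})
    for _device, user, team, host, sent in records:
        agg[(team, host)]["users"].add(user)
        agg[(team, host)]["bytes"] += sent
    report = [{"team": team, "host": host, "category": classify(host),
               "users": sorted(e["users"]), "bytes": e["bytes"],
               "suggested_alternative": ALTERNATIVES.get(host)}
              for (team, host), e in agg.items()]
    return sorted(report, key=lambda r: r["bytes"], reverse=True)

def unapproved(report):
    """Only the rows IT needs to talk about, i.e. everything not already approved."""
    return [r for r in report if r["category"] != "approved"]

if __name__ == "__main__":
    for row in unapproved(build_report(TELEMETRY)):
        print(f'{row["team"]:<12} {row["host"]:<24} {row["category"]:<10}'
              f' {len(row["users"])} user(s) {row["bytes"]:>10,} B -> '
              f'{row["suggested_alternative"] or "no approved equivalent yet"}')
```

The "no approved equivalent yet" rows are the ones step 3 is about: a gap in the official toolset rather than a user problem.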

Geoff Hixon is Vice President of Solutions Engineering at Lakeside Software


Main image courtesy of iStockPhoto.com and Dimitris66

© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543