DEEP DIVE: “Shadow AI is dangerous”, What partners need to know about shadow AI
Employees are using unauthorised AI tools for several reasons.
Shadow IT used to be the bugbear for organisational leaders making sure that staff use the correct software within their digital environment; now shadow AI is posing a new threat.
And partners are still trying to wrap their heads around how to mitigate this growing issue within organisations.
Shadow AI is the unauthorised use of AI-based tools like ChatGPT, Claude, Anthropic within an organisation.
A KPMG and University of Melbourne study called shadow AI a “symptom of deeper friction between employee needs and AI capabilities provided by an enterprise”.
The same study highlighted that 44 percent of employees have used AI in ways that contravene their organisation's policies and guidelines.
Maria Padisetti, CEO at Digital Armour, told CRN Australia, “Shadow IT used to be annoying, but shadow AI is dangerous.”
Padisetti explained that the use of shadow AI isn’t malicious; it’s “desperate people trying to work faster”.
She pins it down to increasing pressure from organisational leaders and employers to do more with less.
“Banning AI doesn't work, but ignoring it is what is worse,” she noted.
Vito Rinaldi, managing director at Blue Crystal Solutions, said shadow AI today feels very similar to the early days of cloud and SaaS adoption.
“It is the wild west,” he stated.
“People are using whatever AI tools they want, on whatever device they want, often with no oversight and no safeguards.”
He added, “The reality is simple: the business isn’t responding fast enough, users aren’t waiting for permission, and users are even willing to pay for their own subscriptions.”
Why is this happening?
Rinaldi explained that partners need to understand that shadow AI is not being driven by novelty, but utility.
“Employees are using it to summarise documents, generate code, analyse data, or assist with writing,” he said.
“The risk is not that AI is being used, but that it is being used without any control over what data leaves the organisation, what models retain it, or where that data ultimately ends up.
“Once information leaves the perimeter, particularly into public non-sovereign models, it cannot be retrieved or audited.”
More than a technology issue
Shadow AI is more than just a technology issue; it impacts other departments and the business. Padisetti at Digital Armour says it is a “governance, culture and leadership problem”.
“If your people are going off doing things, it's because you're not taking this seriously, and you're not bringing it to the forefront,” Padisetti warned.
“They're off doing stuff because you haven't picked up fast enough. You can't stick your head in the sand and go, ‘AI is not going to do anything’. It's already in your business, you just don't know about it because most of these tools are browser based.”
Padisetti is seeing a concerning trend of employees and leaders using whatever AI tools they can put their hands on.
“I've had three CIOs in the last three months come to me and go, ‘leadership people have gone off rogue and started using tools’,” she explained.
“The IT leaders are asking ‘can you please help us put governance in place? Because these guys and girls have no idea what they're doing’.”
Rinaldi agreed, noting that shadow AI is a “technical risk as well as a trust, compliance, and sovereignty issue”.
“AI is now forcing the next evolution of governance, particularly in data classification, access control, auditability and sovereignty,” he said.
How to avoid shadow AI?
To counteract this problem, Padisetti explained leaders need to be on the front foot and start looking at AI governance and strategy “hand in hand”.
She said, “An AI strategy without governance is a silly thing to do.”
Padisetti suggested that organisations begin conversations about governance and strategy immediately.
“Start those governance and strategy right up front before it gets out of hand, and even if it feels like it has, at least you're starting that right. So just make a start, take a small step,” she said.
“Governance doesn't sound sexy, but neither was cyber. But this one's more dangerous than cyber, [it brings] reputational damage.”
Sharing is caring when it comes to building a strategy to remove shadow AI.
Anthony Ferrier, CEO at Choir Digital, said partners can build transparency by jointly sharing AI policies, systems and activities.
“As a baseline for review, gap analysis and structured conversations around how to manage effectively going forward. A focus on assessment, prioritisation and mitigation of gaps is something we are seeing more of from clients,” he said.
Rinaldi suggested providing sanctioned private AI environments, implementing data classification and security controls, and setting clear acceptable use guidelines, as some of the ways organisations can avoid shadow AI use.
“The key is to make the safe path more attractive than the unsafe one. If authorised AI is usable, fast, and valuable, shadow usage declines naturally. If it is restricted, expensive, or impractical, users will route around it,” he explained.
What next?
For those who are on the journey to counteract shadow AI, Jeff Voigt, head of AI adoption at AWS partner, explained who will emerge as winners in the race against unauthorised AI use.
“The winners will be organisations that lead early, set clear guardrails and enable safe speed to value,” he explained.
“You can’t eliminate it entirely, but you can contain it by being an early adopter and making sanctioned AI the easiest path.”
Rinaldi said partners should look to the past and how organisations tackled the rise of cloud computing.
“The lesson from cloud still holds: the fastest way to eliminate shadow adoption is to provide a better alternative,” he ended.