A partner at a mid-sized accounting firm discovered something troubling during a routine client audit.
One of their senior consultants had been using ChatGPT to draft client advice letters — uploading financial statements, strategic plans, and confidential projections to a free AI tool with no enterprise agreement, no data processing terms, and no visibility to IT.
The consultant wasn’t malicious. He was just trying to work faster. But the firm now faced a potential breach of client confidentiality — and had no idea how many other staff were doing the same thing.
This is shadow AI. And it’s everywhere.
The Numbers Are Alarming
• 74% of organisations have employees using AI tools without formal approval, according to Gartner’s 2025 AI Governance Survey.
• 32% of Australian SMEs experienced a security incident in 2025 — double the rate from 2024, per the ACSC Annual Threat Report.
• Only 26% of SMEs have any AI usage policy in place, based on the Decidr AI Readiness Index 2025.
The risk isn’t hypothetical. It’s happening now, in your organisation, without your knowledge.
Why Shadow AI Spreads
People use unsanctioned AI tools for one underlying reason: the approved options aren’t good enough, or don’t exist. In practice that looks like:
• IT hasn’t provided an alternative that solves their problem
• The approval process for new tools takes months
• Leadership hasn’t said what’s allowed and what’s not
In the absence of clear guidance, people make their own decisions. And those decisions don’t always account for data security, client confidentiality, or regulatory compliance.
What’s Actually at Stake
Shadow AI creates three categories of risk:
1. Data leakage
When employees paste sensitive information into consumer AI tools, that data may be stored, logged, or used for model training, depending on the provider’s terms. Consumer tiers commonly default to using conversations for training unless the user opts out, and retain them on a schedule you don’t control; enterprise agreements typically exclude training and let you set retention. Either way, once it has been pasted you lose control of where your IP and client data end up.
2. Compliance exposure
If you operate in a regulated industry (finance, health, legal), using AI tools without proper agreements can breach professional conduct rules or contractual NDAs. Privacy Act 1988 obligations apply more broadly than that, to most businesses with turnover above $3 million, and include the cross-border disclosure rules, which matter because most consumer AI services process data offshore.
3. Inconsistent outputs
When everyone uses different tools with different prompts, you get inconsistent quality, tone, and accuracy. That’s a brand risk and a liability.
How to Get Control Back
Step 1: Find out what’s actually being used
Run a short, anonymous survey: “Which AI tools have you used for work in the past 3 months?” You’ll be surprised by the answers. This isn’t about punishment; it’s about visibility. Treat the survey as a starting point rather than the full picture: people under-report, so cross-check the answers against what your web proxy, DNS or identity-provider logs show for known AI services.
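As an added example that is not part of the original article, the following Python script shows the kind of cross-check a web-proxy log gives you. It scans constructed sample log lines (a simple “timestamp user method url bytes_sent” layout assumed here, not any real proxy’s format) for hostnames belonging to known AI services, drops the ones on a sanctioned list, and tallies requests, bytes sent and large POSTs per user. The service list, the sanctioned set and the 100 kB upload threshold are assumptions to tune for your environment.

```python
# Added example, not from the original article: tally traffic to AI services
# per user from web-proxy log lines, as a cross-check for the Step 1 survey.
from collections import defaultdict
from urllib.parse import urlsplit

# Hostname suffixes of well-known AI services and the name to report them under.
# Illustrative assumption: extend this for the tools your survey turns up.
AI_SERVICES = {
    "chatgpt.com": "OpenAI",
    "openai.com": "OpenAI",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Copilot",
    "perplexity.ai": "Perplexity",
}
# Assumed: the firm has an enterprise Copilot agreement, so Copilot is not shadow AI.
SANCTIONED = {"Copilot"}
# Assumed heuristic: a POST this large probably carried a document, not a typed prompt.
UPLOAD_THRESHOLD = 100_000

# Constructed sample lines in an assumed "timestamp user method url bytes_sent"
# layout (not a real proxy's format; adapt parse_line to yours). The last line
# is deliberately malformed to show it is skipped rather than crashing the run.
SAMPLE_LOG = """\
2025-09-03T09:12:01Z jsmith POST https://chatgpt.com/backend-api/conversation 184320
2025-09-03T09:14:22Z jsmith GET https://chatgpt.com/ 512
2025-09-03T09:30:45Z akhan POST https://claude.ai/api/chat 40960
2025-09-03T10:02:10Z mlee GET https://copilot.microsoft.com/ 300
2025-09-03T10:05:33Z mlee POST https://api.openai.com/v1/chat/completions 2048
2025-09-03T10:20:00Z akhan GET https://www.google.com/search?q=tax 100
garbage line that does not parse
"""


def classify_host(host):
    """Return the AI service a hostname belongs to, matching it or any parent domain.

    Suffix matching on domain labels means api.openai.com maps to OpenAI while
    www.google.com stays unflagged even though gemini.google.com is listed.
    """
    labels = host.lower().split(".")
    for i in range(len(labels)):
        service = AI_SERVICES.get(".".join(labels[i:]))
        if service:
            return service
    return None


def parse_line(line):
    """Parse one log line into a dict, or return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, user, method, url, size = parts
    if not size.isdigit():
        return None
    host = urlsplit(url).hostname
    if not host:
        return None
    return {"ts": ts, "user": user, "method": method.upper(),
            "host": host, "bytes_sent": int(size)}


def shadow_ai_report(log_text, sanctioned=SANCTIONED):
    """Summarise unsanctioned AI use: per-user request/byte totals and large uploads."""
    usage = defaultdict(lambda: defaultdict(lambda: {"requests": 0, "bytes_sent": 0}))
    large_uploads = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        service = classify_host(rec["host"])
        if service is None or service in sanctioned:
            continue
        stats = usage[rec["user"]][service]
        stats["requests"] += 1
        stats["bytes_sent"] += rec["bytes_sent"]
        if rec["method"] == "POST" and rec["bytes_sent"] >= UPLOAD_THRESHOLD:
            large_uploads.append((rec["ts"], rec["user"], service, rec["bytes_sent"]))
    # Plain dicts are easier to print, compare and feed into a report.
    return {u: dict(s) for u, s in usage.items()}, large_uploads


if __name__ == "__main__":
    usage, uploads = shadow_ai_report(SAMPLE_LOG)
    for user, services in sorted(usage.items()):
        for service, stats in sorted(services.items()):
            print(f"{user:<8} {service:<10} {stats['requests']:>3} requests "
                  f"{stats['bytes_sent']:>9} bytes sent")
    for ts, user, service, size in uploads:
        print(f"possible document upload: {ts} {user} -> {service} ({size} bytes)")
```

Two caveats before acting on the output. Without TLS inspection a proxy sees only the hostname from the CONNECT request or SNI, so the method and body-size checks need an inspecting proxy or an endpoint agent; the hostname tally still works on plain DNS logs. And a domain match cannot tell a personal ChatGPT account from an enterprise one on the same domain, so treat hits as leads for a conversation, not proof of a breach. Browser extensions and mobile data are blind spots for this approach entirely.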
Step 2: Publish a simple AI use policy
You don’t need 30 pages. You need one page that answers:
• What tools are approved?
• What data can and can’t be shared with AI?
• Who do I ask if I’m unsure?
Make it visible. Put it in onboarding. Reference it in team meetings.
Step 3: Provide a sanctioned alternative
If you ban ChatGPT but offer nothing in return, people will ignore you. Provide an approved tool (Copilot, Claude for Enterprise, or a purpose-built agent) that meets their needs within guardrails, and make sure the agreement behind it covers data retention, exclusion from model training and where the data is processed.
Step 4: Appoint someone accountable
Shadow AI thrives in the absence of ownership. Assign a person (not a committee) responsible for AI governance. Give them authority to make decisions and visibility across the organisation.
The Opportunity Hidden in the Risk
Shadow AI isn’t just a problem — it’s a signal. It tells you where your teams are looking for help and not finding it through official channels.
As MIT Sloan’s 2025 AI Governance Study noted, “Organisations that respond to shadow AI with enablement rather than prohibition see 40% higher adoption of sanctioned tools.”
Meet people where they are. Give them something better. Then set the rules.
Sources: Gartner AI Governance Survey 2025; ACSC Annual Threat Report 2025; Decidr AI Readiness Index 2025; MIT Sloan AI Governance Study 2025.
