Shadow AI describes AI tools used within an enterprise that process, generate and potentially retain sensitive data outside formal IT and security oversight, creating new blind spots beyond traditional shadow IT. The article notes that as AI tools become more accessible, employees adopt them with little or no approval; a 2024 Salesforce survey found that 55% of employees had used AI tools not approved by their organisation.
This unregulated usage can lead to sensitive data being shared externally: the data leaves the organisation’s security boundary and, in some cases, is used for model training, depending on the platform and account type. Shadow AI also expands the attack surface, since unvetted APIs and plugins may be insecure, and staff accessing AI platforms from personal devices place that activity outside standard security controls, which complicates monitoring.
The piece highlights identity security risks, including the creation of multiple accounts across AI platforms and the use of NHIs (non-human identities), both of which can complicate governance if centralised controls are lacking, according to Keeper Security.
Ashley D’Andrea, Content Writer at Keeper Security.