Bigeye Staff
June 16, 2026

What is shadow AI?


TL;DR: Shadow AI is the use of AI tools, models, or agents within an organization without IT or security authorization. It's the AI equivalent of shadow IT, and it's already in most enterprises: Microsoft's February 2026 research found 29% of employees using unsanctioned AI agents for work tasks. Shadow AI spans a wide range, from employees using personal ChatGPT accounts for work, to business units deploying AI agents against production databases without IT review, to SaaS vendors enabling AI features by default. The risks are data exposure, missing audit trails, regulatory inventory requirements, and outputs whose quality is only as good as data no one verified. This article covers what shadow AI is, what it includes in practice, why it happens, and how enterprises respond to it.


Shadow AI is any use of AI tools, models, or agents within an organization that hasn't been authorized, registered, or sanctioned by IT or security. The name comes from shadow IT (the older problem of employees using unauthorized software and services), and the underlying dynamic is the same: teams adopt tools to work faster, do it before policy catches up, and end up with systems running outside any organizational oversight.

What's different is what's in the shadow. Shadow IT was mostly unauthorized SaaS applications. Shadow AI is a mix of unauthorized tools, unauthorized agents, and AI features that got enabled without anyone making a deliberate choice to adopt them. Those three categories look similar on the surface and carry very different risks in practice.

Shadow AI definition: what counts and what doesn't

Shadow AI covers any AI use that organizational policy hasn't authorized. There are three distinct forms, and they're worth separating because they create different problems.

Unauthorized AI tools. An employee using a personal ChatGPT, Gemini, or Claude account to draft work documents, summarize meeting notes, or analyze data they've pasted in is using shadow AI. The tool doesn't have a connection to internal systems, but the data the employee inputs may be sensitive, and the outputs may inform business decisions no one has visibility into. This is the most visible form of shadow AI because it leaves network traffic traces to external AI provider endpoints.

Unauthorized AI agents. An employee who connects a third-party AI agent to an internal data warehouse role, builds an agent in a low-code platform and points it at a production database, or enables an AI assistant in a SaaS tool without IT review is running a shadow AI agent. These are a different category from unauthorized tools: agents inherit enterprise credentials, query production data, and act autonomously without human review at each step. For a detailed treatment of this category, see how to detect shadow AI agents.

Default-enabled AI features. Enterprise software vendors have embedded AI into products organizations already use: Salesforce, Microsoft 365, Notion, Slack, and most modern SaaS platforms now include AI capabilities that are sometimes enabled by default. When a vendor enables an AI feature without a policy review from the purchasing organization, that feature becomes shadow AI regardless of whether any individual employee made a deliberate choice to adopt it.

Authorization is what separates shadow AI from legitimate AI use. A tool that went through procurement, a feature IT reviewed, or an agent that's registered and governed (regardless of who built it) isn't shadow AI. The shadow is the missing review, not the technology.

Shadow AI examples

These five scenarios are recognizable to anyone who's run a shadow AI audit.

A finance analyst pastes quarterly revenue data into a personal ChatGPT account to generate a summary for an executive presentation. The data is confidential. It's now in a conversation that lives outside any enterprise data governance program.

A sales operations manager uses a low-code platform to build an AI agent that queries the CRM and generates weekly pipeline reports. The agent runs under the manager's Salesforce credentials, inheriting their access scope. IT doesn't know it exists.

A developer enables GitHub Copilot on a personal account to accelerate work on an internal codebase. The code Copilot processes includes proprietary business logic and internal API specifications.

A customer success team adopts Notion AI after one team member enables it on the workspace. It starts summarizing customer notes, some of which include confidential contract terms. No one submitted an AI tool request.

An operations team connects an AI agent to the company's Snowflake environment using a service account with broad SELECT access. The agent runs daily reports and summarizes findings in Slack. It has access to every table the service account can reach, including HR and financial data.

Why shadow AI happens

Most shadow AI isn't created by people trying to work around the rules. It's created by people who needed something working today and found a tool that did the job before any formal process could catch up.

Approving a new AI tool through procurement might take weeks. Connecting it through a low-code platform takes an hour. Vendors have accelerated this by shipping AI as a default feature rather than an opt-in. The result is tools and agents in production before anyone has assessed them, at a rate that most governance programs weren't designed to handle.

Microsoft's February 2026 research found 29% of employees using unsanctioned AI agents for work tasks, with more than 80% of active Fortune 500 AI agents built using low-code or no-code tools. Most of those deployments came from teams solving real problems, not evading policy.

Shadow AI risks

The risk profile varies by type, but four problems show up consistently.

Data exposure. Employees inputting sensitive data into unauthorized AI tools send that data to external systems with no organizational visibility or control. This is the risk profile for personal AI account use: once data enters an external AI conversation, the organization has no audit trail of what was shared, no ability to retrieve it, and no control over how the provider uses or retains it. GenAI data exposure across enterprise workforces reached 7.7GB per organization per month by the end of 2025, with 22% containing sensitive data (Help Net Security, December 2025).

Unauthorized data access. Shadow AI agents that inherit enterprise credentials can reach any data the underlying credential permits. CSA found that 53% of organizations have had AI agents exceed their intended permissions. For shadow agents, there are no intended permissions on record. The agent has whatever the credential it runs under allows, with no bound set by intended use.

No audit trail. When a shadow AI agent queries sensitive data or takes an action, that activity doesn't get logged against a registered identity. CSA's March 2026 research found that 68% of organizations can't clearly distinguish AI agent actions from human activity. Shadow agents are a direct contributor: their activity logs against credentials, not identities, making reconstruction and accountability difficult.

Regulatory exposure. The EU AI Act's obligations for high-risk AI systems, enforceable August 2, 2026, require automatic logging of risk-relevant events and technical documentation. The IMDA Model AI Governance Framework for Agentic AI (Version 1.5, May 2026, voluntary) recommends organizations enumerate all agents and establish accountability for each. Shadow AI systems are outside any such documentation by definition.

How enterprises respond to shadow AI

Network-level blocking is increasingly impractical. AI capabilities are now built into the tools organizations already run. Block the AI feature and you block the product. The programs that make actual progress on shadow AI do two things that initial programs usually skip: they give employees a fast path to legitimize tools they've already adopted, and they enforce at the data layer rather than the network layer.

Treating shadow AI as an inventory and registration problem tends to work better than treating it as a prohibition problem. Find what's running, make the registration process easier than the workaround, and you move the shadow population into governance over time rather than just accumulating more of it.

For shadow AI agents specifically, Bigeye's Agent Trust Hub provides this layer: agents that connect to governed data sources appear in the registry, and AI Guardian blocks unregistered agents before their queries execute.
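As an added example (not Bigeye's code and not how the Agent Trust Hub works), here is the inventory-first approach above in Python: classify warehouse query-history sessions as human, registered agent or unregistered agent, list which tables each unregistered agent reached, and gate queries at the data layer so unregistered agents are blocked and registered ones stay inside their approved tables. The query-history rows, the registry, the client-name hints and all function names are constructed assumptions, loosely modelled on the fields a warehouse query history typically exposes.

```python
from collections import defaultdict

# Constructed sample of warehouse query-history rows (not real telemetry).
# The last row is a registered agent reaching past its approved tables.
QUERY_HISTORY = [
    {"user": "j.doe", "client": "Looker", "tables": ["sales.pipeline"]},
    {"user": "svc_reporting", "client": "pipeline-agent/1.0",
     "tables": ["crm.opportunities"]},
    {"user": "svc_reporting", "client": "langchain-sql-agent",
     "tables": ["hr.salaries", "finance.ledger"]},
    {"user": "ops_bot", "client": "langchain-sql-agent",
     "tables": ["ops.tickets", "hr.salaries"]},
    {"user": "svc_reporting", "client": "pipeline-agent/1.0",
     "tables": ["crm.opportunities", "hr.salaries"]},
]

# Registry of governed agents: (account, client name) pairs that went
# through review, mapped to the tables each is approved to read.
AGENT_REGISTRY = {
    ("svc_reporting", "pipeline-agent/1.0"): {"crm.opportunities"},
}

# Client-name fragments that mark agent frameworks (constructed; extend from your own telemetry).
AGENT_CLIENT_HINTS = ("agent", "langchain", "llm", "copilot")

def classify(row):
    """Return 'human', 'registered' or 'unregistered' for one session."""
    if not any(h in row["client"].lower() for h in AGENT_CLIENT_HINTS):
        return "human"
    key = (row["user"], row["client"])
    return "registered" if key in AGENT_REGISTRY else "unregistered"

def allow_query(row):
    """Data-layer gate: block unregistered agents outright, hold registered
    agents to their approved tables, pass humans through to other controls."""
    kind = classify(row)
    if kind == "human":
        return True
    if kind == "unregistered":
        return False
    return set(row["tables"]) <= AGENT_REGISTRY[(row["user"], row["client"])]

def shadow_inventory(history):
    """Map each unregistered (account, client) pair to the tables it reached."""
    found = defaultdict(set)
    for row in history:
        if classify(row) == "unregistered":
            found[(row["user"], row["client"])].update(row["tables"])
    return {key: sorted(tables) for key, tables in found.items()}
```

The inventory output is what a registration workflow would consume: each unregistered pair is a candidate to either register with an approved table set or revoke.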

about the author

Bigeye Staff

Bigeye Staff represents the collective voice of the Bigeye team. Each article is informed by the expertise of individual contributors and strengthened through collaboration across our engineers, data experts, and product leaders, reflecting our shared mission to help teams build trust in their data.
