Shadow AI: What It Is and Why 70% of Your Employees Are Using It in Secret

8 min read · AstraLoop Studio

While you're reading this sentence, chances are someone at your company is pasting a client file, a quote, or a chunk of code into ChatGPT. Nobody asked them to, it's written in no procedure, and they most likely don't see anything wrong with it: they're just trying to work faster. This phenomenon has a precise name, Shadow AI, and it's today one of the least monitored and most widespread risks among Italian SMEs.

Estimates circulating in 2026 put the figure between 68% and 76% of employees using generative AI tools without the company's knowledge or authorization. What's striking is that this isn't a big-corporation problem, it hits small and mid-sized businesses hardest, where there's no structured IT department and nobody has written a single line of AI usage policy yet. If you want to place this topic within a bigger picture, this article connects to our complete guide to AI consulting for businesses, where governance is one of the pillars.

Here we look at what Shadow AI really is, why it happens, what concrete risks it creates under GDPR and the AI Act, and, above all, how to build an internal policy that secures the work instead of blocking it.

Illustration of an office where ghost AI assistants work hidden alongside employees, a metaphor for Shadow AI

Shadow AI: what it is, in plain terms

Shadow AI is the use of artificial intelligence tools by employees outside any company control, approval, or policy. It's the recent cousin of "Shadow IT," the phenomenon where people in a company use software and services not authorized by IT: think of someone sharing files on a personal Drive instead of company systems.

The difference is that Shadow AI is far easier to trigger and far riskier. All it takes is a browser and a free account. No installation, no permission to ask for, no visible trace. Here are the most common forms it takes:

  • General-purpose chatbots: ChatGPT, Gemini, Claude, Copilot used with personal accounts to write emails, summarize documents, analyze data.
  • AI browser extensions: plugins that summarize pages, translate, generate text, often with read permissions over everything on screen.
  • AI features built into tools already in use: auto-generation in Notion, Canva, Grammarly, the "copilots" embedded in third-party software.
  • Meeting transcription bots: bots that join Zoom or Meet calls, record and summarize, carrying confidential conversations outside the room.

Here's the crucial point: in most cases there's no bad faith involved. The employee isn't "stealing data," they're trying to get things done faster. But the outcome is the same: company information leaving a controlled perimeter and entering systems the company knows nothing about.

Why 70% of your employees are using it (and not telling you)

Understanding the "why" is essential, because the solution isn't a ban. An outright ban is the perfect recipe for pushing usage even further into the shadows. There are three reasons Shadow AI keeps spreading, and all three are very human.

1. The tool works and saves time

A well-written email in thirty seconds, meeting minutes summarized in a minute, a draft quote ready before your coffee's even done. The perceived value is immediate and tangible. No internal procedure can compete with that level of instant gratification.

2. The company hasn't said anything

In the regulatory vacuum, everyone decides for themselves. If there's no policy, there's no "forbidden": the employee assumes in good faith that it's fine. The company's silence gets read as implicit permission.

3. The fear of asking

Many worry that asking "can I use ChatGPT for this?" will be read as "I can't do this myself." So they'd rather use it on the sly, pasting the text, generating the result, and rewriting it in their own words. This behavior, besides being the most widespread, is also the hardest to detect.

The consequence is that Shadow AI isn't a problem of undisciplined people, it's a problem of missing governance. And like every governance problem, it's solved with clear rules and literacy, not repression. It's the same principle behind a good AI training program for employees.

The concrete risks of Shadow AI

Let's move from the general to the specific. When an employee pastes data into an unauthorized AI tool, what real damage are you risking? We split it into four areas.

GDPR and data protection risk

This is the most immediate one. If an employee pastes a customer list with names, emails, and phone numbers, or a medical record, a CV, or bank details, into a chatbot, they're carrying out a transfer of personal data to a third-party provider (often outside the EU) with no legal basis, no privacy notice, and no data processing agreement (DPA). Under EU Regulation 2016/679 (GDPR) this can amount to:

  • Unlawful processing of personal data (violation of Articles 6 and 9).
  • Non-compliant transfer of data to third countries (Chapter V).
  • Complete loss, for the data controller, of any control over where the data ends up and for how long it stays there.

Italy's Data Protection Authority (Garante) has already moved on this front, with the well-known measure that in 2023 temporarily restricted ChatGPT in Italy. GDPR fines run up to €20 million or 4% of worldwide annual turnover, whichever is higher.

Trade secrets and intellectual property risk

Quotes, confidential price lists, sales strategies, proprietary source code, formulas, technical drawings. Anything you paste into a consumer tool can, depending on its terms of use, be used to train the underlying models or otherwise slip out of your control. The most-cited case is still that of the Samsung engineers who in 2023 pasted confidential code into ChatGPT, prompting the company to ban its use.

AI Act risk

EU Regulation 2024/1689 (the AI Act) is becoming operational in stages, with major obligations already kicking in on August 2, 2026. Shadow AI crosses paths with the AI Act on two fronts. First: Article 4 requires every organization using AI systems to ensure an adequate level of AI literacy among its staff. If half your employees are using AI in secret, you're not just failing to train anyone, you don't even know who's using what. Second: you can't classify systems by risk category if you don't know they exist. We dig into the deadlines and obligations in our dedicated article on AI Act obligations for SMEs.

Quality and reliability risk

Then there's the operational risk. An AI output used without review can contain errors (the so-called "hallucinations"), invented data, wrong calculations. If it ends up in a contract, a quote, or a customer communication without human review, the reputational and financial damage is real.

Illustration of a shield-shaped funnel sorting company data into three tiers, a metaphor for AI policy and data governance

How to govern Shadow AI: from policy to practice

The good news is that this is one of the most accessible "quick wins" on the path to AI adoption. It doesn't take a massive tech investment, it takes clarity. Here's a five-step path you can kick off in just a few weeks.

Step 1: map what's actually happening (assessment)

Before writing rules, you need to know what's already going on. A short internal assessment of AI use across your processes, run through anonymous surveys and interviews, tells you which tools are running, for which tasks, and on which data. The picture almost always surprises: usage tends to be higher than expected, and concentrated in unexpected areas like admin or sales.

Step 2: classify the data, not just the tools

Not all data is equal. The golden rule is easy to communicate: split information into three tiers.

TierExamplesAI rule
PublicContent already online, marketing material, product descriptionsFree to use, even on consumer tools
InternalDrafts, notes, non-confidential proceduresOnly on approved company tools
Confidential/personalCustomer data, health data, price lists, code, contractsNever on uncertified tools without a DPA

Step 3: write a short, readable AI policy

Forget the forty-page legal document nobody will read. An effective policy fits on two or three pages and answers concrete questions: which tools are approved, what should never be pasted in, who to contact to propose a new tool, what to do in case of a mistake. It has to be written in plain language, with examples. The goal isn't to scare people, it's to give them a clear lane to stay in.

Step 4: offer an authorized alternative

This is the step almost everyone forgets, and it's the most important one. Banning something without offering an alternative doesn't work: people will just keep using it in secret. If you give your team an enterprise version of an AI tool (with settings that exclude your data from training and with a data processing agreement in place), or an internal assistant built on a company knowledge base with a RAG approach, you remove the incentive to reach for consumer versions. Make the safe path the convenient one too.

Step 5: train and monitor

A policy without training stays on paper. One hour of hands-on training, with examples of what an average employee should and shouldn't do, is worth more than ten memos. It's also how you meet the AI literacy obligation under Article 4 of the AI Act. Monitoring, finally, shouldn't mean surveillance: periodic check-ins and an open channel where people can flag new tools without fear of being scolded are enough.

Shadow AI is already inside your company: the difference is governing it before it becomes a problem. Request a quick analysis of your real AI usage and we'll help you build a tailored policy.

Governing doesn't mean blocking

The takeaway is counterintuitive. You don't fight Shadow AI by switching AI off, you fight it by switching it on properly. Companies that ban everything get two outcomes, both negative: they lose the productivity gains and push usage even further into the shadows, where it's impossible to control.

Companies that govern it instead turn a risk into a competitive advantage. They bring real usage into the light, secure the data, train their people, and often discover processes worth automating for real. It's the first step of a genuine four-phase AI adoption roadmap: without governance, everything else rests on shaky ground.

If you're still figuring out where to start with AI at your company, this topic is an excellent entry point: it's cheap to tackle, it delivers an immediate return in reduced risk, and it naturally opens the conversation on what to automate. You'll find more pointers in our guide on how to take the first steps with AI at your company and on what's worth automating with AI.

Mistakes to avoid when tackling Shadow AI

  • An outright ban via email. It only pushes usage deeper underground. What's needed is a policy with alternatives, not a flat "no."
  • Copying a policy found online. Every company has different data, processes, and risk levels. A generic policy won't hold up under scrutiny from the Garante.
  • Stopping at the document. Without training and an authorized tool, the policy stays a dead letter.
  • Treating it as an IT-only problem. Shadow AI touches HR, legal, sales, and leadership. It needs to be tackled across the board.
  • Putting it off. With the AI Act becoming operational on August 2, 2026, the time to get compliant isn't unlimited.

Governing Shadow AI isn't a months-long project. It's a targeted, measurable intervention with an immediate return on risk reduction. It's, in every sense, one of the smartest quick wins to put on the agenda for 2026.

Frequently asked questions

What is Shadow AI in plain terms?

It's the use of artificial intelligence tools (like ChatGPT, Gemini, or Copilot) by employees without authorization, oversight, or a company policy. All it takes is a browser and a free account, so it's extremely easy to trigger and invisible to the company.

Why is Shadow AI dangerous for my company?

Because it carries company data outside the controlled perimeter. The main risks are: GDPR violations if personal data gets pasted in, loss of trade secrets, non-compliance with the AI Act, and unverified outputs ending up in real documents.

Does pasting customer data into ChatGPT violate GDPR?

In most cases, yes. You're transferring personal data to a third-party provider, often outside the EU, with no legal basis, no privacy notice, and no data processing agreement (DPA). It can amount to unlawful processing under Articles 6 and 9 of the GDPR.

Do I need to ban AI for employees to solve the problem?

No, an outright ban is counterproductive and pushes usage even further into the shadows. The solution is to govern it: map real usage, classify the data, write a clear policy, and offer a secure company AI tool as an alternative.

What does Shadow AI have to do with the AI Act?

The AI Act (EU Regulation 2024/1689), operational from August 2, 2026, requires under Article 4 that staff have adequate AI literacy and that systems be classified by risk. If half your team is using AI in secret, you can't meet either obligation.

How long does it take to build a Shadow AI policy?

It's one of the fastest interventions: with an initial assessment, a two-to-three-page policy, an authorized tool, and one hour of training, a small or mid-sized company can get itself secured within a few weeks.

Want to turn shadow AI into a controlled advantage instead of a risk? Talk to us: we'll define the policy, authorized tools, and training your team needs together.