AI Governance

Shadow AI is your next audit finding

78% of employees are already using AI tools. That's not a problem. It's a signal of demand. Channel it with the right governance framework and you turn a compliance risk into a competitive advantage.

Rafal Bergman··5 min read
Summary

Shadow AI is employee use of AI tools the organisation has not sanctioned or governed, and it is already everywhere: 78% of employees use AI their employer hasn't approved, and 38% are sharing confidential data through consumer accounts. Blocking it fails, because people just switch to personal devices. The better move is to treat the 78% as a demand signal: run an audit across employee surveys, network telemetry, SaaS spend, and manager interviews, then channel that demand into a sanctioned enterprise deployment with data controls and an audit trail. With EU AI Act enforcement beginning 2 August 2026 the governance is no longer optional, but done well it turns a compliance risk into a competitive advantage.

Your employees are already using AI. The question is whether you know about it.

Cyberhaven's research found that 38% of employees are sharing confidential company data through consumer AI tools: ChatGPT, Claude, Gemini, Copilot. Not through sanctioned enterprise deployments with data handling agreements. Through personal accounts, on personal devices, with no audit trail and no governance.

The broader number is worse: 78% of employees are using AI tools their employer hasn't approved. They're summarising client documents, generating financial analysis, drafting legal correspondence, and processing sensitive data through systems their IT and compliance teams don't know exist.

This is shadow AI. And it's about to become a very expensive problem.

The regulatory clock is ticking

The EU AI Act's major enforcement milestones begin August 2, 2026. That includes transparency obligations, high-risk system requirements under Annex III, and governance structures that most organisations haven't built yet.

If you're operating in the EU or processing EU citizen data, which includes most UK businesses with European clients, you need to be ready. Not "aware." Ready. With documented governance frameworks, risk assessments for every AI system in use (including the ones your employees adopted without telling you), and human oversight structures that can withstand regulatory scrutiny.

This isn't theoretical. IBM's Institute for Business Value reports that 82% of organisations say AI risks have accelerated their need for governance modernisation. They know the gap exists. Most haven't closed it.

Why governance fails when it's treated as a blocker

The instinct in most organisations is to respond to shadow AI with a ban. Lock down the tools, restrict access, send a memo. This doesn't work. The tools are too useful, the workarounds too easy, and the productivity gains too visible for people to stop using them just because a policy document said so.

The organisations that get this right treat governance as an enabler, not a blocker. The goal isn't to stop people using AI. It's to channel that usage into managed, monitored, compliant systems that the organisation controls. Governance that makes AI adoption faster, not slower, by removing the ambiguity that forces employees to make their own decisions about what's acceptable.

A proper governance framework does three things:

First, it maps what's actually happening. A shadow AI audit identifies every tool in use, every data flow, every risk. You can't govern what you can't see. Most organisations are genuinely surprised by what they find.

Second, it provides sanctioned alternatives. For every unapproved tool your employees are using, there should be an approved path that's at least as convenient. If the governance framework makes people's work harder, they'll route around it, and you're back to shadow AI.

Third, it builds the compliance structure. Risk classifications, human oversight requirements, data handling protocols, incident response procedures. The EU AI Act doesn't require perfection. It requires a demonstrable, documented framework that shows you're managing AI risk systematically. This is the approach I took at NHS Wales, where governance had to withstand national-level scrutiny. The same principles apply at any scale.

The cost of waiting

Informatica's 2026 survey of 600 data leaders found that three out of four say governance hasn't kept pace with AI adoption. Nearly 7 in 10 organisations have adopted generative AI, and almost half have moved into agentic AI. The tools are already deployed. The governance is months, or years, behind.

The gap creates three categories of risk:

Regulatory risk. EU AI Act non-compliance penalties scale to 7% of global annual turnover for the most serious violations. Even for mid-market companies, that's a material number.

Data risk. Confidential client data, financial information, proprietary IP, all flowing through systems with no data processing agreements, no audit logs, and no retention controls.

Operational risk. Decisions being made based on AI outputs that no one is verifying, using models that no one has validated for the use case, with error rates that no one is measuring.

What I'd do in your position

If I were sitting in your seat (CTO, COO, or board member of a company with 50+ employees) I'd do three things in the next 30 days:

Run a shadow AI audit. Not a survey. A proper audit. Map the tools, the data flows, and the risks. Accept that you'll find things you didn't expect.

Build a governance framework that enables, not restricts. Classify your AI use cases by risk level. Provide sanctioned tools for the high-value, high-frequency use cases. Build monitoring into the approved stack.

Set a timeline for EU AI Act readiness. August 2026 isn't far. If you need to be compliant, work backwards from that date and identify every gap.

If you'd like help with any of that, let's talk. I've built governance frameworks alongside production AI systems, not as a separate workstream, but as part of the deployment. It's the only way it works.

Related: Turning AI theatre into AI that moves the numbers · How to unlock AI ROI: what the 20% do differently · The AI Transformation Sprint

Rafal Bergman
Rafal Bergman
Fractional CTO | Director of AI Engineering | PhD

Serial founder, four exits. Currently Director of AI Engineering at OpenAsset. As a Fractional CTO, I help startup founders and small to mid-market companies stop running AI pilots and start shipping systems that move the P&L. Connect on LinkedIn

Frequently asked questions

What is shadow AI?
Shadow AI is employee use of AI tools that the organisation has not sanctioned, deployed, or governed. Cyberhaven found 38% of employees are sharing confidential company data through consumer AI tools (ChatGPT, Claude, Gemini, Copilot) on personal accounts. 78% are using AI tools the employer hasn't approved. The audit risk is concrete and the data exposure is already happening.
When does the EU AI Act apply to my business?
Major enforcement milestones begin 2 August 2026. That includes transparency obligations, high-risk system requirements under Annex III, and governance structures. If you operate in the EU or process EU citizen data (which includes most UK businesses with European clients), you need documented governance, risk assessments per AI system, and human oversight that can withstand regulatory scrutiny.
How do you do a shadow AI audit?
Five steps. Survey employees with anonymity guarantees so the answers are honest. Inspect network and endpoint telemetry for traffic to consumer AI domains. Review SaaS spend for unsanctioned AI subscriptions. Interview managers about what AI is being used in their teams. Cross-reference everything against your data classification policy to identify exposure of sensitive data.
Should we block consumer AI tools?
Generally no. Blocking pushes shadow AI further into the shadows: people use personal devices on mobile networks. The better play is to channel the demand into a sanctioned enterprise deployment with data handling agreements, train people on what they can and can't process, and use the shadow AI audit as the demand signal for which capabilities to formalise first.
How do you turn shadow AI from a risk into an advantage?
Treat the 78% as signal. Your employees are telling you which AI capabilities they actually find valuable. Use the audit findings to prioritise your sanctioned AI roadmap: deploy enterprise versions of the tools people are already trying to use, with the data controls and audit trail that consumer tools don't have. The risk closes and the productivity gain compounds.
Stay ahead

AI & tech are moving fast.
Get the signal, not the noise

Get in touch

Ready to make AI actually work?

Tell me what you're working on. I'll respond personally. If there's a fit, we'll take it from there.

Start a conversation See the engagements first Free AI readiness assessment
Accepting one new client · second slot opens Q3 2026