Shadow AI
Shadow AI is the use of AI tools by employees without the organization’s knowledge, approval, or oversight — creating hidden privacy, security, and compliance risks that governance is meant to control.
Shadow AI is the AI-era cousin of "shadow IT": staff paste customer data into a public chatbot, use an unvetted transcription tool, or wire an AI plugin into a workflow — all without security review or a record in the AI inventory.
The risks are real: [personal information](/glossary/personal-information) leaving the organization, breaches of confidentiality, biased or wrong outputs used in decisions, and violations of privacy laws like PIPEDA or Law 25 that the organization never sees coming.
The answer is not a blanket ban — which usually fails — but governance: an acceptable-use policy, approved tools, and an inventory that makes shadow AI visible so it can be assessed and either sanctioned or shut down.