Definition
Shadow AI
Shadow AI is the use of generative-AI services (ChatGPT, Claude, DeepSeek, Perplexity, Mistral, Grok, etc.) by employees without the knowledge, approval or oversight of the IT or security team.
Shadow AI is the direct successor to shadow IT. The pattern is similar — productivity-driven adoption that bypasses procurement — but the data exposure is qualitatively worse because the destination is a third-party model whose retention, training-data policy and jurisdictional exposure are usually opaque. The headline number across 2026 audits: in a typical 500-person enterprise, security teams know about ~3 AI services; the actual count of services in regular use sits between 11 and 18.
Why it matters
- Without visibility into which AI services are in use, no GDPR Article 30 register entry can be made.
- Shadow AI is the primary vector for credential leakage to LLMs.
- Many shadow-AI services run on US infrastructure subject to the CLOUD Act and FISA 702.
Common questions
How do I discover shadow AI?
Three complementary signals: SSE / SWG logs for outbound DNS to known AI-service domains; browser-extension telemetry; CASB inspection. The Operator Console of an AI DLP product surfaces this directly because it is in the prompt path.
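A minimal version of the SSE / SWG log signal, added here as an example and not taken from the page or any product: it scans constructed proxy log lines for destinations under known generative-AI domains, attributes each hit to a user, and reports the services missing from the sanctioned list. The domain-to-service map is an assumption for illustration, not a vetted list.

```python
from collections import defaultdict

# Assumed suffix -> service map for this example; swap in your own curated list.
AI_SERVICE_DOMAINS = {
    "chatgpt.com": "ChatGPT", "openai.com": "ChatGPT",
    "claude.ai": "Claude", "anthropic.com": "Claude",
    "deepseek.com": "DeepSeek", "perplexity.ai": "Perplexity",
    "mistral.ai": "Mistral", "grok.com": "Grok",
}

# Constructed SWG log lines: "<timestamp> <user> <dest_host> <action>".
SAMPLE_LOG = """\
2026-03-02T09:14:05Z alice chatgpt.com ALLOW
2026-03-02T09:15:11Z bob api.openai.com ALLOW
2026-03-02T09:16:40Z carol www.example.com ALLOW
2026-03-02T09:17:02Z dave claude.ai ALLOW
2026-03-02T09:18:19Z alice chat.deepseek.com ALLOW
2026-03-02T09:19:33Z erin notclaude.ai ALLOW
2026-03-02T09:20:07Z bob www.perplexity.ai BLOCK
"""

def classify_host(host):
    """Return the AI service for a host, matching whole DNS labels only
    so that 'notclaude.ai' does not match 'claude.ai'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        service = AI_SERVICE_DOMAINS.get(".".join(labels[i:]))
        if service:
            return service
    return None

def discover_ai_usage(log_text):
    """Map each AI service seen in the log to the users who contacted it.
    BLOCKed requests still count: an attempt is evidence of demand."""
    usage = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the sweep
        _ts, user, host, _action = parts
        service = classify_host(host)
        if service:
            usage[service].add(user)
    return dict(usage)

def unsanctioned(usage, sanctioned):
    """Services observed that are not on the approved list (the Article 30 gap)."""
    return {s: u for s, u in usage.items() if s not in sanctioned}
```

Running `unsanctioned(discover_ai_usage(SAMPLE_LOG), {"ChatGPT"})` on the sample yields Claude, DeepSeek and Perplexity with the users who reached them; in production, feed it the exported SWG log and the sanctioned set from the register.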