Shadow AI: Three Critical Risks Organizations Face

Recent research reveals a concerning pattern: employees are increasingly sharing sensitive data with AI tools, delegating entire tasks to AI, and often doing this through external (shadow) accounts outside IT oversight.

These form three mutually reinforcing risks:

1. Use of personal AI tools for work purposes

When employees use their personal AI accounts for work tasks, the organization loses visibility into what data and tasks are being handed over to AI. MIT research shows that in 90% of companies, employees utilize AI tools in their work with their own accounts – often without IT or security approval. This means that a significant portion of AI usage happens outside the company's control and oversight, making both risk management and regulatory compliance more difficult.

2. Risk of confidential information leakage

Using AI tools is not just a governance issue – it's also a security challenge. Cyberhaven found that nearly one-third of the data employees input into AI tools is sensitive, and about 4% is confidential information. When this happens through personal or other external accounts, the risks of data leakage increase significantly, and potential damage is difficult to trace and manage.

3. Risks of delegating entire tasks

AI usage is shifting from assisted work toward full task delegation — from co-pilot to autopilot. Anthropic's Economic Index shows that 77% of enterprise customers' API usage follows patterns where entire projects are given to AI to handle from start to finish. A Nature study (N ≥ 500 per experiment) found that goal-based delegation (e.g., "maximize profit") increased unethical outcomes: AI followed problematic requests 60–95% of the time, while humans had a corresponding rate of 25–40%.

This development is directly at odds with Article 14 of the EU AI Act, which requires that high-risk AI systems be supervised by natural persons who have the ability to override or stop the system. The "set and forget" approach will soon be in conflict with EU requirements – and requires organizations to adopt a new model where efficiency and oversight go hand in hand.

This is not a technology problem, but a governance and design challenge. The solution is not to prohibit delegation, but to redesign it: maintain human checkpoints at key decision points and build clear oversight processes. This requires viewing AI governance as part of the organization’s management system and strategic decision-making — not merely an IT issue.

How does your organization balance AI efficiency with the oversight that both ethics and regulation now demand?

#AIStrategy #EUAIAct #ShadowAI #DataGovernance

Sources & Further Reading

1. Köbis, N., Rahwan, Z., Rilla, R., Bonnefon, J.-F. & Rahwan, I. (2025). Delegation to artificial intelligence can increase dishonest behaviour. Nature, 646, 126–134. https://doi.org/10.1038/s41586-025-09505-x
2. Anthropic. (2025). Anthropic Economic Index Report - September 2025. Retrieved October 7, 2025, from https://www.anthropic.com/research/anthropic-economic-index-september-2025-report
3. MIT Project NANDA (2025). State “The GenAI Divide: State of AI in Business 2025” (PDF): https://mlq.ai/media/quarterly_decks/v0.1_State_of_AI_in_Business_2025_Report.pdf
4. Cyberhaven Labs (2024). Shadow AI: How Employees Are Leading the Charge in AI Adoption and Putting Company Data at Risk. https://www.cyberhaven.com/blog/shadow-ai-how-employees-are-leading-the-charge-in-ai-adoption-and-putting-company-data-at-risk
5. Metomic (2025). Survey of Security Leaders. Referenced in Cybernews, October 2025. https://cybernews.com/ai-news/ai-shadow-use-workplace-survey/
6. IBM (2025). Cost of a Data Breach Report 2024. IBM Think Insights, April 17, 2025. https://www.ibm.com/think/insights/hidden-risk-shadow-data-ai-higher-costs
7. European Union (2024). Regulation (EU) 2024/1689 - Artificial Intelligence Act. Official Journal of the European Union. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689

Related Insights

3/12/2026•AI

The bottleneck in AI strategy isn't ideas - it's prioritization

With dozens of AI use cases identified, the real challenge isn't what could be done, but what should be done first. Strategic alignment beats technical novelty.

Marko PaananenRead more →

3/9/2026•AI

Building AI Capability vs. Finding Perfect Tools

Organizations should focus on building capability to evaluate and adopt AI tools continuously rather than searching for the perfect solution.

Marko PaananenRead more →

2/19/2026•AI

OpenClaw Experiment: Personal AI Assistant Revolution

OpenClaw represents a shift from passive AI tools to proactive digital teammates that operate applications independently and maintain persistent memory.

Marko PaananenRead more →