Across Europe, AI adoption has accelerated at a pace few organizations were prepared for. As ever more powerful tools become freely available online, employees may be increasingly tempted to use unapproved third-party systems to speed up tasks, generate content, or analyze data. This quiet, decentralized use of AI – widely known as Shadow AI – is now one of the fastest growing potential risks in the modern workplace.

The complexity of AI brings fresh challenges and potential dangers. For example, the BCS (British Computer Society) published a detailed analysis warning that Shadow AI is more dangerous than traditional Shadow IT because employees are feeding sensitive data into unregulated AI systems, often with little idea of where this data is being processed or stored. There is also a worrying prospect of the use of Shadow AI going undetected until issues arise – figures from Withum suggest 57% of employees hide their AI usage at work.

Despite the potential dangers, however, there is no reason to assume Shadow AI is driven by malicious intent. Rather, it commonly emerges because employees want to work faster, solve problems creatively, and bypass slow internal processes. But the consequences can be serious: exposure of sensitive business information, GDPR and EU AI Act breaches, intellectual property loss, and inconsistent or inaccurate outputs that undermine decision making.

In this blog article we explore the potential problems, the specific risks for European organizations, and the practical steps businesses can take to regain control – without stifling innovation.

The Scale of Shadow AI in Europe

Recent research shows that Shadow AI is not just fringe behavior – it is now mainstream. The Reco AI – 2025 State of Shadow AI Report suggests that 98% of companies have employees using unauthorized AI tools in some form. Meanwhile, Microsoft UK’s 2025 findings reveal the extent of the issue, with 71% of employees having used unapproved consumer AI tools at work, with 51% doing so every week. Only 32% are concerned about privacy risks, and only 29% worry about the security implications. The report warns that Shadow AI creates risks of data leaks, regulatory noncompliance, and cyberattack exposure.

Conversely, the official adoption of AI is also lagging for many businesses. According to research by Eurostat, in 2025 only 20% of EU enterprises had formally integrated and sanctioned AI technologies in their operations. While this is up from 13.5% the year before, it leaves an enormous 80% of companies without official AI capabilities – creating a massive vacuum that employees fill using Shadow AI. A geographic divide exists too: Northern Europe leads in adoption of AI into businesses (Denmark at 42%, Finland at 38%), while Eastern and Southern Europe lag significantly (Romania at 5%, Poland at 8%), potentially forcing workers in lagging regions to rely heavily on personal AI accounts to keep up productivity.

Forrester predicts a surge in Shadow AI usage as employees independently adopt tools that help them work faster. Like Withum’s research, Gartner also reports a growing trend of employees using AI tools without informing employers, creating accountability and compliance risks. Major firms – including Apple, Amazon, and JPMorgan – have already restricted internal use of public AI tools due to data leakage concerns.

Why Shadow AI Is a Bigger Risk Than Shadow IT

Shadow IT – the use of unapproved apps or devices – has been a known issue for years, but Shadow AI introduces deeper, more systemic risks. Figures from Komprise’s 2025 IT Survey of 200 U.S. enterprise executives reveal significant AI risks: 90% fear security and privacy threats from Shadow AI, 80% have experienced AI-related data incidents, and 13% have already suffered financial, client, or reputational damage.

Three key concerns for organizations include:

  1. Sensitive data is being fed into external systems: TechAhead’s analysis shows that corporate data fed into AI tools increased 485% in one year, while the sharing of sensitive data within those inputs nearly tripled – from 10.7% to 27.4%. The research also found that 75% of knowledge workers already use AI tools at work and, worryingly, that nearly half would continue even if banned. TechAhead’s analysis also emphasized that Shadow AI often involves unvetted tools processing sensitive information without encryption, governance, or accountability.
  2. GDPR and EU AI Act compliance risks: Under GDPR, organizations remain responsible for how personal data is processed – even if an employee uploads it to an external AI tool without permission. The EU AI Act, which officially came into force on 1st August 2024, adds further obligations, including transparency requirements, data governance and quality controls, risk management for high-risk systems, and documentation and auditability requirements. Shadow AI directly conflicts with these requirements, exposing organizations to regulatory penalties and reputational damage.
  3. Inconsistent or inaccurate outputs: Unregulated AI tools can generate fabricated facts, biased or incomplete analysis, and outputs that cannot be audited or explained. This undermines decision making and creates operational risk – especially in sensitive sectors such as finance, healthcare, legal services, and public administration.

Why Do Employees Turn to Shadow AI?

The logical and simple answer is that AI helps them work faster. Microsoft’s research shows employees use Shadow AI because it boosts productivity, not because they want to break rules. Interestingly, research from BlackFog shows that nearly half (49%) of employees have used AI tools without their employers’ approval, but even more concerning is that a clear majority of leadership – 69% of the C-suite and 66% of senior management – are comfortable with this trade-off, choosing to prioritize speed over privacy in their rush to deploy AI.

Ideally employees will use fully vetted and sanctioned AI systems to achieve these productivity gains and advantages, while avoiding the potential risks from Shadow AI systems. Unfortunately, many organizations still lack clear AI usage policies, approved tools that meet real workflow needs, and training on safe and compliant AI use. It is essential to address this to ensure AI is used safely and responsibly.

How European Businesses Can Reduce Shadow AI Risks – Without Slowing Innovation

Shadow AI risks cannot be solved by banning tools – determined employees will simply work around restrictions. Instead, organizations need a balanced approach that combines governance, technology, and culture.

However, policing Shadow AI can be complex, especially for organizations that don’t have internal expertise to analyze and assess the tools being used. It is more logical to remove the need for Shadow AI by replacing it with safe, approved, and effective AI systems that help employees meet their needs without putting the organization at risk.

Below is a practical framework that helps an organization to align with European regulatory expectations and industry best practice:

  1. Be aware of what AI is being used already: As AI becomes essential to operations, internal audits are critical for ensuring the technology is used safely. While the focus has shifted from standard software to complex algorithms, the core goals – evidence, traceability, and accountability – remain the same. The process starts with creating a clear inventory of all AI models, integrations, and APIs, documenting their purpose, data sensitivity, and ownership. This baseline allows companies to manage risk effectively. By adopting industry standards like NIST or ISO/IEC 42001, organizations can turn technical oversight into clear, verifiable business accountability.
  2. Establish a clear, organization-wide AI usage policy: Employees may turn to unapproved tools in the absence of formal AI usage rules. A robust AI policy provides clear direction and sets binding standards across the organization. It should define approved AI tools, specify what data may or may not be shared, and establish mandatory requirements for handling personal and confidential information. It should also set clear expectations for transparency and traceability in AI use. This will provide a strong basis for ensuring all systems comply with GDPR and the EU AI Act.
  3. Provide secure, enterprise-grade AI tools: As we have discussed, the most effective way to reduce Shadow AI is to offer officially sanctioned tools that are secure, auditable, and integrated into existing workflows. For example, solutions such as Microsoft 365’s Copilot provide enterprise level governance, encryption, and data residency controls – giving employees the productivity benefits they want without risks.
  4. Build AI literacy and awareness: As we have seen, Microsoft’s research shows only 32% of employees are concerned about privacy risks when using consumer AI tools. This means effective training – often referred to as “AI literacy” or “AI fluency” – will be needed to help employees understand how AI tools store and process data, what constitutes high risk behavior, the regulatory implications under GDPR and the EU AI Act, and when human oversight is required. It is also worth remembering that any governance framework is only as effective as the culture supporting it. While policies set boundaries, culture dictates behavior – transforming compliance from a mandatory requirement into an ingrained organizational habit.
  5. Implement strong data governance and access controls: As previously highlighted, TechAhead’s findings show that the volume of sensitive data entered into AI tools nearly tripled within a year, reinforcing the need for robust controls. Organizations should classify data, restrict external sharing, and deploy Data Loss Prevention (DLP) tools to prevent unauthorized uploads. They should also monitor AI-related activity for anomalies and ensure encryption and audit trails for all approved systems. This aligns directly with the EU AI Act’s requirements for transparency and risk management.
  6. Create a central AI governance team: Ideally, an organization should appoint a cross functional group – typically IT, security, legal, HR, and business leaders – that can oversee the use of AI systems. This can include tool evaluation and approval, risk assessments, vendor due diligence, and compliance monitoring. This AI management group ensures AI adoption is strategic, consistent, and aligned across the organization.
  7. Encourage responsible experimentation: While there are potential issues, Shadow AI often emerges from innovation. In some cases, instead of shutting these efforts down, organizations can turn AI curiosity into structured value creation by channeling this approach and providing sandboxes for testing new tools, clear processes for proposing new use cases, and supporting experimentation with proper oversight.
  8. Communicate the benefits of using approved tools: Employees that clearly understand why some AI tools are permitted whilst others need to be banned are more likely to follow the rules. Therefore, it is important to communicate how approved tools protect client and business data, how they reduce personal risk, and how they support long term AI strategy. This will help to build a culture of trust and shared responsibility.
  9. Monitor, measure, and continuously improve: The use of Shadow AI is not a one-time issue – it will evolve and change as new tools emerge in the future. With this in mind, organizations should track AI usage trends, review incidents or near misses, update policies as regulations change, and ensure training is refreshed regularly. This creates a living governance model that adapts to the pace of AI innovation.

Turning Shadow AI from a Risk into a Competitive Advantage

Shadow AI is a symptom of a deeper truth: employees want AI, and in some cases they will use it with or without approval. The organizations that thrive will be those that provide secure, accessible AI tools, build strong governance frameworks, encourage responsible innovation, and ensure they fully align with GDPR and the EU AI Act.

By embracing AI safely and strategically, European businesses can unlock productivity, protect their data, and build a future ready workforce.

Konica Minolta’s Approach

Successfully addressing Shadow AI can be daunting for businesses that don’t have the expertise or knowledge base to do so effectively. This is where expert assistance makes a considerable difference.

At Konica Minolta, we help organizations get the most out of technology – whether it's the effective and planned deployment of AI in Microsoft 365 Copilot, intelligent document processing or business processes and business intelligence. We combine technology expertise with business understanding to help your company streamline processes, improve productivity and make better decisions by taking an information-led approach.
