Shadow AI is the use of AI tools inside an organization without the knowledge or approval of IT, security, or data governance.
The name echoes shadow IT. It usually starts with good intentions: a team has a job to do, an approved tool cannot touch the sensitive data involved, so someone reaches for a public AI tool. The work moves faster, but now it happens outside any policy, log, or review. Two risks follow: sensitive data can leave through a channel nobody watches, and there is no record of what was sent, so the activity cannot be audited or reproduced.
Shadow AI grows wherever sanctioned tools cannot run on the data people actually work with. The durable fix is a sanctioned path: a way to run sensitive AI workflows inside the organization’s own environment with the record kept intact, so the incentive to route around policy fades.