Acta acta.ink
Shadow AI · 5 min read

Shadow AI: Your Employees Are Pasting Sensitive Data Into ChatGPT

Most employees use AI tools without IT approval. Here's what that means for your data security and EU AI Act obligations.


Every IT and security leader knows about shadow IT: employees spinning up SaaS tools, personal cloud storage, and unsanctioned apps. Shadow AI is the same problem with a worse failure mode.

When someone signs up for a cloud storage tool, the risk is that data leaves your perimeter. When someone pastes a customer contract into ChatGPT, the data has already left, and depending on the tool's terms and the account tier (consumer accounts typically allow training on inputs unless the user opts out; enterprise and API tiers typically do not) it may be retained or used to train a model you don't control.

The scale of the problem

Industry surveys consistently show that a majority of knowledge workers use AI tools at work, and a significant portion do so without formal IT approval. The pattern is the same across industries:

  • Customer support teams paste customer conversations to draft responses
  • Legal teams upload contracts for summarisation
  • HR pastes employee performance reviews for feedback drafts
  • Engineering shares proprietary code for debugging help
  • Finance uploads spreadsheets with revenue data for analysis

None of this is malicious. Employees use AI because it makes them faster. They don't think about data classification when they're under deadline pressure.

Why blocking doesn't work (and what does)

The first instinct for many CISOs is to block AI tools at the network level. This approach has two problems:

  1. It kills productivity. AI tools are genuinely useful. Blocking them entirely puts you at a competitive disadvantage and frustrates employees who will find workarounds (personal phones, mobile hotspots).
  2. It's whack-a-mole. New AI tools launch weekly. Your blocklist will always be incomplete.

The more effective approach is visibility + guardrails:

  • See which tools are being used and by whom
  • Approve specific tools and block unapproved ones
  • Scan what's being sent to the approved tools
  • Log everything for audit purposes
  • Educate users so they understand why it matters

This is the difference between a "no AI" policy (which nobody follows) and an "AI governance" posture (which protects you while letting teams work).

The EU AI Act angle

Shadow AI isn't just a security problem; it's a compliance problem. Art. 26 of the EU AI Act sets obligations for deployers of high-risk AI systems. A general-purpose chatbot is not high-risk by default, but whether a given use lands in a high-risk area (Annex III lists employment and performance evaluation, among others) depends on what employees actually do with the tool, and that is precisely what shadow AI hides. Where Art. 26 applies, the deployer must:

  • Art. 26(1): Take appropriate technical and organisational measures to ensure the system is used in accordance with its instructions for use
  • Art. 26(5): Monitor the operation of the AI system on the basis of those instructions
  • Art. 26(7): Inform affected workers and their representatives before a high-risk AI system is put into use at the workplace

You can't monitor what you can't see. You can't implement technical measures for tools you don't know exist. And you certainly can't inform workers about AI systems if you don't know which ones they're using.

Shadow AI makes Art. 26 compliance effectively impossible where it applies, and it undercuts the Art. 4 AI literacy duty that applies to every provider and deployer regardless of risk class. Every unapproved tool is an unmonitored, ungoverned AI deployment, which is exactly the situation the regulation is designed to prevent.

What a shadow AI audit looks like

Before you can govern AI use, you need to understand the current state:

  1. Network analysis — review DNS logs, web proxy data and TLS SNI for AI tool domains; proxy logs also give bytes uploaded per request, which is the strongest network-level signal that data is being pasted or uploaded rather than merely browsed
  2. Expense audit — search expense reports and corporate card statements for AI subscriptions
  3. SSO review — check which AI tools have been connected through corporate SSO
  4. Survey — ask employees directly (anonymised) which AI tools they use and for what
  5. Browser monitoring — deploy visibility tooling that can detect AI tool usage in real time
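As an added example (not from the article or from Acta), here is a small Python script that implements step 1 of the audit above over a few constructed proxy log lines. The log format (`timestamp user source_ip host bytes_out`), the domain-to-tool map and the approved-tool set are assumptions made for the illustration; the domain list is deliberately short and would need an owner who keeps it current.

```python
"""Step 1 of a shadow AI audit: scan proxy/DNS-style logs for AI tool domains.

Added example. The domain list, the approved-tool set and the log format are assumptions for
illustration; the log lines below are constructed, not real traffic.
"""

# Illustrative map of AI tool domains to a tool name. Any subdomain matches
# (api.openai.com -> openai.com). Not exhaustive: new tools launch weekly, so this list needs an owner.
AI_TOOL_DOMAINS = {
    "openai.com": "ChatGPT / OpenAI",
    "chatgpt.com": "ChatGPT / OpenAI",
    "claude.ai": "Claude",
    "anthropic.com": "Claude",
    "gemini.google.com": "Gemini",
    "perplexity.ai": "Perplexity",
    "copilot.microsoft.com": "Microsoft Copilot",
}

# Assumed: the only tool this organisation has formally approved.
APPROVED_TOOLS = {"Microsoft Copilot"}

# Constructed proxy log, one request per line: timestamp user source_ip host bytes_out
SAMPLE_PROXY_LOG = """\
2025-03-03T09:14:03Z alice 10.0.1.12 chatgpt.com 48213
2025-03-03T09:20:41Z bob 10.0.1.30 claude.ai 126004
2025-03-03T09:22:10Z carol 10.0.2.7 copilot.microsoft.com 7780
2025-03-03T09:25:55Z bob 10.0.1.30 api.openai.com 2210
2025-03-03T09:30:00Z dave 10.0.2.9 www.google.com 601
this line is malformed and is skipped
2025-03-03T09:31:12Z erin 10.0.3.4 gemini.google.com 30110
"""


def classify_host(host):
    """Return the tool name if host is an AI tool domain or a subdomain of one, else None.

    Walks from the full host name towards the registrable domain, so the most specific
    entry wins and www.google.com does not match just because gemini.google.com is listed.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        tool = AI_TOOL_DOMAINS.get(".".join(labels[i:]))
        if tool:
            return tool
    return None


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) < 5 or not parts[4].isdigit():
        return None
    ts, user, src_ip, host, bytes_out = parts[:5]
    return {"ts": ts, "user": user, "src_ip": src_ip, "host": host, "bytes_out": int(bytes_out)}


def audit(lines, approved=APPROVED_TOOLS):
    """Aggregate AI tool traffic per tool: request count, bytes uploaded, users and hosts seen."""
    summary = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tool = classify_host(rec["host"])
        if tool is None:
            continue
        entry = summary.setdefault(tool, {
            "approved": tool in approved, "requests": 0, "bytes_out": 0, "users": set(), "hosts": set(),
        })
        entry["requests"] += 1
        entry["bytes_out"] += rec["bytes_out"]   # upload volume is the signal for pasted/uploaded data
        entry["users"].add(rec["user"])
        entry["hosts"].add(rec["host"])
    return summary


def unapproved_tools(summary):
    """Tool names seen in traffic that are not on the approved list, sorted for reporting."""
    return sorted(tool for tool, entry in summary.items() if not entry["approved"])


if __name__ == "__main__":
    result = audit(SAMPLE_PROXY_LOG.splitlines())
    for tool, entry in sorted(result.items(), key=lambda kv: -kv[1]["bytes_out"]):
        flag = "approved" if entry["approved"] else "UNAPPROVED"
        print(f"{tool:18} {flag:11} requests={entry['requests']:2} bytes_out={entry['bytes_out']:7} "
              f"users={sorted(entry['users'])} hosts={sorted(entry['hosts'])}")
    print("unapproved tools:", unapproved_tools(result))
```

Two caveats a practitioner should keep in mind. First, this sees only what crosses the corporate network: a personal phone on a mobile hotspot leaves no trace here, which is why the survey and expense steps still matter. Second, with TLS in place the proxy sees the host name and the upload size, not the content, so the network audit tells you that someone sent 126 kB to a chatbot, not whether it was a contract; knowing what left requires a control at the browser or in the governed channel.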

Most organisations that do this for the first time are surprised by the breadth of AI tool usage. Common finding: 3–5× more AI tools in active use than IT was aware of.

From shadow to governed

The goal isn't to eliminate AI use — it's to bring it into the light:

  1. Gain visibility into current usage
  2. Classify tools as approved, conditional, or blocked
  3. Route approved tool usage through a governed channel
  4. Apply data protection controls (PII detection with redaction on approved tools, outright blocking of GDPR Art. 9 special category data such as health or trade union information)
  5. Log everything for compliance and audit
  6. Set budgets so costs don't spiral

This doesn't require a six-month project. With browser-based tooling, it can be deployed in days. The hard part isn't the technology — it's the decision to move from "ignore it" to "govern it."

Disclaimer: This article is for informational purposes and does not constitute legal advice. Statistics cited are drawn from publicly available industry research and may vary by sector and region.

See how Acta can help

PII detection, audit logging, policy enforcement, AI literacy insights. One platform for EU AI Act compliance.
