Archos Labs
Human-Centered Transformation

Shadow AI Is Already Here

Rob Angeles · 4 min read

Shadow AI is quietly reshaping enterprise workflows. Learn how to assess and control it before it costs you more than just data security.

The AI strategy most companies are running isn't the one their CIO approved. It's the one their employees improvised. Tools like ChatGPT, Midjourney, and Runway slip past governance with a corporate email login and ten minutes of curiosity. Adoption isn't measured in licenses. It's measured in habits.

Why your AI risk posture is out of date

Compliance teams mapped out acceptable tools. Procurement launched an intake process. Security built policy around known behaviors. Those frameworks are being bypassed hourly. Salesforce's 2024 State of IT report found that 56% of IT leaders believe generative AI is spreading faster than their teams can govern. That’s not a speed issue. It’s a blind spot.

Most Shadow AI usage comes from good intentions. Employees are solving real problems faster than official tools allow. A project manager assembles a deck in Tome. A recruiter writes outreach with GPT. A product analyst runs customer journeys through a third-party plugin. None of it registers in the tool inventory. None passes review. Employees make practical choices even when the tools carry risk. Exposure happens because the workflow is faster that way.

JPMorgan Chase pulled access to ChatGPT in 2023 after internal teams flagged data handling issues. Samsung followed with a restriction of its own. Amazon and Apple made similar moves as usage spread without approvals. These actions created obstacles, but none stopped the trend. Employees kept moving forward with whatever worked.

The productivity gains are real — and uneven

A July 2023 study published in Harvard Business Review tested GPT-4 on strategic consulting tasks. Performance jumped by more than 40% when consultants were allowed to use the model. These results won’t replicate everywhere. Still, they highlight something executives can’t ignore: generative AI works. And users don’t wait for IT to catch up.

Shadow AI gains traction where experimentation is valued and formal review is minimal. Visual teams, outbound functions, and customer analysts tend to adopt fastest. This leads to uneven advantage. It’s not about who has access — it’s about who already knows how to use it. That skill gap is compounding quietly inside your organization.

The employees who already know how to use these tools trade tips with each other and adjust fast. By the time your official tool launches, they’ve already built their own workflows.

Inventory first, then decide what to allow

Most generative AI policy assumes organizations are leading. In practice, they’re catching up. Linear rollout strategies fail because usage isn’t linear. It's scattered, siloed, and invisible until someone opens a browser history.

Start by observing. A 30-day Shadow AI Amnesty gives you that chance. Create a space for employees to log tools they’ve tested. No legal disclaimers. No policy approvals. Just a confidential prompt: What are you using that we didn’t approve?

The data won’t be perfect, but it gives you signal. You’ll see where usage clusters. You’ll spot plugins employees won’t give up. You’ll identify exposure points security didn’t plan for. From that position, governance becomes practical. You’re no longer making guesses — you’re responding to patterns.

PwC treats generative AI as something to discover, not dictate. Their leaders set boundaries and invite teams to test tools that fit their workflows. Microsoft led with access, not blockage, when it launched Copilot. Policy followed.

Start with a 30-day amnesty

Risk teams can’t patch Shadow AI with document updates. HR can’t train for tools executives haven’t found yet. The only viable move is to surface what’s already happening — and work from there.

Pick three leaders. One from IT. One from security. One from HR. Make them the sponsors of a 30-day amnesty. Use a simple form or feedback channel. Invite employees to list the AI tools they’ve tried. Keep it voluntary. No penalties, no HR reviews — just a starting point for visibility.

At the end, publish a heat map. Not for audit. For planning. You’ll know which departments are sprinting and where risk lives. That’s your foundation. That’s what turns governance theory into action.

Shadow AI isn’t a threat on the horizon. It’s already embedded across your business — logged into accounts you’ve never approved.

Written by

Rob Angeles

Most consulting engagements split the thinking from the doing. Rob doesn't. Principal Consultant at Archos Labs, he owns the full stack — assessment, architecture, delivery — across retail, financial services, healthcare, and government.