Archos Labs
AI Readiness

Shadow AI Is Already On Your Team

Rob Angeles3 min readPublished
Share
Worker at desk with shadowy duplicate figure behind, headphones glowing blue, split workspace showing control versus chaos.

78% of employees use AI tools their org hasn't approved. Here's how founders find shadow AI on small teams and govern it without killing the momentum.

Open your Google Workspace admin panel and click "Connected apps." If you haven't done this recently, you will find tools you didn't install, haven't heard of, and almost certainly never approved.

Banning it makes the problem invisible, not smaller

The instinct to restrict makes sense on paper. One employee pastes a confidential client brief into a free AI tool. That data leaves your environment, sits on a third-party server, and potentially trains a model you have no agreement with. The output comes back, gets sent to the client without review, and you now have a data leakage problem and an accountability gap in the same incident. For a team of five people with no IT function and no legal counsel on retainer, that incident lands entirely on you.

A reasonable founder reads that and concludes the productivity gains aren't worth it.

Where that logic breaks is at the assumption that a ban stops the behaviour. It doesn't. It stops people telling you about it. Shadow AI adoption sits at 78% across sectors, and that figure includes executives and security professionals who understand exactly what the risks are. Awareness of the danger doesn't change the behaviour because the behaviour isn't reckless — it fills a gap. Employees reach for unapproved tools because sanctioned alternatives are absent or inadequate, not because they missed a memo. A ban without an approved alternative doesn't close that gap. It just removes your visibility into which tools are filling it.

You end up with the same exposure and no information to manage it with.

What you're actually looking at

The specific risks in small teams aren't hypothetical. Client data processed through a free browser extension. AI-generated outputs sent to customers without any human review. Work product created by a tool nobody agreed to use, which means nobody is accountable when it's wrong.

Large companies have compliance departments that absorb these incidents. You don't. One client who discovers their confidential brief was processed through a tool you never approved ends a relationship you spent years building. The asymmetry is severe enough that doing nothing is genuinely not an option — but restriction isn't the alternative.

Finding out where it's happening

Don't start with a survey. Sit down with each person and ask what tools they use to get work done faster. Frame it as curiosity. People who feel audited stop disclosing, and disclosure is the outcome you need.

After those conversations, check the browser extensions on work machines. Both Google Workspace and Microsoft 365 show connected third-party apps in admin settings, and most founders have never opened that page. Ask specifically about writing, summarising, and research tasks. Those are the highest-frequency AI use cases in knowledge work, and they're where client data is most likely to travel somewhere unintended.

(I once skipped this step for three months after a team member joined because I assumed our onboarding doc covered it. It didn't. She'd connected four tools I'd never heard of by week two.)

What lightweight governance looks like

Pick two tools you're willing to approve and tell your team those are the options. ChatGPT Team, Claude for Work, and Gemini for Workspace all offer data processing agreements that keep your data out of training pipelines. The specific tool matters less than having made a decision and communicated it clearly.

Set one rule about data classification. Client names, contract terms, and financial details don't go into any external AI tool without explicit approval. Write it on a single page and share it wherever your team already communicates. Not a policy document. One page.

The goal isn't to stop AI experimentation. It's to make the approved path easier than the unapproved one, and to give yourself a clear line when something goes wrong. Right now, most founders have neither.

Share
Rob Angeles

Written by

Rob Angeles

Most consulting engagements split the thinking from the doing. Rob doesn't. Principal Consultant at Archos Labs, he owns the full stack — assessment, architecture, delivery — across retail, financial services, healthcare, and government.

Search across all essays