Unsanctioned AI - the new Shadow IT risk

Unsanctioned AI, used unknowingly or outside official governance, is creating a new shadow IT risk in organisations. Awareness, clear policies, and approved AI solutions are key to turning this hidden risk into a managed advantage.

By Guy Ratcliffe, CTO, BOX3

Artificial Intelligence is moving at such a pace that many organisations are now using it without even realising it. In some cases, AI is embedded quietly within productivity tools, customer platforms or SaaS. In others, staff knowingly explore AI technologies, but outside of official strategies, policy and oversight. This phenomenon, which we can refer to as unsanctioned AI, bears a striking resemblance to the early challenges of shadow IT and unmanaged cloud usage.

What is unsanctioned AI?

Unsanctioned AI arises in two main scenarios:

Unrecognised AI usage - Modern software often includes AI-powered features, from predictive text and auto-summarisation in office tools to intelligent search inside collaboration platforms. These functions may be seen as "just part of the app," but they are often powered by external AI services processing corporate data in opaque ways.

Uncontrolled AI adoption - Business units, departments or individual users often create their own AI-powered processes. For example, they might build custom models locally, run AI scripts within data-rich environments, or trial external chatbot services to streamline workflows. While these innovative approaches can provide significant value, they frequently do so without adhering to governance, compliance and security safeguards.

Why it matters

Like shadow IT before it, unsanctioned AI has broad implications for businesses:

  • Data risk - Sensitive internal data may be processed by unauthorised models or services, raising concerns about compliance, privacy, and data leakage.

  • IT resource consumption - Users experimenting with AI models can strain GPU, CPU and storage resources that are either already in place or, due to the nature of cloud, consumed on demand, impacting shared IT budgets and operational priorities.

  • Governance - Policies designed for traditional IT and cloud services may not be sufficient to cover AI usage, leaving a blind spot in risk frameworks.

  • Inconsistent outcomes - Without controls, outputs from unsanctioned AI may conflict with those from sanctioned systems, resulting in duplication, errors, or misleading results.

Lessons from shadow IT

The shadow IT era demonstrated that banning innovation rarely works; customers I worked with often tried the heavy hand, only for these efforts to fail, as businesses sought to move forward, seeing it as the handcuffs that slowed them down. Many cloud services that began as unmanaged experiments eventually became core enterprise tools once risk, compliance, and security controls were established. AI is no different - it carries risks, but also vast opportunities. The organisations that succeed will be those that channel unsanctioned AI into structured, transparent, and compliant adoption.

Addressing the challenge

Organisations can mitigate the risks of unsanctioned AI by:

  • Creating AI awareness - Educating employees about where AI might already be embedded in the tools they use and the implications for data handling.

  • Establishing clear policies - Building on existing IT governance frameworks to include AI-specific risks and guidance.

  • Providing safe alternatives - Giving staff approved, well-governed AI solutions that meet business needs reduces the temptation to experiment unsafely.

  • Monitoring and adapting - Just as cloud governance evolved, AI oversight must remain flexible, adapting to new technologies and emerging business use cases.


The path forward

AI will not be confined to controlled pilots and labs; its reach is embedded, pervasive, and increasingly invisible. The question is not whether unsanctioned AI is being used (it already is), but how organisations choose to recognise, manage and channel it. As with cloud computing before it, the challenge for leadership is to turn a potential liability into a managed advantage.
