Someone in your company is pasting a confidential board deck into ChatGPT right now. Not because they're careless. Because they want to understand it faster and they have six other things due. Someone else found an AI tool on their phone that summarizes long documents. An engineer shipped AI-generated API code to production because it looked right and the deadline was yesterday.
None of it went through IT. None of it went through security. And none of them fully understood what happened to the data after it left their screen.
That's shadow AI. And if your solution is to write a policy and send a company-wide memo, you're going to lose this one.
The old shadow IT playbook doesn't work here
Shadow IT was mostly about where data was stored. Someone used an unapproved Dropbox instead of the IT-approved SharePoint. A team subscribed to a SaaS tool on a personal card because IT procurement took three months. The problem was real, but bounded. You could find the unapproved tool, talk to the team about why it mattered, and move on.
Shadow AI is different because the data doesn't just sit somewhere. It gets used. Incorporated into a model. Combined with other data. Sent somewhere you cannot audit or reverse. The problem isn't that data ended up somewhere you don't control. It's that data is doing something you can't see, and you can't unring that bell.
Shadow AI isn't shadow IT with a new logo. The underlying risk is structurally different. When data sits in an unapproved tool, it's static. When it goes into an AI query, it participates in computation that happens outside your visibility permanently.
Why you can't network-block your way out of this
You can't firewall your way to an AI governance strategy. Not because your firewall is bad, but because AI has become ambient in a way that makes perimeter controls nearly irrelevant. The compose bar in your email client. The code completion engine in your IDE. The meeting tool that summarizes your quarterly all-hands. It's woven into workflows at a depth that you cannot block without making the tools useless.
And the people using these tools? They're not trying to get around policy. They're just trying to get their work done faster. That's what makes this hard. The incentive isn't rebellious, it's practical.
The CISOs making actual progress on this aren't the ones with the most aggressive blocks. They're the ones who figured out three things.
They actually know where sensitive data lives
I've talked to enough FP&A teams to know what's actually happening. That board deck isn't locked in some secure system. People have it open, they're discussing it in Slack, and some of them are pasting sections into AI tools because they need to get through it faster and they have six other things due. That's the actual workflow. If your governance program doesn't account for that, it's a document, not a program.
They made the approved tool actually usable
Most approved AI tools exist for good reasons. Data residency guarantees. Model provider contracts that include audit rights. Logs you can actually retrieve. The problem is those tools are often painful to use compared to whatever someone downloads on their phone in thirty seconds.
If the approved path requires a four-page intake form and the unapproved path requires nothing, you will lose that competition every time, regardless of what your policy says. Fix the product problem first. The security problem gets harder otherwise.
They measure outcomes, not incidents
Every security team wants to count shadow AI incidents. The problem is the denominator is unknowable. You can't count what you can't see. And even if you could, the number tells you almost nothing useful.
What matters is whether things are getting better. Are sensitive data exposures decreasing? Are approved tool adoption rates going up? Are the people who handle your most sensitive data using the approved tooling at a higher rate than the general population? Those are hard questions. They're also the only ones that matter.
The part nobody wants to talk about
Most security architectures are built on the assumption that you can draw a boundary around your data. Firewalls, CASB, DLP, network segmentation. All of it assumes the data stays somewhere you control. AI doesn't break that assumption everywhere, but it breaks it at the edges, in ways that matter, and in ways that most existing architectures weren't designed to handle.
The CISOs figuring this out aren't the ones writing the best policies. They're the ones who actually understand where their data is going and why people reach for AI tools when they're moving fast. That's a different skill than the one that got most of us into this field, and it's one we're going to have to develop whether we want to or not.