Last reviewed:
Shadow AI in the workplace — 2026 Barometer
In 2026, the ungoverned use of generative AI is no longer a blind spot: it is the norm. Two-thirds of professionals use tools at work they believe are banned — and pour emails, customer data and financial documents into them.
This barometer brings together the public data available in late 2025-2026 on shadow AI in the workplace and offers a grid to locate your organisation. The question is no longer "should we allow generative AI" — it is already everywhere — but "how do we govern it before it costs".
PagerDuty / Wakefield Research — 1,250 professionals, April 2026
01The state of play
Adoption is not decided in a committee. It rises from the ground up, by capillary action, faster than any IT department can frame it.
Usage doesn't come from the top. It settles in from the bottom, carried by tools that are free and immediately useful. No ban has ever caught up with free.
02What is actually leaking
The risk is not theoretical. Among professionals who use AI at work, 88% have shared work-related information with it. The breakdown is telling:
And 38% have delivered AI-assisted work without disclosing it.
Every line is data leaving the company for a public model, often with no contractual basis and no legal review. This is the core of the GDPR risk — and it plays out every day.
03Why it happens
Shadow AI is not an individual failing. It is the predictable product of four mechanisms.
Free access
A personal account and an email address are enough. No barrier to entry.
Perceived performance
Public models produce a useful result immediately. 89% started in personal use, won over before any framework existed.
Slow official rollout
Months pass between the need and the validated tool. 44% use AI to work around the limits of company-approved tools.
No clear policy
Without a written rule, silence means permission. 81% even perceive different rules for leadership and the rest of the company.
Banning without offering an alternative doesn't remove usage: it pushes it into the shadows. You then get the worst of both worlds — the risk persists, the visibility disappears.
04The precedent that binds the company
In 2024, a Canadian tribunal ordered Air Canada to honour a discount invented by its own chatbot. The company's defence — "the chatbot is a separate entity, responsible for its own words" — was rejected.
"The company answers for what its AI produces. A hallucination built into a service or a deliverable engages the employer's liability — not the model's."
Moffatt v. Air Canada, Civil Resolution Tribunal (British Columbia), 2024
05The WYP grid: where does your organisation stand?
Locate your maturity in a single read. Most organisations sit at levels 0 or 1 — that is, exposed.
Denial
No policy, no measure. Usage exists, invisible. Maximum exposure.
Ban
Restrictive policy, unsupported. Usage continues, hidden. The worst of both worlds: the risk persists, the visibility disappears.
Framing
Written policy + a validated, properly hosted tool + training. Usage is framed. Risk under control.
Governance
Framing + usage audits + human review on high-stakes outputs + continuous improvement. Shadow AI becomes just AI again.
06The three non-negotiable measures
A written AI policy
Silence means tacit permission. One page changes everything: what is allowed, what is not, and with which tools.
A validated, properly hosted tool
Without a credible alternative — European hosting, data not reused for training — the ban gets bypassed. It's the offer that kills shadow AI, not the rule.
Human review on high-stakes outputs
No client, legal or financial deliverable ships without review. A hallucination is not a bug: it is a structural property of the model.
See also
Further reading
Sources
- PagerDuty Shadow AI Survey, conducted by Wakefield Research, fielded 9-20 April 2026 (1,250 office professionals in non-IT roles, companies with $500M+ revenue, US/UK/JP/AU, margin of error ±2.8 pts). https://www.pagerduty.com/newsroom/shadow-ai-workplace-survey-2026/
- The Rapid Adoption of Generative AI, Bick, Blandin & Deming, Federal Reserve Bank of St. Louis, 2025. https://www.stlouisfed.org/on-the-economy/2025/feb/impact-generative-ai-work-productivity
- Moffatt v. Air Canada, 2024 BCCRT 149, Civil Resolution Tribunal (British Columbia). https://www.canlii.org/en/bc/bccrt/doc/2024/2024bccrt149/2024bccrt149.html
- CNIL recommendations on AI and GDPR compliance, 2024 (resource in French). https://www.cnil.fr/fr/intelligence-artificielle