Last reviewed:
What is shadow AI? Definition and pitfall to avoid
Shadow AI refers to the use of generative AI models by employees without validation or framing from their company. Widespread in 2025-2026, it creates legal, financial (leakage of business data to public models), and quality (unaudited outputs integrated into client deliverables) risks.
Shadow AI is the AI equivalent of shadow IT, extended in 2024-2025 to nearly all companies. The figures converge: 35.9% of US workers used generative AI by December 2025 (Federal Reserve Bank of St. Louis), a significant portion in shadow mode, without declaration to their employer. A PagerDuty/Wakefield Research survey (fielded April 2026, 1,250 office professionals in non-IT roles at companies with $500M+ revenue) quantifies the scale on the corporate side: 66% have used an AI tool they believed was not permitted, and 88% shared work-related information with it — including 34% customer data and 31% financial or confidential documents. Four mechanisms feed shadow AI. The free nature of consumer tools (ChatGPT, Claude.ai): an employee only needs a personal email address. Perceived performance: public models produce useful results immediately. Slowness of official deployment: between identifying a need and providing a validated tool, several months often pass. Lack of explicit policy: without a written AI policy, employees interpret silence as tacit authorisation. These mechanisms show up in the data: 89% of users first adopted the tool in their personal life, 44% use it to work around the limits of company-approved tools, and 38% have delivered AI-assisted work without disclosing it. Frequent consequences: transmission of confidential documents to external models, use of outputs in deliverables without legal review.
Concrete example
An 80-employee HR consulting firm detects in 2025, during a GDPR audit, that 45 consultants use ChatGPT from their personal account to prepare client assessments. Estimated cumulative volume: 8,000 conversations over 9 months, containing personal data of about 1,200 individuals (candidates, evaluated employees). Company response: formal information to the persons concerned, legal audit, implementation of a written AI policy, deployment of a validated internal tool (Claude Enterprise with European hosting), mandatory training. Total cost of the incident: 95,000 euros, including the audit, client communication, training, and three departures of employees not wanting the new framework.
See also
Further reading
The Rapid Adoption of Generative AI, Federal Reserve Bank of St. Louis, 2025
Sources
- The Rapid Adoption of Generative AI, Bick, Blandin & Deming, Federal Reserve Bank of St. Louis Working Paper 2024-027C, revised 2025. https://www.stlouisfed.org/on-the-economy/2025/feb/impact-generative-ai-work-productivity
- CNIL recommendations on AI and GDPR compliance, 2024 (resource available in French only). https://www.cnil.fr/fr/intelligence-artificielle
- PagerDuty Shadow AI Survey, conducted by Wakefield Research, fielded 9-20 April 2026 (1,250 office professionals in non-IT roles, companies with $500M+ revenue, US/UK/JP/AU, margin of error ±2.8 pts). https://www.pagerduty.com/newsroom/shadow-ai-workplace-survey-2026/