Definition · Plain-language
Shadow AI
Shadow AI is the use of artificial intelligence tools by employees without the knowledge, approval or oversight of an organisation’s IT and governance functions.
What shadow AI describes
Shadow AI refers to AI tools and services adopted and used within an organisation outside its formal approval and oversight processes. It is the AI-specific form of shadow IT, where technology enters the workplace through individual initiative rather than a managed procurement and governance route. Common examples include staff pasting work content into a public chatbot, using unapproved AI writing or coding assistants, or embedding third-party AI features without review. The defining characteristic is the absence of visibility: the organisation’s IT and governance functions do not know the tool is in use.
Why it is a governance risk
Shadow AI is described as a governance risk because ungoverned use can undermine controls the organisation relies upon. Sensitive or confidential information may be entered into external services whose data-handling terms have not been vetted (for example, whether submitted content is retained, reviewed or used to train the provider’s models), raising confidentiality and data-protection concerns. Outputs may be inaccurate or biased yet acted upon without review, and the use may sit outside record-keeping, security and compliance frameworks. Because the activity is invisible to oversight, the organisation cannot assess, document or mitigate the associated risks, which is the core of the governance problem.
How organisations respond
Organisations typically address shadow AI through a combination of policy, awareness and provision of sanctioned alternatives. Clear acceptable-use guidance sets out which tools may be used and with what categories of data, while AI-literacy efforts help staff understand the risks of ungoverned use. Offering approved, governed AI tools reduces the incentive to reach for unsanctioned ones. Shadow AI connects to broader AI-governance practice and to frameworks such as the NIST AI Risk Management Framework and ISO/IEC 42001 (the AI management system standard), both of which call for inventorying and overseeing AI use across an organisation.
Key facts
At a glance
- Definition: Unsanctioned use of AI tools without IT or governance oversight.
- Related concept: The AI-specific form of shadow IT.
- Typical examples: Public chatbots, unapproved AI assistants, embedded AI features.
- Core problem: Lack of visibility prevents risk assessment and documentation.
- Main risks: Data exposure, unreviewed outputs, bypassed controls.
- Mitigations: Acceptable-use policy, AI literacy, sanctioned alternatives.
Common misconceptions
What people often get wrong
Often heard: Shadow AI is a specific type of malicious or hacking software.
Actually: Shadow AI is not malware. It refers to ordinary AI tools used by staff outside official oversight. The risk arises from the lack of governance, not from the tools being inherently malicious.
Often heard: Shadow AI only matters for large enterprises.
Actually: Any organisation whose staff can access public AI tools can experience shadow AI. The governance concern about ungoverned data exposure and unreviewed outputs is not limited by organisation size.
Often heard: Banning AI tools entirely eliminates shadow AI.
Actually: Outright bans can drive use further underground. Many governance approaches instead combine policy and awareness with sanctioned, governed alternatives so staff have an approved route.