Employees across every department are experimenting with generative AI tools to write emails, analyze data, summarize documents, and debug code. According to IBM’s 2025 Cost of a Data Breach Report, one in five organizations experienced a breach tied to shadow AI, and 63% of breached organizations either lacked an AI governance policy or were still building one. Meanwhile, research shows that roughly 80% of office workers now use some form of public AI, often without their IT department’s knowledge or approval.
This gap between adoption and governance is creating an unmanaged attack surface that traditional security tools may overlook.
What Is Shadow AI, and How Is It Different from Shadow IT?
Shadow AI is the use of unauthorized AI tools, models, or autonomous agents without IT oversight. Shadow IT involves unapproved hardware or software, such as personal Dropbox accounts or unauthorized project management apps. In those cases, data moves from one place to another. Shadow AI introduces something fundamentally different: unapproved data processing.
When an employee pastes proprietary source code, internal strategy documents, or customer records into a public AI model, that data can be absorbed into the model’s training data, making the leakage effectively irreversible. Company-approved AI tools with proper enterprise licenses typically do not use input data for training, but the free consumer versions that employees gravitate toward often do.
Shadow AI Attack Surfaces
Shadow AI doesn’t enter an organization through a single channel. It infiltrates through several vectors, each with its own risk profile.
- Public LLMs: The most common vector is employees using tools like ChatGPT, Claude, or Gemini through personal accounts to summarize meeting notes, draft reports, or troubleshoot code. These interactions happen in the browser, outside any enterprise monitoring, and can include sensitive data pasted directly into prompts.
- Browser Plugins and Extensions: AI-powered browser extensions often request broad permissions to read data across all open tabs. They promise productivity gains such as auto-summarization or grammar checking, but they may silently capture and transmit data from internal applications, email, and document management systems.
- Low-Code and No-Code Bots: Non-technical staff increasingly use platforms like Zapier or Make to connect AI APIs directly to sensitive internal systems such as HR databases, finance tools, or CRM platforms. These automations can move and process data without any security review, creating unmonitored data flows between internal systems and external AI services.
- Autonomous Agents: The newest and potentially most dangerous vector involves AI agents that can make decisions, chain multiple actions together, and, in some cases, escalate their own privileges. These agents create complex data flows that are nearly impossible to trace after the fact.
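The browser-extension vector above can be checked mechanically: an extension's manifest declares the hosts it can read and the browser APIs it can call, so a manifest that combines an all-sites host pattern with tab or scripting access is exactly the "read everything in every tab" profile described. The Python below is an added example (not code from the original article or from Lazarus Alliance) that scores extension manifests on that basis; the two sample manifests, the list of patterns treated as broad, the set of APIs treated as sensitive, and the three-level risk rating are all assumptions for illustration.

```python
"""Rate browser-extension manifests by how much data they could reach.

Added example for auditing extension inventories. The manifests below are
constructed; the pattern and permission lists are assumptions, not a standard.
"""
import json

# Host patterns that grant access to every site (Chrome/Firefox match-pattern syntax).
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# APIs that let an extension read page content, tabs, cookies or clipboard (assumed list).
SENSITIVE_API_PERMISSIONS = {
    "tabs", "scripting", "webRequest", "cookies", "history", "clipboardRead", "debugger",
}


def host_patterns(manifest: dict) -> set:
    """Collect every host pattern the extension asks for, across manifest versions."""
    patterns = set(manifest.get("host_permissions", []))          # Manifest V3
    patterns |= {p for p in manifest.get("permissions", [])       # Manifest V2 mixes hosts
                 if p == "<all_urls>" or "://" in p}              # into "permissions"
    for script in manifest.get("content_scripts", []):            # injected scripts declare
        patterns |= set(script.get("matches", []))                # their own match list
    return patterns


def assess_extension(manifest_json: str) -> dict:
    """Return the broad host patterns, sensitive APIs and an assumed risk rating."""
    manifest = json.loads(manifest_json)
    broad = sorted(p for p in host_patterns(manifest) if p in BROAD_HOST_PATTERNS)
    apis = sorted(p for p in manifest.get("permissions", []) if p in SENSITIVE_API_PERMISSIONS)
    if broad and apis:
        risk = "high"      # can read every page AND act on tabs/scripts/cookies
    elif broad or apis:
        risk = "medium"
    else:
        risk = "low"
    return {"name": manifest.get("name", "?"), "broad_hosts": broad,
            "sensitive_apis": apis, "risk": risk}


# Constructed sample manifests: one "AI summarizer" with an all-sites reach,
# one grammar helper scoped to a single internal host.
SUMMARIZER_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example AI Summarizer",
    "permissions": ["tabs", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
})

GRAMMAR_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Grammar Helper",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://mail.example.internal/*"], "js": ["g.js"]}],
})


def audit_all(manifests) -> list:
    """Assess a list of manifest strings, highest risk first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((assess_extension(m) for m in manifests), key=lambda r: order[r["risk"]])


if __name__ == "__main__":
    for result in audit_all([GRAMMAR_MANIFEST, SUMMARIZER_MANIFEST]):
        print(f"{result['risk']:6} {result['name']}: hosts={result['broad_hosts']} "
              f"apis={result['sensitive_apis']}")
```

Run it against the manifest.json files exported from your endpoint management or browser policy inventory; anything rated high is a candidate for the AI Center of Excellence's vetting queue rather than an automatic block.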
The Impact of Unvetted AI and LLMs
The financial consequences of unmanaged AI use are severe and well-documented. IBM’s Breach Report found that organizations with high levels of shadow AI saw breach costs roughly $670,000 higher than organizations with little or no shadow AI. These breaches also compromised customer personally identifiable information at a rate of 65%, compared to the 53% global average for all breaches.
Legacy security tools make this problem worse by failing to detect the risk. Traditional DLP systems and firewalls are designed to look for static file patterns and known data signatures. Shadow AI exfiltration, however, occurs semantically over prompts and conversations. This makes it largely invisible to conventional monitoring.
Beyond data exfiltration, shadow AI also exposes organizations to model-native attacks that most security teams are not equipped to handle.
- Prompt Injection: Attackers craft inputs that trick an AI model into bypassing its safety guardrails, potentially extracting sensitive data or performing unauthorized actions. When employees use unvetted models, there is no organizational control over the model’s vulnerability to these attacks.
- System Prompt Leakage: Sophisticated prompting techniques can force a model to reveal its system-level instructions, including backend credentials, API keys, or architectural details of connected systems. If an employee has connected an unsanctioned AI tool to internal APIs, this exposure can cascade quickly.
- Model Poisoning: When organizations use unmonitored models trained on corrupted or biased data, the models’ outputs become unreliable. Decisions based on poisoned model outputs can lead to operational errors, flawed analysis, and reputational damage.
Frameworks and Federal Mandates Addressing the AI Challenge
Shadow AI doesn’t just create security risks. It creates compliance risks that can generate fines, audit failures, and loss of authorization. Several major frameworks and federal mandates are directly relevant.
NIST AI Risk Management Framework (AI RMF)
The NIST AI RMF provides a voluntary framework built around four core functions: Govern, Map, Measure, and Manage. For shadow AI governance, the Map function is particularly critical. It asks organizations to identify and contextualize AI systems within their environment, including classifying tools by the level of data risk they introduce, from critical to low. Organizations that have not mapped their AI landscape cannot meaningfully measure or manage AI risk.
Gartner AI TRiSM
Gartner’s AI Trust, Risk, and Security Management (AI TRiSM) framework provides a technical control model for real-time enforcement of AI governance. It operates across four layers:
- AI Governance, which establishes organizational policies and accountability
- Runtime Inspection, which monitors AI behavior in production
- Information Governance, which controls data flows to and from AI systems, and
- Infrastructure, which secures the underlying compute and network resources.
AI TRiSM is especially relevant because it addresses the runtime enforcement gap many organizations face: they can write AI policies but lack the technical controls to enforce them.
GDPR
For organizations handling data subject to the EU’s General Data Protection Regulation, shadow AI poses a particularly acute compliance risk. Article 28 of the GDPR requires documented data processing agreements with any third party that handles personal data. When employees use unsanctioned AI tools, those agreements don’t exist. Equally problematic is the “Right to be Forgotten” under Article 17. Once personal data has been ingested into a model’s training weights, honoring a deletion request becomes practically impossible. The data subject’s information is embedded in the model itself, beyond the reach of any simple deletion mechanism.
CMMC
For defense manufacturers and their supply chains, CMMC compliance requires audit-ready documentation that demonstrates consistent control over systems handling CUI. Shadow AI creates “evidence gaps” that are difficult to explain to assessors. If employees process CUI using unapproved AI tools, the organization cannot demonstrate the chain of custody, access controls, or data flow documentation that CMMC assessors expect. At higher maturity levels, where organizations must demonstrate protection against advanced persistent threats, unmonitored AI tools represent exactly the kind of uncontrolled data path that CMMC is designed to eliminate.
FedRAMP
FedRAMP governs cloud security for federal systems and relies on NIST SP 800-53 as its control baseline. Shadow AI introduces unauthorized cloud services into the environment, potentially outside the defined authorization boundary. NIST’s COSAiS (Control Overlays for Securing AI Systems) project is building directly on SP 800-53 to create implementation-focused security guidelines for AI systems, covering everything from training data integrity to model configuration security. For FedRAMP-authorized environments, COSAiS signals that regulators expect AI components to be treated with the same rigor as any other system component, and shadow AI fundamentally undermines that expectation.
Making AI Visibility Part of Your Compliance Strategy
Addressing shadow AI requires a deliberate, phased approach that prioritizes visibility before enforcement. Blanket bans on AI tools have been shown to drive usage further underground, making the problem worse rather than better. Instead, organizations should follow a visibility-first roadmap.
- Discovery. Begin by understanding what AI tools are actually in use across the organization. Query DNS and web proxy logs for traffic to known AI domains. Review OAuth consent grants to identify which third-party AI services employees have authorized to access corporate data. Audit browser extension inventories for AI-powered plugins.
- Role-Based Policy. Once you have visibility, develop AI policies tailored to team functions rather than applying organization-wide restrictions. Policies might differ, for example, for code-completion tools, content-generation tools, or models used to access financial data. The key is to align permissions with actual workflow needs so employees don't have to work around the policy.
- Establish an AI Center of Excellence (CoE). Create a cross-functional body that includes representatives from IT, security, legal, compliance, and business operations. This CoE should lead AI literacy training, conduct vendor vetting and risk assessments for new AI tools, and serve as the organizational authority for approving or denying AI tool requests.
- Sanctioned Alternatives. Provide employees with approved walled-garden versions of the AI tools they already use. Enterprise offerings such as Microsoft 365 Copilot, enterprise ChatGPT plans, or internally hosted models provide employees with the productivity benefits they want while ensuring data remains within organizational controls.
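The Discovery step above starts with proxy and DNS logs. As an added example (not code from the original article or from Lazarus Alliance), the Python below scans constructed web-proxy log lines for requests to the public AI services named in this article, skips hosts the organization has sanctioned, flags large POST bodies as possible bulk pastes, and builds the per-user inventory that the role-based policy step needs. The log line layout, the domain-to-service table, the user names and the 50 KB upload threshold are all assumptions; adapt the regular expression to your proxy's actual format.

```python
"""Find traffic to public AI services in web-proxy logs (added example).

The log layout, domain table, sample lines and threshold are assumptions
made for this illustration, not output or code from the original article.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed inventory of public AI service domains; subdomains match automatically.
# Maintain this from your own approved/unapproved tool register.
PUBLIC_AI_DOMAINS = {
    "chatgpt.com": "ChatGPT",
    "openai.com": "OpenAI API",
    "claude.ai": "Claude",
    "anthropic.com": "Anthropic API",
    "gemini.google.com": "Gemini",
    "generativelanguage.googleapis.com": "Gemini API",
}

# Assumed proxy log layout, one request per line:
# <iso-timestamp> <user> <client-ip> <method> <url> <status> <request-bytes>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<req_bytes>\d+)\s*$"
)

UPLOAD_BYTES = 50_000  # assumed threshold for "possible bulk paste or file upload"


def ai_service_for(host: str):
    """Return the service label if host is, or sits under, a known AI domain."""
    host = host.lower().rstrip(".")
    for domain, label in PUBLIC_AI_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return label
    return None


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not fit the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["req_bytes"] = int(rec["req_bytes"])
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def find_shadow_ai(lines, sanctioned_hosts=frozenset()):
    """One hit per request to an AI service whose host is not sanctioned."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not fatal
        label = ai_service_for(rec["host"])
        if label is None or rec["host"] in sanctioned_hosts:
            continue
        hits.append({
            "user": rec["user"],
            "service": label,
            "host": rec["host"],
            "method": rec["method"],
            "req_bytes": rec["req_bytes"],
            "possible_upload": rec["method"] in ("POST", "PUT")
                               and rec["req_bytes"] >= UPLOAD_BYTES,
        })
    return hits


def summarize(hits):
    """Per-user, per-service request counts: the raw material for an AI inventory."""
    counts = defaultdict(lambda: defaultdict(int))
    for h in hits:
        counts[h["user"]][h["service"]] += 1
    return {user: dict(per_service) for user, per_service in counts.items()}


# Constructed sample log: an intranet request, three AI-service requests
# (one with a large body) and a malformed line.
SAMPLE_LOG = [
    "2025-03-03T09:12:01Z alice 10.1.2.3 GET https://intranet.example.internal/wiki/page 200 0",
    "2025-03-03T09:13:44Z alice 10.1.2.3 POST https://chatgpt.com/backend-api/conversation 200 1834",
    "2025-03-03T09:15:02Z bob 10.1.2.7 POST https://api.openai.com/v1/chat/completions 200 73120",
    "2025-03-03T09:16:19Z carol 10.1.2.9 GET https://claude.ai/ 200 0",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in find_shadow_ai(SAMPLE_LOG):
        flag = " [possible upload]" if hit["possible_upload"] else ""
        print(f"{hit['user']:6} {hit['service']:12} {hit['method']} {hit['host']}{flag}")
    print(summarize(find_shadow_ai(SAMPLE_LOG)))
```

Pass the hosts covered by an enterprise agreement as sanctioned_hosts so that approved use drops out of the report and only the unmanaged traffic remains; the possible_upload flag is a triage aid for reviewers, not a verdict, since body size says nothing about what the body contained.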
Step Into the New Frontier of AI Governance in Compliance with Lazarus Alliance
Shadow AI is not a problem that can be solved by pretending it doesn’t exist or by issuing a blanket ban. Employees use these tools because they deliver real value, and that value isn’t going away. It’s up to tech leaders to thread the needle between risk and value.
To learn more about how Lazarus Alliance can help, contact us.