Shadow AI Is Already in Your Org: a 90-day containment plan
Every shop I walk into is already running AI it doesn't know about — not the sanctioned copilot with a procurement trail, but the side tab, the personal account, the API key someone wired into a script over a weekend. By the time I'm called in, that invisible use has usually already surfaced — in an incident, or worse, in an audit finding. The pattern never changes: the AI you can't see is the AI that fails the audit.
organizations now report a breach traced to shadow AI — unsanctioned tools used without oversight (IBM, 2025). The ones running it pay about $670K more per breach.
This isn't a hypothetical. In 2023, Samsung gave its chip engineers access to ChatGPT; within about twenty days, staff had pasted proprietary semiconductor source code and the transcript of a confidential internal meeting into the prompt box — three separate leaks, all from people just trying to work faster. What Samsung did next is the part worth copying: it didn't only ban the tool, it stood up a sanctioned in-house alternative, so the productivity didn't walk out the door alongside the risk.
The model was never the problem. You can't see the use — and what you can't see, you can't govern, log, or prove when someone asks for it. Surveys put unsanctioned AI at roughly half the workforce, but the exact figure barely matters next to that. Banning it just pushes the use one tab deeper into the dark; a trail is what works. Here's the 90-day plan I run when a team realizes shadow AI is already inside the building: find it, fence it, formalize it.
Days 1–30: Find it
You can't contain what you haven't named. The first month is pure discovery, and the goal is an honest inventory — not a witch hunt. The moment people think the survey is about blame, the real usage goes quiet and you've made the problem harder to see.
Days 1–30 — Find it
- Pull egress and proxy logs for traffic to known AI providers — not just the obvious chatbot.
- Run a no-blame survey of every team — amnesty surfaces more than enforcement on the first pass.
- Flag the high-consequence uses first: anything touching customer PII, credit, or a regulated decision.
- Assume exposure until proven otherwise — 65% of shadow-AI breaches hit customer PII (IBM, 2025).
- Record every tool in one register a named human owns — not a wiki nobody reads.
By day 30 you should be able to say — without a week of digging — exactly what AI is running against your data and who's running it. Most teams have never been able to say that. That sentence alone is most of the audit.
Not sure what's already running?
Bring one team and one real workflow. In 30 minutes I'll show you where your shadow AI is and which uses would fail an inspection — no slides, no pitch.
Days 31–60: Fence it
Now you put up fences. Not the final policy — provisional guardrails that convert invisible use into visible, logged use while you design the permanent version. This is the gap that bites: among compromised organizations, 97% had no AI access controls in place (IBM, 2025). The exposure isn't exotic; it's the absence of the basics.
In month two I do four things, in this order. First, stand up an allowlist: the sanctioned tools get real accounts with logging and SSO, so use becomes attributable — and that approved alternative goes live the same week you start fencing, not months later. Samsung learned this in the wrong order, banning first and building its in-house tool only after the leaks; flip that and you redirect the demand instead of pushing it back underground. Second, write a data-loss rule for the classes that matter most — customer PII, financials, anything regulated — so the worst paste never leaves the building. Third, require a human-in-the-loop checkpoint for any decision with legal or financial consequence; the model can draft, but a named person signs. Fourth, retire the tools with no path to compliance — and say so out loud, because a clear "no" is itself a control.
You're not chasing perfection here. You're turning every remaining use into one you can see, log, and stand behind.
Days 61–90: Formalize it
The last month makes it stick. A fence you rebuild every quarter is just a chore; governance is the version that survives staff turnover and a re-org. Formalizing means three durable things: a written policy people can actually follow, a named owner for each sanctioned tool (a person, not a team), and an immutable audit trail that records input, model, version, and the human who approved each consequential use.
Find → Fence → Formalize
The same spine I run on every engagement: see what's actually running, wrap controls around the uses that matter, then make it policy with a named human owner and a trail you can replay. Ninety days — not an eighteen-month program.
This is the difference between the organizations that pass and the ones that don't. 63% of breached organizations had no AI governance policy, or were still "developing" one (IBM, 2025). "Developing" is not a status an auditor accepts on inspection day.
Where most shadow-AI advice stops
Almost every shadow-AI playbook treats this as a security problem: detect the tools, block the risky ones, move on. That's necessary and it isn't enough — detection-and-blocking pushes the use onto a phone you can't see, trading a visible risk for an invisible one, and it never produces the thing an inspection asks for: evidence.
So I run the ninety days backwards from the auditor's question — prove who used what, on which data, and who approved it — instead of forwards from the firewall. That reorders everything. Find opens with amnesty, not enforcement, because enforcement-first drives use underground and you lose the inventory. Fence pairs every block with a sanctioned, logged alternative in the same week, so you redirect demand instead of denying it. Formalize means the immutable trail that lets you replay one decision months later — not a policy PDF nobody opens. Detection tells you what's running; only the evidence layer lets you pass.
The pushback you'll hear — and the answer
"This will kill productivity." Backwards — productivity is why the shadow AI is there. It's a demand signal: in a 2025 survey of healthcare staff, the top reasons for reaching past sanctioned tools were a faster workflow (45%) and better functionality than the approved option (24%) (Wolters Kluwer). Take the tool with no governed substitute and you don't get safety — you get the same use on a personal laptop. Give people a sanctioned option that's genuinely better, and the demand flows to where you can see it.
"Just ban it — we already have a policy." A policy nobody enforces is theatre, and "we're still developing one" describes a large share of the companies that just got breached (IBM, 2025). Prohibition doesn't remove the demand either — it moves it to a personal device you can't see. The ban-only version is the one that fails.
"Isn't inventorying everyone's AI just surveillance?" It's the opposite, and it has to be. You're not building a list of who to punish — you're building the register that lets people keep the tools that help, safely. Frame it as policing and the usage goes quiet; frame it as permission and it comes into the light. That's why the first pass runs on amnesty.
Why 90 days, and why now
The regulatory clock is the forcing function, and it's worth getting the dates right — I see good teams plan around the wrong one. Verified against primary sources:
- EU AI Act — transparency (Article 50): binding August 2, 2026. If a user interacts with AI, you disclose it. This one was not delayed.
- EU AI Act — high-risk (Annex III): December 2, 2027, moved back from the original 2026 date by the Digital Omnibus agreement. Penalties still reach €15M or 3% of global turnover — the deadline moving is room to build the evidence layer, not permission to skip it.
Shadow AI is the part of your estate with no evidence layer at all. That's why it's the place to start: ninety days from now, the thing that was invisible is inventoried, fenced, and on the record — which is exactly what an inspection asks you to show.
FAQ
- What actually counts as shadow AI?
- Any AI tool or model used for work without approval or oversight — from a public chatbot in a browser tab to an unsanctioned API key wired into a script. If nobody approved it and nothing logs it, it's shadow AI.
- Where do I start if there's no budget for this?
- With the logs you already have. Egress and proxy data shows traffic to known AI providers without buying anything, and a no-blame survey does the rest. The expensive path is the other one — a breach involving shadow AI runs about $670K over a normal one (IBM, 2025).
- How do I even find it if it is hidden?
- Start with egress and proxy logs for traffic to known AI providers, then a no-blame survey of teams. Amnesty on the first pass surfaces far more than enforcement. Prioritize anything touching customer PII or a regulated decision.
Shadow AI is the audit question arriving early: can you prove who used what, on which data, and who signed off? If you can't replay that for one real decision today, that's where the 90 days start — with the trail, not the model. The playbook on adopting AI without failing your next audit is the longer version of the same fight; shadow AI is only where the trail goes dark first.
One practical playbook every other week.
Automation, legacy modernization & safe AI adoption. Free: the AI-Adoption-Without-Audit-Failure checklist.