# Shadow AI Is Already in Your Org: a 90-day containment plan

> What to find, what to fence off, and what to formalize — before unsanctioned AI shows up as an audit finding.

**Author:** André Queiroz (dezotech) · **Published:** 2026-06-01
**Source:** https://dezotech.com/en/insights/shadow-ai-90-day-containment-plan

---

Every shop I walk into is already running AI it doesn't know about — not the
sanctioned copilot with a procurement trail, but the side tab, the personal
account, the API key someone wired into a script over a weekend. By the time
I'm called in, that invisible use has usually already surfaced — in an incident,
or worse, in an audit finding. The pattern never changes: the AI you can't see
is the AI that fails the audit.

<PullStat value="1 in 5" caption="organizations now report a breach traced to shadow AI — unsanctioned tools used without oversight (IBM, 2025). The ones with the heaviest shadow-AI use pay about $670K more per breach." />

This isn't a hypothetical. In 2023, Samsung gave its chip engineers access to
ChatGPT; within about twenty days, staff had pasted proprietary semiconductor
source code and the transcript of a confidential internal meeting into the prompt
box — three separate leaks, all from people just trying to work faster. What
Samsung did next is the part worth copying: it didn't only ban the tool, it stood
up a sanctioned in-house alternative, so the productivity didn't walk out the door
alongside the risk.

The model was never the problem. You can't see the use — and what you can't see,
you can't govern, log, or prove when someone asks for it. Surveys put unsanctioned
AI at roughly half the workforce, but the exact figure barely matters next to that.
Banning it just pushes the use one tab deeper into the dark; a trail is what works.
Here's the 90-day plan I run when a team realizes shadow AI is already inside the
building: find it, fence it, formalize it.

## Days 1–30: Find it

You can't contain what you haven't named. The first month is pure discovery, and
the goal is an honest inventory — not a witch hunt. The moment people think the
survey is about blame, the real usage goes quiet and you've made the problem
harder to see.

<Checklist heading="Days 1–30 — Find it" items={[
  'Pull egress and proxy logs for traffic to known AI providers — not just the obvious chatbot.',
  'Run a no-blame survey of every team — amnesty surfaces more than enforcement on the first pass.',
  'Flag the high-consequence uses first: anything touching customer PII, credit, or a regulated decision.',
  'Assume exposure until proven otherwise — 65% of shadow-AI breaches hit customer PII (IBM, 2025).',
  'Record every tool in one register a named human owns — not a wiki nobody reads.'
]} />

By day 30 you should be able to say — without a week of digging — exactly what
AI is running against your data and who's running it. Most teams have never been able
to say that. That sentence alone is most of the audit.

<InlineCTA href="/en/contact" cta="Map your exposure in 30 min" heading="Not sure what's already running?">
Bring one team and one real workflow. In 30 minutes I'll show you where your
shadow AI is and which uses would fail an inspection — no slides, no pitch.
</InlineCTA>

## Days 31–60: Fence it

Now you put up fences. Not the final policy — provisional guardrails that convert
invisible use into visible, logged use while you design the permanent version.
This is the gap that bites: among the organizations that were breached *through
their AI*, **97% lacked proper AI access controls** (IBM, 2025). The exposure
isn't exotic; it's the absence of the basics.

In month two I do four things, in this order. First, stand up an allowlist: the
sanctioned tools get real accounts with logging and SSO, so use becomes
attributable — and that approved alternative goes live the same week you start
fencing, not months later. Samsung learned this in the wrong order, banning first
and building its in-house tool only after the leaks; flip that and you redirect
the demand instead of pushing it back underground. Second, write a data-loss rule
for the classes that matter most —
customer PII, financials, anything regulated — so the worst paste never leaves
the building. Third, require a human-in-the-loop checkpoint for any decision with
legal or financial consequence; the model can draft, but a named person signs.
Fourth, retire the tools with no path to compliance — and say so out loud, because
a clear "no" is itself a control.

You're not chasing perfection here. You're turning every remaining use into one
you can see, log, and stand behind.

## Days 61–90: Formalize it

The last month makes it stick. A fence you rebuild every quarter is just a chore;
governance is the version that survives staff turnover and a re-org. Formalizing
means three durable things: a written
policy people can actually follow, a named owner for each sanctioned tool (a
person, not a team), and an [immutable audit trail](/en/insights/ai-audit-trail-capture-seal-replay) that
records input, model, version, and the human who approved each consequential use.

<Callout heading="Find → Fence → Formalize">
The same spine I run on every engagement: see what's actually running, wrap
controls around the uses that matter, then make it policy with a named human
owner and a trail you can replay. Ninety days — not an eighteen-month program.
</Callout>

This is the difference between the organizations that pass and the ones that
don't. **63% of breached organizations had no AI governance policy, or were still
"developing" one** (IBM, 2025). "Developing" is not a status an auditor accepts on
inspection day.

## Where most shadow-AI advice stops

Almost every shadow-AI playbook treats this as a security problem: detect the
tools, block the risky ones, move on. That's necessary and it isn't enough —
detection-and-blocking pushes the use onto a phone you can't see, trading a
visible risk for an invisible one, and it never produces the thing an inspection
asks for: evidence.

So I run the ninety days *backwards* from the auditor's question — prove who used
what, on which data, and who approved it — instead of forwards from the firewall.
That reorders everything. Find opens with amnesty, not enforcement, because
enforcement-first drives use underground and you lose the inventory. Fence pairs
every block with a sanctioned, logged alternative in the same week, so you
redirect demand instead of denying it. Formalize means the immutable trail that
lets you replay one decision months later — not a policy PDF nobody opens.
Detection tells you what's running; only the evidence layer lets you pass.

## The pushback you'll hear — and the answer

**"This will kill productivity."** Backwards — productivity is *why* the shadow AI is
there. It's a demand signal: in a 2025 Wolters Kluwer survey of healthcare staff, 45%
of clinicians reached past sanctioned tools for a faster workflow, and 27% for better
functionality or no approved option at all — administrators ran higher on both. (Wolters Kluwer sells clinical AI, so weigh the source — but the demand
pattern matches what I see in every sector.) Take away the tool with no governed
substitute and you don't get safety; you get the same demand, now invisible. Give
people a sanctioned option that's genuinely better, and it flows to where you can see
it.

**"Just ban it — we already have a policy."** A policy nobody enforces is theatre, and
"we're still developing one" describes a large share of the companies that just got
breached (IBM, 2025). Prohibition doesn't remove the demand; it just hides it. The
ban-only version is the one that fails.

**"Isn't inventorying everyone's AI just surveillance?"** It's the opposite, and it
has to be. You're not building a list of who to punish — you're building the register
that lets people keep the tools that help, safely. Frame it as policing and the usage
goes quiet; frame it as permission and it comes into the light. That's why the first
pass runs on amnesty.

## Why 90 days, and why now

The regulatory clock is the forcing function, and it's worth getting the dates
right — I see good teams plan around the wrong one. As of mid-2026, here's where
they actually stand:

- **EU AI Act — transparency (Article 50):** binding **August 2, 2026** — you
  disclose when someone's interacting with AI, and you mark AI-generated
  synthetic content (Art 50(2)). The Digital Omnibus may hand systems already
  in market a short grace period on the marking duty (to December 2, 2026), but
  only if it's adopted — so plan for August.
- **EU AI Act — high-risk (Annex III):** the Digital Omnibus — a provisional
  political agreement from May 2026, **not yet formally adopted** — would move
  the high-risk obligations from **August 2, 2026** to **December 2, 2027.** Plan
  for the August date until that adoption is real: if the Omnibus goes through
  you've gained runway; if it stalls, you're already compliant. Either way the
  penalty ceiling is unchanged — **€15M or 3% of global turnover** — so this is
  room to build the evidence layer, not permission to skip it.

Shadow AI is the part of your estate with no evidence layer at all. That's why
it's the place to start: ninety days from now, the thing that was invisible is
inventoried, fenced, and on the record — which is exactly what an inspection asks
you to show.

## FAQ

<FAQ items={[
  {
    q: 'What actually counts as shadow AI?',
    a: "Any AI tool or model used for work without approval or oversight — from a public chatbot in a browser tab to an unsanctioned API key wired into a script. If nobody approved it and nothing logs it, it's shadow AI."
  },
  {
    q: "Where do I start if there's no budget for this?",
    a: 'With the logs you already have. Egress and proxy data shows traffic to known AI providers without buying anything, and a no-blame survey does the rest. The expensive path is the other one — a breach at an org heavy on shadow AI runs about $670K over one without (IBM, 2025).'
  },
  {
    q: 'How do I even find it if it is hidden?',
    a: 'Start with egress and proxy logs for traffic to known AI providers, then a no-blame survey of teams. Amnesty on the first pass surfaces far more than enforcement. Prioritize anything touching customer PII or a regulated decision.'
  }
]} />

Shadow AI is the audit question arriving early: can you prove who used what, on
which data, and who signed off? If you can't replay that for one real decision
today, that's where the 90 days start — with the trail, not the model. [The
playbook on adopting AI without failing your next audit](/en/insights/adopt-ai-without-failing-your-next-audit)
is the longer version of the same fight; shadow AI is only where the trail goes
dark first.
