# Shadow AI Is Already in Your Org: a 90-day containment plan

> What to find, what to fence off, and what to formalize — before unsanctioned AI shows up as an audit finding.

**Author:** André Queiroz (dezotech) · **Published:** 2026-06-01
**Source:** https://dezotech.com/en/insights/shadow-ai-90-day-containment-plan

---

Every shop I walk into is already running AI it doesn't know about — not the
sanctioned copilot with a procurement trail, but the side tab, the personal
account, the API key someone wired into a script over a weekend. By the time
I'm called in, that invisible use has usually already surfaced — in an incident,
or worse, in an audit finding. The pattern never changes: the AI you can't see
is the AI that fails the audit.

<PullStat value="1 in 5" caption="organizations now report a breach traced to shadow AI — unsanctioned tools used without oversight (IBM, 2025). The ones running it pay about $670K more per breach." />

This isn't a hypothetical. In 2023, Samsung gave its chip engineers access to
ChatGPT; within about twenty days, staff had pasted proprietary semiconductor
source code and the transcript of a confidential internal meeting into the prompt
box — three separate leaks, all from people just trying to work faster. What
Samsung did next is the part worth copying: it didn't only ban the tool, it stood
up a sanctioned in-house alternative, so the productivity didn't walk out the door
alongside the risk.

The model was never the problem. You can't see the use — and what you can't see,
you can't govern, log, or prove when someone asks for it. Surveys put unsanctioned
AI at roughly half the workforce, but the exact figure barely matters next to that.
Banning it just pushes the use one tab deeper into the dark; a trail is what works.
Here's the 90-day plan I run when a team realizes shadow AI is already inside the
building: find it, fence it, formalize it.

## Days 1–30: Find it

You can't contain what you haven't named. The first month is pure discovery, and
the goal is an honest inventory — not a witch hunt. The moment people think the
survey is about blame, the real usage goes quiet and you've made the problem
harder to see.

<Checklist heading="Days 1–30 — Find it" items={[
  'Pull egress and proxy logs for traffic to known AI providers — not just the obvious chatbot.',
  'Run a no-blame survey of every team — amnesty surfaces more than enforcement on the first pass.',
  'Flag the high-consequence uses first: anything touching customer PII, credit, or a regulated decision.',
  'Assume exposure until proven otherwise — 65% of shadow-AI breaches hit customer PII (IBM, 2025).',
  'Record every tool in one register a named human owns — not a wiki nobody reads.'
]} />
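
One way to run the first checklist item, as an added example that is not part of the original article: build the register's first draft from proxy logs, separating chat UIs from API endpoints so scripted use with a wired-in key shows up too. The domain list is an illustrative starter set, and the log lines, usernames and addresses are constructed samples in Squid's native access.log layout.

```python
from collections import defaultdict

# Illustrative starter list (an assumption, not exhaustive); "api" entries catch
# scripts with a wired-in key, not just the browser chatbot.
AI_DOMAINS = {
    "chatgpt.com": "chat-ui", "claude.ai": "chat-ui", "gemini.google.com": "chat-ui",
    "api.openai.com": "api", "api.anthropic.com": "api",
    "generativelanguage.googleapis.com": "api",
}

# Constructed sample in Squid's native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1767261600.101 210 10.0.4.17 TCP_TUNNEL/200 48211 CONNECT chatgpt.com:443 mlopes HIER_DIRECT/203.0.113.10 -
1767261655.420 180 10.0.4.17 TCP_TUNNEL/200 1200 CONNECT chatgpt.com:443 mlopes HIER_DIRECT/203.0.113.10 -
1767265200.007 95 10.0.9.30 TCP_TUNNEL/200 9050 CONNECT api.openai.com:443 - HIER_DIRECT/203.0.113.20 -
1767265300.330 12 10.0.4.22 TCP_MISS/200 532 GET http://intranet.example.internal/wiki jsilva HIER_DIRECT/10.0.0.5 text/html
1767268800.900 240 10.0.4.22 TCP_TUNNEL/200 7000 CONNECT claude.ai:443 jsilva HIER_DIRECT/203.0.113.30 -
"""

def host_of(url):
    """Hostname from a CONNECT target (host:port) or a full URL."""
    if "://" in url:
        url = url.split("://", 1)[1]
    return url.split("/", 1)[0].rsplit(":", 1)[0].lower()

def classify(host):
    """Match the host or any parent domain against AI_DOMAINS."""
    parts = host.split(".")
    for i in range(len(parts) - 1):
        name = ".".join(parts[i:])
        if name in AI_DOMAINS:
            return name, AI_DOMAINS[name]
    return None

def build_register(log_text):
    """Aggregate AI-provider traffic per (user or client IP, provider)."""
    register = defaultdict(lambda: {"kind": "", "requests": 0, "bytes": 0})
    for line in log_text.splitlines():
        f = line.split()
        hit = classify(host_of(f[6])) if len(f) >= 8 and f[4].isdigit() else None
        if hit is None:
            continue  # malformed line or not an AI provider
        who = f[7] if f[7] != "-" else f[2]  # no proxy auth: fall back to client IP
        row = register[(who, hit[0])]
        row["kind"] = hit[1]
        row["requests"] += 1
        row["bytes"] += int(f[4])
    return dict(register)
```

Rows keyed by a bare client IP with kind `api` are the ones to chase first: that is usually a server or script, not a person in a browser tab.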

By day 30 you should be able to say — without a week of digging — exactly what
AI is running against your data and who's running it. Most teams have never been able
to say that. That sentence alone is most of the audit.

## Days 31–60: Fence it

Now you put up fences. Not the final policy — provisional guardrails that convert
invisible use into visible, logged use while you design the permanent version.
This is the gap that bites: among compromised organizations, **97% had no AI
access controls in place** (IBM, 2025). The exposure isn't exotic; it's the
absence of the basics.

In month two I do four things, in this order. First, stand up an allowlist: the
sanctioned tools get real accounts with logging and SSO, so use becomes
attributable — and that approved alternative goes live the same week you start
fencing, not months later. Samsung learned this in the wrong order, banning first
and building its in-house tool only after the leaks; flip that and you redirect
the demand instead of pushing it back underground. Second, write a data-loss rule
for the classes that matter most —
customer PII, financials, anything regulated — so the worst paste never leaves
the building. Third, require a human-in-the-loop checkpoint for any decision with
legal or financial consequence; the model can draft, but a named person signs.
Fourth, retire the tools with no path to compliance — and say so out loud, because
a clear "no" is itself a control.

You're not chasing perfection here. You're turning every remaining use into one
you can see, log, and stand behind.

## Days 61–90: Formalize it

The last month makes it stick. A fence you rebuild every quarter is just a chore;
governance is the version that survives staff turnover and a re-org. Formalizing
means three durable things: a written
policy people can actually follow, a named owner for each sanctioned tool (a
person, not a team), and an [immutable audit trail](/en/insights/ai-audit-trail-capture-seal-replay) that
records input, model, version, and the human who approved each consequential use.
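
A sketch of what such a trail can look like, as an added example that is not from the original article or the linked one: each entry records the input digest, model, version and approver, and is sealed with a hash that also covers the previous entry's seal. Hash chaining is an assumption here (the article does not name a mechanism), and the field names, model name and approvers are hypothetical.

```python
import hashlib
import json

GENESIS = "0" * 64  # "prev" value of the first entry

def _seal(body):
    """SHA-256 over a canonical JSON encoding of the entry body."""
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def append_entry(trail, *, prompt, model, version, approver, ts):
    """Append one consequential use; each entry commits to the one before it."""
    if not approver:
        raise ValueError("a consequential use needs a named approver")
    body = {
        "ts": ts, "model": model, "version": version, "approver": approver,
        # Assumption: the log keeps a digest; the input itself is stored elsewhere.
        "input_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
        "prev": trail[-1]["seal"] if trail else GENESIS,
    }
    trail.append({**body, "seal": _seal(body)})
    return trail[-1]

def verify(trail):
    """Return the index of the first broken entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "seal"}
        if body.get("prev") != prev or _seal(body) != entry.get("seal"):
            return i
        prev = entry["seal"]
    return -1

def demo():
    """Build a two-entry trail (constructed data), then edit history and re-verify."""
    trail = []
    append_entry(trail, prompt="Draft credit decision for case 1 (constructed)",
                 model="example-model", version="v1", approver="a.souza",
                 ts="2026-03-02T10:15:00Z")
    append_entry(trail, prompt="Draft credit decision for case 2 (constructed)",
                 model="example-model", version="v1", approver="r.lima",
                 ts="2026-03-02T11:40:00Z")
    before = verify(trail)
    trail[0]["approver"] = "someone.else"  # after-the-fact edit
    return before, verify(trail)
```

A chain like this is tamper-evident, not tamper-proof: the latest seal has to be anchored somewhere the log's writers cannot rewrite (write-once storage, for example), or the whole chain can be recomputed.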

<Callout heading="Find → Fence → Formalize">
The same spine I run on every engagement: see what's actually running, wrap
controls around the uses that matter, then make it policy with a named human
owner and a trail you can replay. Ninety days — not an eighteen-month program.
</Callout>

This is the difference between the organizations that pass and the ones that
don't. **63% of breached organizations had no AI governance policy, or were still
"developing" one** (IBM, 2025). "Developing" is not a status an auditor accepts on
inspection day.

## Where most shadow-AI advice stops

Almost every shadow-AI playbook treats this as a security problem: detect the
tools, block the risky ones, move on. That's necessary and it isn't enough —
detection-and-blocking pushes the use onto a phone you can't see, trading a
visible risk for an invisible one, and it never produces the thing an inspection
asks for: evidence.

So I run the ninety days *backwards* from the auditor's question — prove who used
what, on which data, and who approved it — instead of forwards from the firewall.
That reorders everything. Find opens with amnesty, not enforcement, because
enforcement-first drives use underground and you lose the inventory. Fence pairs
every block with a sanctioned, logged alternative in the same week, so you
redirect demand instead of denying it. Formalize means the immutable trail that
lets you replay one decision months later — not a policy PDF nobody opens.
Detection tells you what's running; only the evidence layer lets you pass.

## The pushback you'll hear — and the answer

**"This will kill productivity."** Backwards — productivity is *why* the shadow AI is
there. It's a demand signal: in a 2025 survey of healthcare staff, the top reasons for
reaching past sanctioned tools were a faster workflow (45%) and better functionality
than the approved option (24%) (Wolters Kluwer). Take the tool away with no governed
substitute and you don't get safety — you get the same use on a personal laptop. Give
people a sanctioned option that's genuinely better, and the demand flows to where you
can see it.

**"Just ban it — we already have a policy."** A policy nobody enforces is theatre, and
"we're still developing one" describes a large share of the companies that just got
breached (IBM, 2025). Prohibition doesn't remove the demand either — it moves it to a
personal device you can't see. The ban-only version is the one that fails.

**"Isn't inventorying everyone's AI just surveillance?"** It's the opposite, and it
has to be. You're not building a list of who to punish — you're building the register
that lets people keep the tools that help, safely. Frame it as policing and the usage
goes quiet; frame it as permission and it comes into the light. That's why the first
pass runs on amnesty.

## Why 90 days, and why now

The regulatory clock is the forcing function, and it's worth getting the dates
right — I see good teams plan around the wrong one. Verified against primary
sources:

- **EU AI Act — transparency (Article 50):** binding **August 2, 2026.** If a
  user interacts with AI, you disclose it. This one was not delayed.
- **EU AI Act — high-risk (Annex III):** **December 2, 2027**, moved back from
  the original 2026 date by the Digital Omnibus agreement. Penalties still reach
  **€15M or 3% of global turnover** — the deadline moving is room to build the
  evidence layer, not permission to skip it.

Shadow AI is the part of your estate with no evidence layer at all. That's why
it's the place to start: ninety days from now, the thing that was invisible is
inventoried, fenced, and on the record — which is exactly what an inspection asks
you to show.

## FAQ

<FAQ items={[
  {
    q: 'What actually counts as shadow AI?',
    a: "Any AI tool or model used for work without approval or oversight — from a public chatbot in a browser tab to an unsanctioned API key wired into a script. If nobody approved it and nothing logs it, it's shadow AI."
  },
  {
    q: "Where do I start if there's no budget for this?",
    a: 'With the logs you already have. Egress and proxy data shows traffic to known AI providers without buying anything, and a no-blame survey does the rest. The expensive path is the other one — a breach involving shadow AI runs about $670K over a normal one (IBM, 2025).'
  },
  {
    q: 'How do I even find it if it is hidden?',
    a: 'Start with egress and proxy logs for traffic to known AI providers, then a no-blame survey of teams. Amnesty on the first pass surfaces far more than enforcement. Prioritize anything touching customer PII or a regulated decision.'
  }
]} />

Shadow AI is the audit question arriving early: can you prove who used what, on
which data, and who signed off? If you can't replay that for one real decision
today, that's where the 90 days start — with the trail, not the model. [The
playbook on adopting AI without failing your next audit](/en/insights/adopt-ai-without-failing-your-next-audit)
is the longer version of the same fight; shadow AI is only where the trail goes
dark first.
