Shadow AI and the governed path

By Erika Fille T. Legara

IN 2023, Samsung learned a difficult lesson about generative AI. Engineers reportedly used ChatGPT to help debug code, optimize work, and summarize meeting content. The tools were useful, fast, and readily available, but some of the information entered into the system included sensitive company material. Once that information had been entered into an external AI system, Samsung could no longer treat it as fully within its control. The company later restricted the use of generative AI tools across parts of the organization while it worked on internal alternatives for tasks such as translation, summarization, and code assistance.

Earlier this year, I learned about another case involving a diplomat at a foreign ministry who used a public large language model to draft a cable — a formal message used to brief the home ministry on sensitive bilateral issues. A junior staff member caught it during a routine review, not because the content was inaccurate, but because it read as if it had barely been touched after being generated.

What unsettled the team was not simply that AI had been used. It was that sensitive national work had gone into a public system, and no one knew whether a paid subscription changed what the vendor could do with it. It was also apparent that the person using the tool had never been trained to understand the risks, the limits, or the right way to use generative AI in that setting — a separate problem, and one worth its own column.

They were very different organizations, but they had run into the same AI risk.

This is Shadow AI. It is what happens when people use AI tools without formal approval, visibility, risk review, or governance. That can mean public models, apps, agents, browser extensions, or AI features built into software they already use.

Employees use what gets the work done. They don’t wait for procurement. By the time legal or IT sees it, the habit is already baked in.

The term borrows from “Shadow IT,” the decades-old pattern of employees using unauthorized tools outside IT’s visibility. Shadow AI follows the same logic, but the risk profile is different. Shadow IT was a data location problem: someone used a personal cloud storage service instead of the company file server because it was faster. That was serious, but usually containable. You could audit it, block the domain, and migrate the files.

Shadow AI is harder to unwind. When someone pastes a contract, client e-mail, source code, board paper, employee record, or financial model into a public AI tool to get a quick summary, that data has already left the building. Vendor data retention policies are buried in terms of service that no one reads. Unlike a misplaced file, there is no straightforward way to retrieve what has already been submitted to an external system.

For Philippine companies, especially those handling customer data, regulated decisions, financial workflows, employee records, or cross-border vendors, the question is no longer whether AI has entered the organization. It almost certainly has. The question is whether management can see it.

Employees are not trying to circumvent governance. Most do not realize they are doing it. Many companies cannot see the tools being used, cannot classify the data being entered, and cannot tell which business processes now depend on AI. The reflex response is often a ban.

I’ve seen this many times, especially between 2024 and 2025. Block the URLs, restrict the downloads, issue a policy memo. In practice, bans without approved alternatives move the behavior out of sight without removing it.

The Samsung engineers were using a tool that helped them do their work inside a policy framework that had not yet caught up to the technology. The diplomat reached for what was available. Both needed a sanctioned alternative that was as fast and useful as the one they reached for. Neither had one.

The more dangerous version of this mistake is the reversal. One organization I advise had given staff access to a managed AI platform. At some point, leadership decided to turn it off. By then, AI had already become part of how people worked: workflows had been built around it, habits had formed, time had been saved. Cutting access did not undo any of that. It just removed the governed environment. Staff who had personal subscriptions continued on those. Staff who did not began improvising on free consumer tools with no data controls, no audit trail, and no visibility for the company. Leadership had created exactly the problem they thought they were solving. When you give people access to a capable tool and then take it away, you do not return to the baseline. You push them underground.

In another client discussion I observed recently, management reported that the company had not yet “rolled out AI.” The questions came quickly. Were employees using ChatGPT? AI meeting note-takers? AI features embedded in the CRM, HR platform, productivity suite, or financial tools? No one in the room could say no to all of it. They had not looked.

That last category — AI features embedded in existing platforms — is the one organizations most consistently miss. When a SaaS (Software as a Service) vendor enables a new AI feature, it does not always feel like a new technology deployment. A vendor updates its terms, ships a feature, and data starts flowing through a capability that procurement and legal may never have reviewed. The original contract may have been signed years ago. The addendum may sit unread. This is how customer data, employee records, and financial information can enter AI pipelines without a deliberate management decision. The company is running AI it does not know it’s running.

A useful early test is to ask management to produce a baseline inventory of approved AI tools, detected unapproved tools, AI features enabled by vendors in existing platforms, and AI use cases already known to the organization. Thirty days is a reasonable window, not because a full inventory is achievable in that time, but because the attempt itself is diagnostic.

Organizations with functioning IT governance and SaaS visibility tooling will produce a working draft. Organizations without that infrastructure will struggle to produce anything at all, and that gap is the first finding. Each entry should identify a business owner, a risk owner, the data involved, the vendor, and whether the use case touches customers, regulated decisions, or financial outcomes.

From inventory, a short usable policy follows. It can be as brief as five questions answered in plain language: Which tools may I use? What data may I enter? Which uses require review before I proceed? When must a human verify the output? How do I get a new tool approved?

Employees do not need 50 pages. They need rules they can remember on a Tuesday afternoon when a deadline is two hours away.

The fast approval path matters as much as the policy itself. Shadow AI grows when the official channel is slower than the workaround. A risk-tiered structure — pre-approved categories for low-risk uses, standard review for internal data and customer workflows, documented sign-off for employment, legal, pricing, or safety-critical decisions — works only if the low-risk track is genuinely fast. That is harder than it sounds. Legal, InfoSec, and vendor review queues move at their own pace, and AI governance does not automatically jump the line. The tiering has to be designed around those bottlenecks, not assume they will clear. If the pre-approved track still routes through a three-month procurement queue, the policy has a fast lane in name only, and Shadow AI remains the path of least resistance.

For boards, the near-term ask should be narrow: a working AI inventory, a short policy that employees can actually understand, a tiered approval process, and quarterly reporting on a few practical indicators. These may include detected unapproved tools, adoption of approved tools, vendor AI features enabled in existing platforms, pending AI use-case reviews, and incidents involving sensitive data uploads.

The goal is not to stop employees from using AI. That is neither realistic nor desirable. The goal is to make the governed path the obvious one.

The organizations that get this right will not be the ones that ban the fastest. They will be the ones that built a sanctioned environment before improvisation filled the gap, and kept it useful enough that employees had no reason to go elsewhere.

Erika Fille T. Legara, Ph.D. is a physicist, educator, and data science and AI practitioner working across government, academia, and industry. She is the inaugural Managing Director and Chief AI and Data Officer of the Education Center for AI Research, and an associate professor and Aboitiz Chair in Data Science at the Asian Institute of Management. She serves on corporate boards, is a fellow of the Institute of Corporate Directors, an IAPP Certified AI Governance Professional, and a co-founder of CorteX Innovations, Corp.