There is a digital transformation happening at your company that never went through a board meeting, has no approved budget and shows up in no IT report. It's called Shadow AI: the informal, unauthorised, invisible use of artificial intelligence tools by employees — in a personal browser, on a phone, in a free account created with a home email address. And if you think it isn't happening in your organisation, that's probably exactly where it's happening most.
The international numbers are consistent: in recent surveys, more than half of office professionals admit to using generative AI tools at work, and most do so without the company's knowledge. The pattern repeats in every market — we see it every week across clients in all sectors. The question is no longer whether AI has entered your company. It's through which door — and what it took with it.
What Shadow AI is — and why it exploded now
The phenomenon isn't new. We called it Shadow IT when it was USB sticks, personal Dropbox accounts and Excel sheets replicating entire systems outside IT's sight. The difference is scale and speed: a generative AI tool needs no installation, no credit card, and it solves real day-to-day problems in seconds — summarising a report, drafting a difficult email, analysing a table, translating a proposal.

The explosion has a simple explanation: the demand for individual productivity grew faster than the supply of corporate tools. When the company takes 18 months to decide an AI strategy, the employee decides in 18 seconds. And they do it with good intentions: they want to deliver more and better. The problem isn't the motivation — it's the circuit.
Banning doesn't work (and the data proves it)
The first reaction of many organisations was to block: close access to AI sites on the corporate network, forbid by internal policy, threaten disciplinary action. The result was predictable to anyone who understands organisational behaviour: usage didn't disappear — it moved to personal phones, where the company sees absolutely nothing.
When you ban a tool that makes people more productive, you don't eliminate the usage — you eliminate the visibility of the usage. The risk stays; the control disappears.
This is the central paradox of Shadow AI: pure prohibition policies produce exactly the scenario they were meant to avoid. Employees keep pasting text into external tools; the company loses the ability to know who, when, with which data. It's governance in the dark.
The real risk isn't the tools — it's the data
It's worth being precise about what's at stake. The risk of Shadow AI is rarely the tool itself; it's what gets put into it. Three categories deserve immediate attention:
- Personal data of customers and employees — pasting a client list or a contract into an external service without a framework is, in practice, a data transfer with no legal basis. Under GDPR, the fine doesn't care that it was "just for a summary".
- Business secrets — commercial proposals, pricing, source code, strategy. On free accounts, many services reserve the right to use your data to train models.
- Untraceable decisions — when the analysis behind a business decision was produced by a tool nobody validated, with data nobody checked, the company loses the chain of trust over its own numbers.
Note what is not on this list: individual productivity. That's the good part — and it's precisely because real value exists that the phenomenon is unstoppable.
A concrete case: what we found at a 120-person SME
In a recent assessment at a services company (120 employees), the initial survey of "official" AI showed: zero approved tools, zero paid licences. The real survey — anonymous questionnaire plus network traffic analysis — told a different story: 61% of employees used generative AI at least once a week, spread across 14 different tools; 9% admitted having pasted customer data; and the heaviest-using departments were precisely the ones handling the most sensitive information — sales and finance.
The cost of regularising after mapping? Under €40 per user/year on a corporate solution with contractual data protection. The potential cost of a GDPR fine for unlawful transfer of personal data? Up to 4% of annual revenue. The maths does itself — and we haven't even counted the value of bringing that productivity back into a visible circuit.
Governing without braking: the five-step playbook
The mature answer to Shadow AI is neither blocking nor laissez-faire — it's proportional governance. What we recommend, and implement, follows five steps:
- Map without punishing. Anonymous survey + open conversation. The goal is visibility, not a witch hunt. If people fear consequences, the map comes out false.
- Classify the data, not the tools. The right question isn't "which tool is allowed?" but "which data may leave, and to where?". A simple matrix (public / internal / confidential / personal data) resolves 80% of day-to-day doubts.
- Approve a minimal catalogue. One or two corporate tools, with a contract, data protection and company login — at least as good as the ones people already use. The official alternative has to be better than the shadow, or the shadow continues.
- Train for usage, not just for risk. Training that only says "be careful" fails. Training that works teaches people to get value: how to write good prompts, how to validate results, what never to paste.
- Measure and adjust. Usage, success stories, incidents avoided. AI governance is not a document — it's a living process, reviewed every quarter.
From shadow to competitive advantage
There is an optimistic reading of this phenomenon that few boards make: Shadow AI is the largest free internal market study your company will ever get. Every informal use is an employee saying "this process is slow and I found a way to speed it up". Where there is shadow, there is proven demand — and proven demand is gold when deciding where to invest first.
Organisations that treat informal users as pioneers to integrate (rather than offenders to punish) win twice: they regain control of the risk, and they end up with a field-validated map of where AI generates immediate value. It's the difference between an AI strategy designed in PowerPoint and one designed by reality.
In short
- Shadow AI already exists in your company — the only choice is between seeing it or not seeing it.
- Banning eliminates visibility, not usage; the risk stays and the control disappears.
- The critical risk is in the data (GDPR, business secrets), not in the tools.
- The answer is proportional: map, classify data, approved catalogue, practical training, continuous measurement.
- Every informal use is proven demand — a free map of where AI creates value first.
Now what?
The AI Act may have bought time until 2027, but Shadow AI doesn't wait for regulatory calendars: it's happening today, at lunchtime, on someone's phone in your team. The good news is the path is tested — visibility, proportional rules, and official tools better than the shadow ones.
At bConcepts we help companies walk exactly this path: from assessing real usage to governance and team enablement. The question we leave you with is simple: if you ran an anonymous survey at your company today, how much Shadow AI would you uncover — and would you rather find out now, or after the first incident?