Article | 28. May 2026
Shadow AI in the workplace
Risks, causes and what really helps
Shadow IT has long been an issue relating to software licences and personal USB sticks. Since 2023, it has taken on a new dimension: employees are using personal AI accounts for work tasks. ChatGPT, Claude, Gemini and Copilot via personal Microsoft accounts. Draft contracts, patient data, design documents and personnel files end up in services over which the company has no control.
According to the Bitkom AI Study 2025, 25% of German companies with 20 or more employees report active use of personal AI tools in day-to-day work. The actual figure is likely higher; nobody voluntarily reports what they use in secret.
Reading time: approx. 9 minutes | Last updated: May 2026
What sets shadow AI apart from traditional shadow IT #
Traditional shadow IT (an unauthorised SaaS tool, a private Dropbox account) was a data transfer issue. The damage was limited: data was moved or copied, but not analysed.
Shadow AI is a disclosure issue on a whole new scale.
Prompts are compressed trade secrets. A single query to a cloud AI can reveal more about ongoing projects, strategies and internal structures than months of monitoring internet traffic. The prompt contains context: which contractual partners are currently negotiating, which project is at what stage, and which vulnerability needs to be fixed in which product. The response contains the company’s reaction to this.
Training data risk is real, but not the biggest problem. Well-known services generally do not use company-generated prompts to train their models, at least according to their terms and conditions, and at least when corporate accounts with the appropriate settings are used. The real problem lies elsewhere: the data is stored on servers subject to the US CLOUD Act and FISA 702. US authorities can access data held by US companies worldwide, regardless of the server’s location and without the company being informed.
The EU AI Act imposes documentation requirements. Companies must be able to demonstrate which AI systems they use, what data is processed there, and how risks are managed. Shadow AI usage is, by definition, undocumented and therefore unverifiable. This is not a theoretical compliance risk, but a tangible problem during audits.
Why bans don’t work #
The intuitive reaction to shadow AI is a ban. ChatGPT blocked, private accounts prohibited, training on ‘AI use is prohibited’ for all employees. The result is predictable.
Firstly: Employees who are familiar with productive AI tools and use them daily will continue to do so, more cautiously, but no less frequently. Use goes underground, and the willingness to report incidents drops to almost zero.
Secondly: Companies that fail to provide their employees with a vetted AI alternative miss the opportunity to build a productivity advantage internally. According to McKinsey (Superagency in the Workplace, 2025), regular AI users save an average of around 5.4% of their weekly working hours. Those who do not utilise these hours internally will watch as competitors do so.
Thirdly: bans without alternatives merely shift the problem; they do not solve it. The CISO of a medium-sized pharmaceutical company signs a ChatGPT ban, and two weeks later the same thing is running via perplexity.ai, which nobody had on their radar.
The root cause: no verified solution for sensitive data #
Shadow AI does not arise from malice, but from pragmatism. Employees have a real task, an effective tool, and no approved alternative for it. They opt for the tool.
The question compliance officers must ask is not: “How do we ban shadow AI?” but rather: “For which data classes have we not yet provided a verified AI solution?”
In most companies, there are three categories:
Non-critical data and general tasks. Translations, summaries of public texts, image and video editing, general research. Here, cloud-based AI is often the better choice. Many companies already have a solution for this category (Microsoft 365 Copilot, an approved ChatGPT enterprise account) or could set one up.
Internal, non-regulated company data, internal wiki content, process documentation, meeting notes, non-regulated projects. A verified solution is often lacking for this category. Cloud-based AI would be too risky, and a proprietary system has not yet been established.
Sensitive, regulated or confidential data. Contract documents, personnel files, patient data, design data, financial data under /BaFin supervision, regulatory proceedings. Cloud AI is structurally unsuitable here. A locally operated RAG solution is the only architecture that enables compliance.
What actually helps #
Step 1: Define data classes, do not ban AI tools. Create a classification specifying which data may be processed in which AI systems. Class A (public, non-critical) can be processed in cloud AI; Class B (internal, unregulated) only in approved internal systems; Class C (confidential, regulated) exclusively in a locally operated solution.
Step 2: Provide an approved alternative for each class. A ban without an alternative for Classes B and C is ineffective. Rolling out a local AI solution for sensitive data gives employees a legal and productive option, and makes shadow AI structurally less attractive for this data.
Step 3: Complete the processing register and AI policy.
Overview of hidden AI risks #
| Risk | Description | Affected |
|---|---|---|
| Data leaks via prompts | Confidential content in cloud AI prompts | All |
| US CLOUD Act / FISA 702 | US authorities can access data held by US companies | All using US AI providers |
| EU AI Act documentation gap | Undocumented AI use cannot be verified | All |
| GDPR breach | Personal data transferred to third countries without a legal basis | All |
| DORA breach | Unauthorised third-party ICT providers in the financial sector | Financial sector |
| NIS2/KRITIS | Uncontrolled IT components in critical processes | Critical infrastructure |
| Reputational damage | Data breaches resulting from AI use becoming public knowledge | All |
Frequently asked questions #
Can I technically prevent shadow AI use? Not entirely. Employees with mobile devices or personal computers can still use private AI whilst working from home. Network blocks on company devices lower the threshold, but do not eliminate the problem. The only effective strategy is the verified alternative.
Does the EU AI Act also apply to shadow AI use? Yes. Companies are liable for their employees’ use of AI, even if it takes place without authorisation. Responsibility for an AI system lies with the operator, not the end user.
How can I tell if shadow AI is being used in my company? Network monitoring can reveal known AI services. Anonymised employee surveys provide more reliable figures. Indirect indicators: employees suddenly becoming more productive for no apparent reason, documents containing AI-typical phrasing, unusual access patterns to company files.
What about Microsoft Copilot – isn’t that a solution? Copilot is an option for Microsoft data, but with two caveats: firstly, Copilot is also subject to the US CLOUD Act. Secondly, Copilot only respects authorisation structures to a limited extent, a well-known problem in corporate environments with poorly maintained SharePoint permissions. For regulated data and full enforcement of permissions, a locally operated solution is required.
Conclusion #
Shadow AI cannot be solved by bans. Nor can it be completely eliminated; as long as cloud AI is legitimate and useful for general tasks, employees will use it. The task for compliance and IT managers is a different one: to define clear data classes, provide a verified alternative for each class, and document usage.
For sensitive, regulated and confidential data, a locally operated RAG solution is the only architecture that enables both compliance and productivity.
DORA
DORA (Digital Operational Resilience Act, EU 2022/2554) is an EU regulation that has applied to all regulated financial market participants since January 2025, setting concrete requirements for ICT risk management, backup systems (Art. 11 and 12), third-party provider management (Art. 28–30) and incident reporting.