Shadow AI

1. What is shadow AI? #

Shadow AI is the use of AI tools in a work context that is not approved by official IT, not covered contractually, and not recorded in a register of processing activities. It takes three forms that often overlap:

Private accounts at work. An employee uses a personal ChatGPT, Claude, or Gemini account to solve a work task. The provider sees the prompt content, the use runs under a private email address, and the organization has neither a contract nor any visibility into it.

Bring-your-own-LLM. A department procures an AI tool on its own: a marketing suite with an AI feature, a coding assistant for developers, a translation tool with an attached AI. The procurement bypasses IT, and terms of service are accepted without review.

Out-of-scope cloud AI. AI assistants built into office and workspace suites are officially procured, but they are used for data classes they were not approved for, such as personnel files, strategy papers, or patient data.

Shadow AI differs from classic shadow IT in one decisive respect. With shadow IT, a data set travels to an uncontrolled location. With shadow AI, data flows into a learning or context-dependent system whose inner workings are opaque to outsiders, and whose outputs sound so plausible that recipients take them for verified facts.

2. How widespread is shadow AI? #

Solid figures have been available since 2025.

According to the Bitkom study ​“AI in the German economy” (September 2025, a representative survey of 604 companies in Germany with 20 or more employees), private AI use at work is widespread in 8% of companies (2024: 4%) and occurs in isolated cases in a further 17% (2024: 13%). Together: one in four German companies has active shadow AI, and the trend is clearly upward. These figures describe the German market; the underlying dynamic is the same across Europe.

At the same time, US hyperscalers dominate the officially procured AI market, with more than two thirds of enterprise usage between them. European providers such as Mistral (0.2%) and Aleph Alpha (0.3%) play virtually no role (Bitkom AI study 2025).

This produces a double asymmetry:

1. The official AI infrastructure of German organizations sits largely with US providers, and therefore within the reach of the US CLOUD Act and FISA 702.
2. Where the official infrastructure is insufficient or perceived as insecure, staff reach for private cloud AI, and the data ends up with US providers under even weaker conditions.

83% of organizations now consider sovereign AI at least moderately strategically important (Deloitte, State of AI in the Enterprise 2026, survey August – September 2025, 3,235 business and IT leaders across 24 countries), and 77% factor the country of origin of an AI solution into vendor selection. Practice and strategy are far apart.

3.1 Data leakage and loss of IP #

Every prompt sent to a cloud AI provider is a data transfer. With US providers, these transfers fall within the reach of the US CLOUD Act (18 U.S.C. § 2713) and FISA 702 (50 U.S.C. § 1881a); US authorities can access this data even without the organization’s knowledge.

Specifically problematic:

Context-rich prompts. Uploading a 30-page draft contract for summarization transmits clauses, amounts, terms, and counterparties. The AI’s answer reveals which points were especially sensitive.

Multi-turn conversations. Follow-up prompts surface strategies, reactions, and internal states of discussion. A single conversation can disclose more about ongoing negotiations than the theft of a backup.

Permission bypass through cloud AI. Many cloud AI services index, by default, all content the service account can technically reach. A misconfigured document store can mean an employee receives quotes from personnel files, M&A documents, or NDA material through an AI query.

3.2 Hallucination #

Generative AI models produce text based on statistical probabilities. When a model has no reliable data basis for a question, it invents content that sounds just as plausible as a correct answer. These inventions are called hallucinations.

In practice, hallucinations hit organizations in three places:

Legal and compliance statements. Invented provisions, misquoted rulings, retention periods that do not exist. Staff who use AI as a research shortcut carry these statements onward into reports and advisory documents.

Technical specifications. Invented product names, wrong configuration parameters, compatibilities that do not exist in reality. Especially critical in procurement decisions and architecture papers.

Statements about people. False biographical details, invented quotes, constructed connections between individuals. When such content is reused internally or externally, it creates GDPR breaches and reputational risk.

3.3 Bias and discrimination #

AI models reproduce the biases in their training data. When shadow AI is used in decisions affecting staff or customers, these biases can take hold unnoticed.

Highly relevant use cases:

Applicant pre-screening. An HR employee has ChatGPT sort 200 résumés, with no documented algorithm and no discrimination check. Under EU anti-discrimination law (the Employment Equality Directive 2000/78/EC and the Racial Equality Directive 2000/43/EC, transposed nationally, for example in Germany’s AGG), once a claimant presents facts suggesting discrimination, the burden of proof shifts to the employer to show that no discrimination occurred. AI use in recruitment is also classified as high-risk in its own right under the EU AI Act (Art. 6 in conjunction with Annex III).

Customer scoring. A sales employee has AI prioritize customer enquiries. If the prioritization systematically disadvantages certain customer groups, claims for damages and reputational harm follow.

Creditworthiness checks for individuals or risk assessment in life and health insurance. Areas where AI use is explicitly classified as high-risk under the EU AI Act (Art. 6 in conjunction with Annex III). Shadow AI in these areas is a direct breach of the regulation. Other insurance lines (property, motor, liability, commercial) do not fall under Annex III on the current classification, but they remain regulated by the GDPR and by sector-specific supervision.

3.4 Copyright and confidentiality #

Two directions need to be distinguished here:

Outbound: what happens to the content you enter? The terms of service of many cloud AI providers allow training use of the data entered, often optional but enabled by default. Submitting text relevant to a trade secret can, under certain circumstances, forfeit its status as a trade secret. Under the EU Trade Secrets Directive (Directive (EU) ²⁰¹⁶⁄₉₄₃, transposed nationally, for example in Germany’s GeschGehG), protection requires that the holder has taken reasonable steps to keep the information secret.

Inbound: do AI-generated outputs infringe third-party copyright? Generative models were in part trained on copyrighted material. Publishing AI outputs unchecked, as a blog post, ad copy, or white paper, can unknowingly reproduce other people’s works. Several ongoing cases in the US and Europe will bring clarity here in the coming years, but the risk exists today.

On top of this comes NDA-relevant content. Submitting contract or negotiation documents to a cloud AI can breach confidentiality obligations toward customers, partners, and staff, even when the provider promises ​“confidentiality.”

4. Regulatory consequences #

Shadow AI touches four bodies of regulation at once, with substantial penalty ranges in some cases.

GDPR. Every prompt containing personal data sent to a US provider is a transfer to a third country under Art. 44 ff., and without an explicit legal basis (standard contractual clauses, the EU – US Data Privacy Framework) it is unlawful. Penalty range: up to EUR 20m or 4% of global annual turnover.

EU AI Act. Regulation (EU) ²⁰²⁴⁄₁₆₈₉ has been in force since August 2024. Article 4 (the AI literacy obligation) has applied since February 2025: organizations must ensure that everyone who operates or uses AI systems on their behalf is sufficiently qualified to do so. Article 99 provides penalties of up to EUR 35m or 7% of annual turnover for prohibited practices (Art. 5), and up to EUR 15m or 3% for other breaches. The penalty provisions are enforced from 2 August 2026.

NIS2. The NIS2 Directive (Directive (EU) ²⁰²²⁄₂₅₅₅) is being transposed into national law across the EU. The transposition deadline was 17 October 2024; several member states were late. In Germany it took effect through the NIS2 implementation act (NIS2UmsuCG) in December 2025. Affected organizations must assess and control IT risks systematically, AI systems included. Shadow AI means a significant part of data processing runs outside that risk assessment.

DORA. The Digital Operational Resilience Act (Regulation (EU) ²⁰²²⁄₂₅₅₄) has applied to the financial sector since 17 January 2025. Third-party risks must be fully documented and controlled. Shadow AI by staff using unapproved cloud AI collides directly with Art. 28 ff. of DORA.

Professional secrecy. In healthcare, the legal profession, and some other fields, disclosing entrusted secrets is a criminal offence. Such professional-secrecy obligations exist in equivalent form across EU member states (in Germany, for example, under §203 of the Criminal Code). Uploading patient records or client files to a cloud AI can meet the elements of that offence.

5. Why bans alone fail #

Many organizations respond to shadow AI with bans: directives, blocks, disciplinary measures. The Bitkom data show that this approach does not work. Despite growing awareness, private AI use in companies rose from 17% to 25% between 2024 and 2025.

Three reasons bans fail:

Productivity pressure. Staff see colleagues or competitors working faster with AI. Anyone forced to do without falls behind, and reaches for it quietly as soon as the pressure rises.

Private access is trivial. ChatGPT, Claude, and Gemini are reachable through any browser, any phone, any private account. A block on the corporate network does not stop shadow AI; it only shifts it to personal devices.

Bans without an alternative breed secrecy. Anyone who uses AI because it helps does not stop; they just tell no one. Shadow AI becomes invisible shadow AI. Audit visibility and risk management become even harder.

The structural solution is an official, vetted alternative for sensitive data, paired with a clear policy on which data class may be processed in which system.

→ Use case: Local AI knowledge management with Silent AI

6. Sector spotlights #

Pharma and life sciences. Research data, clinical trials, patent strategies. A single prompt containing study information can jeopardize the confidentiality status of a research project. Here shadow AI is not only a compliance risk but a loss of competitive position.

Financial services. DORA and national supervisory frameworks largely rule out cloud AI for regulated data. ICT third-party providers must be controlled contractually, technically, and organizationally, and shadow AI is, by definition, none of these. National financial supervisors, such as BaFin in Germany, increasingly examine AI use actively. Where national requirements (for example the German MaRisk and BAIT) once filled the gaps, DORA and the EBA Guidelines on ICT and security risk management now set the binding EU baseline.

Public administration. Case files, personal data, classified information. Professional-secrecy law applies in many public bodies, recognized security baselines such as ISO/IEC 27001 and ENISA guidance call for documented data flows, and NIS2 reaches critical administrations directly. Shadow AI in public bodies is a significant criminal and supervisory risk.

Industry and manufacturing. Design data, supplier contracts, product development. Trade secrets enjoy protection under the EU Trade Secrets Directive only where reasonable steps to keep them secret can be demonstrated, and shadow AI erodes that protection.

Healthcare. Patient data, diagnoses, treatment histories. Professional-secrecy law, the GDPR (including special categories of data under Art. 9), and national healthcare-confidentiality laws all apply. Cloud AI with patient data and no explicit legal basis is not only a compliance breach but a criminal matter.

7. Action plan: 90 days #

Days 1 to 30: take stock

Map where shadow AI is already happening. Run an anonymous staff survey on actual AI use (with an amnesty clause). Analyze network logs: which AI domains are being accessed? Involve the data protection officer; shadow AI is reportable in the record of processing activities when personal data is involved.

Days 31 to 60: policy and classification

Define data classes: which data may go into cloud AI, which into internal AI, which into no AI. Draft the AI policy (outline in section 8). Set up AI literacy training in line with EU AI Act Art. 4. Establish an approval process for AI tools, in the same way as shadow-IT governance.

Days 61 to 90: provide the alternative

Procure or evaluate local AI for sensitive data. Connect the most important knowledge sources (Microsoft 365, SharePoint, Confluence, file servers). Identify a pilot group and put it into production. Communicate to all staff: what is approved, what is not, and why the approved solution is genuinely useful.

8. The AI policy: what belongs in it #

An effective AI policy answers six questions:

1. Which AI tools are approved? A named list, with the data classes they are approved for.
2. Which data may be processed where? Data classification with a clear mapping (public / internal / confidential / strictly confidential).
3. Which tools are explicitly prohibited? A negative list with reasons.
4. How are breaches handled? Disciplinary framework, escalation path, reporting duties.
5. Who is the point of contact? Data protection, IT security, AI officer (if appointed).
6. When is the policy reviewed? At least annually, and on cause when new regulations or tools appear.