Insights · Foundations
Shadow AI: how to find and govern the AI your staff are already using.
Staff adopted AI before your organization did. That isn't a discipline problem — it's a visibility problem, and it's solvable without banning anything.
By the ETTE AI practice team · Published July 6, 2026
Ask a leadership team whether their organization uses AI and you'll often hear "not yet — we're still evaluating." Ask their staff the same question anonymously and a different picture emerges: meeting summaries pasted from a browser assistant, donor letters drafted in a personal ChatGPT account, spreadsheet formulas fixed by Copilot, a translation run through whatever tool came up first in a search.
That gap between what leadership believes and what staff actually do is shadow AI — AI use that happens outside any approved tool, policy, or data boundary. In our advisory work, it is the single most common starting condition. It is also, counterintuitively, good news: your staff have already told you where AI is useful. The problem isn't demand. It's that no one owns the risk.
Where shadow AI actually hides
Shadow AI is rarely one rogue power user. It accumulates in ordinary places:
- Personal accounts on public tools. Free-tier ChatGPT, Gemini, or Claude accounts, signed up with personal emails, used for work content. Data pasted there is governed by consumer terms, not your organization's agreements.
- Features that turned on by themselves. AI assistants embedded in Zoom, Teams, Canva, Grammarly, Notion, and browser extensions — often enabled by default, often recording or summarizing content nobody classified.
- Meeting notetakers invited by outsiders. A partner's AI notetaker joins your call, transcribes it, and stores the transcript in someone else's tenant.
- Workarounds under deadline pressure. The grant deadline is Friday; the draft goes into whatever tool is fastest. Urgency always beats an unclear policy.
Why the ban reflex backfires
The instinctive response — block the tools, prohibit the use — reliably produces the worst outcome: usage continues, but on personal devices and personal accounts, where you have no visibility at all. The organization keeps every unit of risk and gives up every unit of insight. A prohibition you can't enforce isn't a control; it's a blindfold.
The first step isn't shutting anything down. It's finding out, without blame, where AI is already in the building.
Discovery first: how to surface it without a witch hunt
The approach we use inside AI Foundations engagements is deliberately non-punitive, because honest answers are the entire point:
- Declare an amnesty. Leadership states plainly: nothing disclosed in discovery will be used against anyone. You're mapping, not auditing.
- Survey for tasks, not tools. Don't ask "do you use ChatGPT?" Ask "what work do you use AI for, and what did you paste into it?" The task list becomes your first use-case register; the paste list becomes your first risk register.
- Check what the tenant already knows. Microsoft 365 and Google Workspace admin logs, browser-extension inventories, and expense reports (personal AI subscriptions filed as software) fill in what surveys miss.
- Classify what you find by data sensitivity, not by tool. Drafting a public blog post in a free tool is a different risk than pasting donor records into one. Your response should distinguish them — one gets a green light, one gets an immediate boundary.
Then govern it: the smallest set of rules that works
Discovery without follow-through curdles into cynicism. Within a few weeks of surfacing shadow AI, staff should have three things in hand:
- An approved-tools list — which AI tools are cleared, for what kinds of work, on which accounts. Give people a sanctioned path and most shadow use migrates to it voluntarily.
- Plain data boundaries — what may never go into AI (regulated data, donor and client PII, anything under NDA), what needs review, and what's fair game. Our free AI Acceptable Use Policy template gives you the structure.
- A named owner — one person who answers "can I use this for that?" within a day. Ambiguity is what created shadow AI; a fast answer is what prevents its return.
Do this well and shadow AI stops being a liability and becomes what it always secretly was: a free, organization-wide pilot study showing exactly where AI creates value for your team.
Next Step