The Coming Wave of Shadow AI
- David Creelman

- June 1
- Reading time: 3 min
One of the roles HR can play in AI adoption is helping leaders understand human behaviour. One human behaviour you can count on is that if a tool helps people get their work done, then banning that tool is unlikely to be effective. You might tell people not to use a certain Large Language Model (LLM), but if they need it for their work then they are likely to run it on their phone if it’s blocked by the corporate systems.
There is an interesting historical precedent for using technology “in the shadows”. When minicomputers like DEC’s famous PDP-8 were launched, they cost tens of thousands of dollars rather than the millions a mainframe demanded. They didn't need special air-conditioned rooms either. Departments that couldn't get as much computing power as they wanted from IT were eager to buy them.
IT wasn't so keen.
IT had real expertise and established processes; they didn't want departments buying and running their own machines without oversight. The concerns were legitimate: compatibility, security, support.
The impasse was resolved, if that's the right word, by departments simply buying the minicomputers and not telling IT. We now call this shadow IT. The phenomenon has pros and cons, but it was inevitable.
We will inevitably see the same dynamic in AI. Employees will see the amazing upside, be less concerned about the risks, and forge ahead. The organization may try to limit the use of AI, but that’s not going to work.
How organizations can oversee safe AI
Since telling people not to use AI will just move it into the shadows, the best approach is to provide guidelines and support so that people can use AI with reasonable safety.
First, IT needs to be tasked with developing a well-informed view of AI risk and how it compares to other risks. It’s not enough to have heard a rumour that information you put in a prompt can be leaked externally. IT needs to know how realistic that kind of breach really is. How often has it happened? How does it compare to the risk of traditional hacking, which we know is highly prevalent? If the risk of information in a prompt being leaked is small relative to other risks, then you would only forbid it for critical information.
That leads us nicely to the second point. Organizations need to distinguish between high-risk, moderate-risk, and low-risk uses of AI. Giving an AI the ability to delete records in a database is high risk. Asking the AI to edit your report is low risk. For each risk level there should be a simple process. For example: if it is low risk, go ahead; if it’s moderate risk, discuss it with your manager first; if it’s high risk, don’t do it at all.
The organization should also invest in ways for people to experiment safely. AI Agents are powerful but inherently risky. IT can set up safe environments where employees can try out possible applications. If an application looks promising, then the work can be put in to deploy it in a safe way. Even if few promising applications emerge, the employees are learning about AI Agents and setting the stage for wise use of AI.
Finally, an employee who understands AI is less likely to cause harm than someone who is just dabbling. Send employees on workshops, encourage them to read AI newsletters, and set up coffee gatherings where employees can share their knowledge and experiences. AI is sufficiently important, and changing so fast, that continuous learning is the only way to keep the organization safe.
Shadow AI is Already Here
Your employees are already using AI whether you know it or not. Restrictive policies simply drive AI into the shadows rather than keeping the organization safe. We want to celebrate employees who take the initiative to experiment with AI, and we can do so if we’ve taken the steps to enable safe use of AI.
Shadow AI is a phenomenon we need to understand. Employees experimenting with AI are not breaking the rules; they are showing us where the future of work is emerging. The task for leadership is to guide them.
