The rise of artificial intelligence over the past few years has shaken up the entire tech industry, and the enterprise cybersecurity industry is no exception: They’re suddenly dealing with shadow AI.
The term “Shadow AI” refers to any unauthorized use of AI within an organization. Since the IT department doesn’t know about it, they have no way to track or control the use of AI.
This leaves the company open to potential exploitation or other issues. Here’s why shadow AI could be a growing problem, and what your company can do about it.
What Is Shadow AI?
Shadow AI describes employees using AI to help them with tasks without company knowledge or consent. When employees don’t explain this use to their company, that company is unaware of the shadow AI use that is going on within its ranks. Get it? Because the AI use is happening… in the shadows.
Tasks may get done faster, but without visibility and guidelines surrounding AI use, it’s impossible to fully control the results. And for any business manager, that lack of control is a red flag for the continued success of the business.
This just in! View
the top business tech deals for 2024 👨💻
There’s plenty of evidence to suggest that shadow AI is already a big problem across many industries, even if it hasn’t led to any catastrophic security failures just yet. At least, none that we’ve heard about: After all, a sizeable minority of tech companies fail to report hacks after the fact.
Here’s one big additional fact that lends extra context around the potential threat of shadow AI.
Only 4.39% of companies have fully integrated AI tools throughout their organization
That’s just 1 in 25 companies that have firm AI guidelines, according to data from Tech.co’s 2024 report on the Impact of Technology on the Workplace.
In contrast, 44% of respondents to another survey said they used AIs in professional settings as well as personal settings. That survey, which looked at French companies specifically, estimated that 28% of employees were using AI without company supervision.
In other words, despite the buzz surrounding generative text and image tools over the past few years, businesses have been slow to come up with regulations for AI.
Why Shadow AI Is Dangerous
It’s a challenge to nail down the dangers of a practice that, by definition, isn’t monitored or fully understood. Here are the biggest areas of concern.
Internal or external misinformation
Our report found that 49% of senior leadership are concerned about the risk of large language AI models generating false information. We’ve already seen reports of faulty AI-powered legal briefs, as well as other blunders, so it’s easy to imagine the same happening with an internal business report or an email to an important client.
Cybersecurity risk
Deploying AI for coding purposes is one popular use case, but if used by an IT support team, that code might contain AI-generated bugs or openings for hackers to slip a malware logic bomb past your security protocols.
Exposed data
Plus, many AI users are unaware that their prompts will be recorded by the company behind their free AI tool. If private company data is used for a prompt, it will be exposed. That’s why you should never share sensitive company data with an AI platform, among other things.
Compliance failures
Governments around the globe are rolling out AI restrictions and guidelines of their own. Without a representative to track federal or state regulation within your company, you can’t be sure that employees aren’t opening your business up to an investigation from a regulatory watchdog down the road.
How Your Company Can Combat Shadow AI Use
Ultimately, shadow AI’s threat is caused by non-existent or limited business policies surrounding AI use within the workplace. So, the answer is relatively simple: You’ll need to create guidelines that limit AI use to specific tasks within specific roles.
And, with 50% of U.S. companies saying that they are currently “updating their internal policies to govern the use of ChatGPT and end Shadow GPT,” this solution appears to be rolling out already, albeit slowly.
The safest option is a total ban on AI use: Apple, Amazon, Samsung, and Goldman Sachs are among a few companies that have banned at least some versions of AI from on-the-clock use. However, this also means you can’t benefit from the tech tools, either.
You’ll likely want to include a caveat about future AI use within your guidelines: Pending approval, workers should be able to expand AI use outside of your initial guidelines, since AI tools will continue evolving in the future.
Best Practices for Company AI Use
AI use within your company doesn’t have to be all bad. Tech.co’s 2024 report on tech in the workplace found that those who used more collaboration tools and AI self-reported higher productivity, while an impressive 59% of AI users have greater job satisfaction.
Here are some tips for getting the most from AI:
- Check out training courses. Many AI training materials are available free online.
- Don’t try to replace jobs. AI has a long way to go before it can fully replace a human being. Our report found that 63% of senior leadership professionals whose organizations use AI for writing tasks state that AI tools have had no impact on removing job roles.
- Limit AI to specific bots and specific tasks. ChatGPT or Claude 3 may be the best options currently.
- Read up on prompts. The best prompts get the best results, so we put together a guide to suggesting how to think about prompt writing.
ChatGPT was the most popular AI tool used within businesses in our 2024 survey, but others may work just as well or better: One of our recent tests found that Claude 3 wrote better, easier-to-parse text results when compared with ChatGPT.
Finally, it’s important to remember that generative text or image bots aren’t actually “intelligent” — you’ll always want a human guide to double-check for hallucinations or other lies before you rubber stamp anything an AI has to offer.
