As the use of generative artificial intelligence accelerates, organizations are increasingly facing the challenge of shadow AI: unauthorized tools and applications adopted by employees without formal oversight. In this session at RIMS 2025, experts explored the significant cyber security, privacy, legal, and operational risks that shadow AI presents. Ianne Appelt, Head of ERM at Salesforce, and Steve Taylor, Director at BDO, offered practical strategies to help organizations identify hidden AI use and strengthen governance frameworks to mitigate emerging threats.

What is Shadow AI?

• Unapproved or unsanctioned AI models, tools, and agents.
• Used commonly to improve productivity and expedite manual tasks.
• A emerging source of risk and governance challenges for organizations.

Cybersecurity Risks

• Data Leakage: Unapproved AI applications can lead employees to inadvertently expose sensitive information.
• Unauthorized Access: AI models without proper controls may create vulnerabilities and security exposures.
• Secure Supply Chain: External AI tools often rely on third-party services, which may have weaker security.

Compliance and Security Risks

• Data Privacy Violations: Unapproved AI tools may result in non-compliance with industry-specific privacy laws and regulations.
• Intellectual Property (IP): Employees might inadvertently expose IP when using unauthorized AI applications.
• Lack of Auditability: Unsanctioned AI applications may lack logging features, making it challenging to trace decisions.

Operational Risks

• Bias and Inaccuracy: AI-generated content without proper oversight can lead to bias and potential legal liabilities.
• Model Draft and Reliability: Poorly maintained shadow AI models may produce outdated or incorrect outputs.
• Ethical Concerns: AI-generated content lacking oversight can spread misinformation and create legal liabilities.

Governance and Control Challenges

• Lack of Visibility: IT and security teams have no insight into what AI tools employees use for business operations.
• Integration Issues: Shadow AI may misalign with enterprise architecture, causing inefficiences and security gaps.
• Resource Drain: Unoptimized or poorly managed AI models can result in excessive cloud computing costs.

Strategies for Managing Shadow AI

• Implement and enforce AI governance policies
• Increase user education and awareness in safe AI usage
• Strengthen AI detection and enforce security measures
• Provide approved alternative or discourage shadow AI adoption

Detection and Monitoring Tools

• Cloud and SaaS Monitoring
  • Cloud access security brokers(CASB)
  • SaaS discovery and management tools
• Network and Endpoint Security
  • Next-gen firewalls and secure access gateways
  • Endpoint/extended detection and response (EDR/XDR)
• DLP and AI-Specific Monitoring
  • Data loss prevention (DLP)
  • Large language model (LLM) monitoring tools
• Log and Behavioral Analysis
  • Security incident and event management (SIEM)
  • Use behavioral analysis tools
• Shadow AI and API security
  • Shadow IT and asset discovery tools
  • API monitoring tools