Shadow AI
The use of AI tools by staff without the knowledge or approval of IT or management, typically through personal accounts on consumer AI products, and often involving personal or confidential data pasted into those tools.
In detail
Shadow AI is the AI-specific form of shadow IT: employees adopt AI tools outside sanctioned procurement, review and access-control processes. Typical examples include staff pasting customer records, financial information or confidential documents into ChatGPT, using personal Copilot accounts for work tasks, or building automation workflows in consumer AI tools that hold credentials for company systems. Shadow AI creates data exposure risk (personal or confidential data sent to a third party, where a consumer tier may retain it or use it to train models unless the user has opted out), compliance gaps (no APP 8 cross-border disclosure assessment before data leaves Australia), security gaps (credentials stored in personal accounts, no logging or audit trail of what was sent or who sent it) and operational risk (business-critical workflows that live in an individual's personal account and disappear when that person resigns).
Why it matters for Australian business
Shadow AI is widespread in Australian workplaces, and because it runs through personal accounts and browser sessions rather than managed systems, most IT teams have little visibility of how much of it exists. The Privacy Act and Australian Privacy Principle 11 require an entity to take reasonable steps to protect the personal information it holds, and sending that information to a consumer AI tool with no prior review of its data handling terms is unlikely to satisfy that threshold. We identify shadow AI exposure in our AI Usage Review engagements and help businesses establish an approved tool register and acceptable-use policy that channels staff demand into sanctioned options rather than simply prohibiting it.