
Shadow AI at work: how to inventory your undeclared AI tools.

Employees are using ChatGPT, Gemini and other AI tools without declaring them to IT or the DPO. This phenomenon, known as shadow AI, undermines EU AI Act compliance and exposes organisations to legal and operational risk.

Jérémy Pierre
AI Act Compliance Expert
4 May 2026 . 8 min read
Shadow AI: How to inventory unauthorised AI tools in your organisation
In brief . 4 key figures

  • 41% of companies report unapproved AI use by employees (Gartner, 2024).
  • 65-78% of large organisations affected, according to the Microsoft Work Trend Index 2025.
  • Art. 26 requires a register and logs for every high-risk AI system deployed.
  • 5 steps to inventory and govern undeclared AI tools across your organisation.

01 - Definition

What is shadow AI?

Shadow AI refers to the use of artificial intelligence tools by employees without validation or oversight from IT or the Data Protection Officer.

These tools include chatbots such as ChatGPT, writing assistants, image generators and coding solutions such as GitHub Copilot. They are accessible in a few clicks, via personal accounts or freemium tiers. Studies suggest that between 41% and 78% of companies are affected, with higher prevalence in larger organisations.

Shadow AI is not a marginal phenomenon. It reflects a broader trend: the rapid adoption of technology by business units, outside traditional IT channels. This practice poses major challenges for data governance and regulatory compliance.

02 - Causes

Why shadow AI spreads across organisations

Consumer AI tools are designed for immediate adoption. A single email address is enough to create an account and start using services such as ChatGPT or Gemini. Freemium tiers, with no financial commitment, reduce the barriers to entry even further.

Productivity pressure pushes employees to find quick solutions. AI appears as a lever to save time, whether drafting an email, analysing data or generating code. Business units, often ahead of IT departments, adopt these tools without waiting for internal approval.

Finally, the lack of approved alternatives encourages shadow AI. If the organisation does not offer compliant, easy-to-use AI tools, employees turn to external solutions. This is particularly pronounced in sectors where AI needs are emerging, such as legal or communications.

03 - Risks

Concrete compliance risks under the EU AI Act

The AI Act imposes strict obligations regarding transparency, documentation and supervision. An undeclared tool cannot be assessed, documented or audited. Article 26 of the Regulation requires a register and logs for high-risk systems - impossible to satisfy if the system has not been identified beforehand.

Operational risks are equally concerning. Consumer AI tools are not designed for professional use. They may process sensitive data - customer information, trade secrets - without any confidentiality guarantee. Prompts sent to external APIs may contain personal data, exposing the organisation to GDPR violations.

A prompt containing customer data sent to a non-EU API may constitute an unlawful transfer of personal data, even if the tool is used in good faith for internal purposes.

Shadow AI also introduces undocumented biases into business processes. A text generation or data analysis tool may produce biased outputs without the organisation being aware. These biases can have legal consequences in areas such as recruitment or risk assessment.

04 - Method

5-step inventory method

Identifying undeclared AI tools requires a structured approach combining collaborative inquiry and technical analysis. No single method is sufficient - combining all five steps ensures a complete and reliable inventory.

  1. Employee survey: send an anonymous questionnaire to identify tools in use. Sample questions: "Which AI tools do you use in your work?", "For which tasks?", "Did you create a personal account to access them?".
  2. IT expenditure analysis: review corporate card statements and invoices to identify subscriptions to AI tools. Paid versions of ChatGPT, Midjourney or similar services are often purchased directly by business units, outside IT procurement.
  3. Network and log scanning: use monitoring tools to detect connections to AI APIs or services. Firewall and proxy logs can reveal undeclared usage, particularly towards endpoints such as api.openai.com or generativelanguage.googleapis.com.
  4. Business unit interviews: run workshops with teams to understand their real needs and usage patterns. These exchanges surface tools unknown to IT and gather feedback on perceived effectiveness.
  5. Voluntary declaration form: set up a simple channel for employees to declare their AI usage. The form must be accessible, non-judgmental and accompanied by clear communication about its purpose.
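The detection logic of step 3, applied to a few proxy log lines and cross-checked against the declarations collected in step 5, as an added example that is not code from the article or from aiacto.eu. It assumes a simple space-separated proxy log format and a handful of constructed log lines; the two hostnames named above come from the article, the other watchlist entries are examples a defender would maintain and review. The `declared` register is likewise a constructed stand-in for the output of the declaration form.

```python
"""Flag connections to known AI service endpoints in proxy logs and
compare the users seen against a declared-usage register.

Added example (not from the original article). The log format, the
watchlist entries beyond the two the article names, and the declared
register are assumptions to adapt to your own proxy and governance data.
"""
from collections import defaultdict
import re

# Hostnames to watch. api.openai.com and generativelanguage.googleapis.com
# are the two the article names; the others are examples of entries a
# defender would add to a reviewed watchlist.
AI_SERVICE_DOMAINS = {
    "api.openai.com": "OpenAI API",
    "chat.openai.com": "ChatGPT (web)",
    "generativelanguage.googleapis.com": "Google Gemini API",
    "api.anthropic.com": "Anthropic API",
}

# Constructed proxy log lines (assumed format):
# <iso timestamp> <user> <client ip> <method> <host[:port]> <status> <bytes>
SAMPLE_PROXY_LOG = """\
2025-03-03T09:12:01Z alice 10.1.2.10 CONNECT api.openai.com:443 200 18234
2025-03-03T09:12:07Z alice 10.1.2.10 GET intranet.example.internal:80 200 512
2025-03-03T09:15:44Z bob 10.1.2.22 CONNECT generativelanguage.googleapis.com:443 200 9021
2025-03-03T10:02:13Z carol 10.1.2.31 CONNECT www.example.com:443 200 4410
2025-03-03T10:05:59Z alice 10.1.2.10 CONNECT api.openai.com:443 200 22100
2025-03-03T11:30:00Z dave 10.1.2.40 CONNECT cdn.openai.com:443 200 3300
this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<ip>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<host>[^\s:]+)(?::(?P<port>\d+))?\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


def parse_line(line):
    """Return the fields of a well-formed log line as a dict, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_host(host):
    """Map a hostname to a watchlist label, matching exactly or as a
    subdomain of a listed name. Unlisted hosts (e.g. a vendor's CDN)
    return None so static-asset traffic is not counted as usage."""
    host = host.lower().rstrip(".")
    for domain, label in AI_SERVICE_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return label
    return None


def summarize_ai_usage(log_text):
    """Aggregate successful connections to watchlisted services.

    Returns {label: {"connections": n, "users": [...], "bytes": total}}.
    Malformed lines and non-2xx responses (already blocked or failed at
    the proxy) are ignored, since they are not evidence of actual use.
    """
    summary = defaultdict(lambda: {"connections": 0, "users": set(), "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["status"].startswith("2"):
            continue
        label = classify_host(rec["host"])
        if label is None:
            continue
        entry = summary[label]
        entry["connections"] += 1
        entry["users"].add(rec["user"])
        entry["bytes"] += int(rec["bytes"])
    return {label: {"connections": e["connections"],
                    "users": sorted(e["users"]),
                    "bytes": e["bytes"]}
            for label, e in summary.items()}


def undeclared_users(summary, declared):
    """Users observed on a service who have not declared it.

    `declared` maps user -> set of service labels from the declaration
    form (step 5). The result maps service label -> list of users whose
    observed usage has no matching declaration."""
    result = {}
    for label, entry in summary.items():
        missing = [u for u in entry["users"] if label not in declared.get(u, set())]
        if missing:
            result[label] = missing
    return result


if __name__ == "__main__":
    usage = summarize_ai_usage(SAMPLE_PROXY_LOG)
    for label, entry in usage.items():
        print(f"{label}: {entry['connections']} connections, users={entry['users']}")
    # Constructed declared-usage register, as produced by the declaration form.
    declared = {"bob": {"Google Gemini API"}}
    print("undeclared:", undeclared_users(usage, declared))
```

Run on the constructed lines, the script reports two OpenAI API connections by alice and one Gemini API connection by bob, and lists alice as undeclared because only bob's declaration is on record. On a real proxy export the watchlist, log format and register would come from your own environment; the point of the cross-check is that a gap between observed and declared usage is the list of tools to follow up on in the business unit interviews, not a list of people to sanction.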

05 - Tools

AI tool declaration form template

A simple, accessible form encourages employees to declare their AI usage without fear of sanction. Deploy it via Google Forms, Microsoft Forms or any equivalent internal tool. What matters most: simple fields and a neutral tone.

Fields to include:

  • Name of the AI tool: free text field (e.g. ChatGPT, Copilot, Midjourney, Perplexity).
  • Primary use: dropdown - writing, data analysis, code generation, image generation, other.
  • Frequency of use: daily, weekly, occasional.
  • Types of data processed: no sensitive data, customer data, employee data, financial data, other.
  • Account type used: corporate account, personal account or freemium tier.
  • Open comments: free text area for any additional information.

Communicate clearly about the purpose of the form: it is about securing AI usage, not sanctioning employees. The response rate is directly linked to the level of trust perceived by the teams.

06 - Strategy

Stick vs carrot: which approach to adopt?

Banning shadow AI without offering alternatives is ineffective. The needs remain; the tools change. A sustainable strategy combines awareness, approved solutions and a clear governance framework.

The repressive approach: why it fails

Blocking access to consumer AI tools or sanctioning employees caught using them does not solve the underlying problem. Employees find workarounds: mobile access, personal VPNs or undetected alternative tools. Repression breeds mistrust and makes invisible what was merely discreet. Shadow AI does not disappear - it simply hides better.

The collaborative approach: three levers

An effective strategy rests on three complementary levers:

  • Awareness: train employees on concrete risks - data leakage, GDPR violations, personal liability. Short e-learning modules are more effective than long, unread policy documents. Article 4 of the AI Act also imposes an AI literacy obligation on all operators, applicable since 2 February 2025.
  • Approved solutions: offer vetted and compliant alternatives. Corporate access to certified tools, with appropriate contractual terms, significantly reduces recourse to shadow AI. The market now offers professional versions of most consumer tools.
  • Clear framework: publish a simple, operational AI usage policy. It must specify which tools are permitted, for which uses and with which data. The aiacto.eu obligations tool can help structure this framework according to your sector and size.

The goal is not to eliminate AI use by employees, but to channel it. Well-governed AI usage is a competitive asset. Undocumented usage is a regulatory risk the organisation carries alone.

07 - References

Legal framework: key articles to know

  • AI Act . Art. 4: AI literacy obligation for all operators, applicable since 2 February 2025.
  • AI Act . Art. 26: obligations for deployers of high-risk AI systems, including maintaining a register and automatic logs.
  • AI Act . Art. 50: transparency obligations for systems interacting with natural persons, applicable from November 2026.
  • GDPR . Art. 25: data protection by design: any processing of personal data must be documented and governed from the outset.
  • GDPR . Art. 44: transfer of data outside the EU: strict conditions applying to APIs of non-European AI tools.

Are all your AI tools declared and compliant?

In 3 minutes, the aiacto.eu diagnostic identifies your AI Act obligations based on your sector, size and the tools you deploy. Free, no sign-up required.

08 - FAQ

Frequently asked questions

Answers to the most common questions about shadow AI and AI Act compliance.

Shadow AI refers to the use of AI tools by employees without validation from IT or the DPO. It includes chatbots, writing assistants and code generators freely available online. Studies published between 2024 and 2025 indicate that between 41% and 78% of companies are affected.

The AI Act does not directly prohibit shadow AI, but it imposes documentation, supervision and traceability obligations that undeclared AI usage makes impossible to fulfil. High-risk systems require a register and logs, which cannot be maintained without a prior inventory of the tools in use.

Detection relies on several complementary approaches: anonymous employee surveys, network log analysis, IT expenditure review and business unit interviews. No single method is sufficient. Combining all five steps described in this article ensures a complete and reliable inventory.

Any data entered into an external AI tool may be transmitted to servers outside the EU, without confidentiality guarantees. Customer data, financial information and internal communications are particularly at risk. Every prompt containing a name, email address or any identifying information constitutes processing of personal data under the GDPR.

Transparency about the purpose is essential: the declaration process is about securing usage, not sanctioning employees. An anonymous form, non-judgmental communication and the prompt availability of approved alternatives significantly increase the response rate. The key message: declaring protects both the organisation and the individual.

Shadow IT refers to all IT systems used without IT validation, of which shadow AI is a subcategory. Shadow AI is now the most common form of shadow IT, due to the accessibility of consumer AI tools. It carries specific risks related to data processing, algorithmic bias and the new obligations introduced by the AI Act.

Liability is shared between the employer and the employee. The organisation remains responsible for data processing carried out in its name, even without IT's knowledge. The employee may be held liable for breach of internal policy. The existence of a published and accessible AI usage policy constitutes a protective factor for the organisation.

Jérémy Pierre
Founder aiacto.eu . AI Act Compliance Expert

Supports AI providers and deployers in their regulatory compliance journey. Author of practical guides on the EU AI Act and GDPR applied to generative AI.
