What is Shadow AI? The Hidden Risk in Every UK Business

Shadow AI is the use of AI tools by employees without IT approval or oversight. 32% of UK workers already use AI without their employer's knowledge. Learn the risks and how to detect it.

Shadow AI is the use of artificial intelligence tools by employees without their organisation's knowledge, approval or oversight. It happens when staff sign up for AI tools using work email, grant OAuth access to company data, install browser extensions, or paste sensitive information into consumer AI platforms. Research shows 32% of UK workers already use AI tools without their employer's knowledge, creating risks including data leakage, regulatory non-compliance, intellectual property exposure and security vulnerabilities. Unlike traditional shadow IT, shadow AI tools often have broad data access through OAuth grants — meaning a single unauthorised tool can read, modify and export company files.

How shadow AI happens

Shadow AI doesn't require malicious intent. It usually starts with a well-meaning employee trying to work faster:

  • OAuth grants: an employee clicks "Sign in with Google" on an AI writing assistant. The tool requests access to read their emails and Drive files. One click grants it — no IT approval needed.
  • Browser extensions: AI-powered grammar checkers, summarisers, and meeting assistants that read everything displayed in the browser — including confidential documents and internal chats.
  • Personal accounts on work devices: employees use their personal ChatGPT, Claude, or Gemini accounts to process company information. The data enters a system with no organisational controls.
  • Embedded AI in existing SaaS: tools your business already uses (Notion, Canva, Grammarly) are adding AI features that process company data by default. No new sign-up required — the AI is already there.

The scale of the problem

The numbers are concerning — and they're growing rapidly:

  • 32% of UK workers use AI without employer knowledge
  • 4–12 undiscovered AI tools in a typical SME
  • 54.5% of workers lack a clear AI policy
  • 93% of UK organisations now use AI

Sources: Red Eagle Tech/Pollfish 2026, Trustmarque UK AI Index 2025. The typical OAuth audit of a 50-person UK business reveals 4–12 AI tools with active access to company data that IT didn't know about.

Real risks of shadow AI

Data leakage

When an employee pastes a client contract into ChatGPT or uploads a financial spreadsheet to an AI analysis tool, that data enters a system your organisation doesn't control. Some AI tools use customer data to train their models — meaning your confidential information could influence outputs for other users.

Regulatory non-compliance

Under the UK GDPR, your organisation is the data controller. If personal data is processed by an AI tool without a lawful basis, without a data processing agreement, and without the data subject's knowledge — that's a potential breach. The EU AI Act adds further requirements for AI tools that process EU citizens' data.

Intellectual property exposure

AI-generated content may not be protectable by copyright. If employees use AI tools to produce work that's presented as original, the organisation risks IP disputes, professional liability claims, and reputational damage.

Security vulnerabilities

OAuth grants from shadow AI tools can be exploited if the tool is compromised. An attacker who breaches a minor AI startup suddenly has read access to your Google Drive through the OAuth token your employee granted six months ago.

How to detect shadow AI

Traditional security tools don't catch shadow AI because the tools are accessed through legitimate OAuth flows, not malware or network intrusions. Detection requires a different approach:

  • OAuth audit: review the third-party applications authorised in your Google Workspace Admin Console or Microsoft 365 Enterprise Apps. Look for AI-related names and broad data access scopes.
  • Integration scanning: automated tools that cross-reference your OAuth grants against a database of known AI applications, flagging undiscovered tools and assessing their risk.
  • Employee surveys: ask your team directly which AI tools they use for work. Anonymous surveys often reveal tools that technical audits miss.
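As an added illustration of the OAuth audit and integration-scanning steps above (example code written for this page, not Governably's scanner or any vendor's API), the script below runs over a constructed token export in the shape of the Google Admin SDK Directory API tokens.list response, matches each grant against a placeholder AI catalogue keyed by OAuth client ID, falls back to an AI-name heuristic for unknown apps, and ranks findings by whether the granted scopes give wholesale mail or file access. The catalogue entries, client IDs and user addresses are all constructed; only the scope URIs are real.

```python
import re

# Scopes giving wholesale read/write access to mail or files (real Google OAuth scope URIs).
BROAD_SCOPES = {"https://mail.google.com/", "https://www.googleapis.com/auth/gmail.readonly",
                "https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/drive.readonly"}
# Constructed stand-in for a catalogue of known AI apps keyed by OAuth client ID (placeholder IDs).
AI_CATALOGUE = {
    "111111-placeholder.apps.googleusercontent.com": ("Example Writing Assistant", "LLM chatbot"),
    "222222-placeholder.apps.googleusercontent.com": ("Example Meeting Notes", "meeting AI"),
}
# Fallback for apps missing from the catalogue: AI-suggestive words in the display name.
AI_NAME_HINT = re.compile(r"\b(ai|gpt|copilot|assistant|summari[sz]er)\b", re.IGNORECASE)

def classify(grant):
    """Return a finding dict for one grant, or None if it needs no attention."""
    name, broad = grant["displayText"], sorted(s for s in grant["scopes"] if s in BROAD_SCOPES)
    if grant["clientId"] in AI_CATALOGUE:
        name, category = AI_CATALOGUE[grant["clientId"]]
        is_ai = True
    else:
        category, is_ai = "unknown (name heuristic)", bool(AI_NAME_HINT.search(name))
    if is_ai and broad:
        risk = "high"      # AI tool that can read mail or files wholesale
    elif is_ai:
        risk = "medium"    # AI tool with only narrow scopes, e.g. drive.file
    elif broad:
        risk = "review"    # not a known AI tool, but broad access is still worth a look
    else:
        return None
    return {"user": grant["userKey"], "app": name, "category": category,
            "broad_scopes": broad, "risk": risk}

def audit_grants(grants):
    """Classify every grant in a token export and return findings, highest risk first."""
    order = {"high": 0, "medium": 1, "review": 2}
    return sorted((f for f in map(classify, grants) if f), key=lambda f: order[f["risk"]])

# Constructed sample in the shape of a Google Admin SDK Directory API tokens.list export.
SAMPLE_GRANTS = [
    {"userKey": "alice@example.co.uk", "clientId": "111111-placeholder.apps.googleusercontent.com",
     "displayText": "Example Writing Assistant",
     "scopes": ["https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/gmail.readonly"]},
    {"userKey": "bob@example.co.uk", "clientId": "999999-placeholder.apps.googleusercontent.com",
     "displayText": "Summariser Pro", "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    {"userKey": "carol@example.co.uk", "clientId": "333333-placeholder.apps.googleusercontent.com",
     "displayText": "Expense Tracker", "scopes": ["https://www.googleapis.com/auth/drive.readonly"]},
    {"userKey": "dave@example.co.uk", "clientId": "444444-placeholder.apps.googleusercontent.com",
     "displayText": "Calendar Sync", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]
```

Calling audit_grants(SAMPLE_GRANTS) yields three findings (the catalogued assistant with Drive and Gmail access as high, the heuristically matched summariser as medium, the non-AI expense app with read-only Drive access as review) and silently passes the calendar-only grant.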

How Governably scans for shadow AI

Governably connects to your Google Workspace or Microsoft 365 admin environment and audits every OAuth grant in your organisation. We cross-reference each application against our catalogue of 164 known AI tools across 14 categories — from LLM chatbots and code assistants to meeting AI and data analysis tools.

For each discovered tool, Governably shows you: which employees granted access, what data scopes were authorised, when access was granted, and a risk score based on the tool's data practices, EU AI Act classification, and GDPR compliance status.

From there, you can approve, flag, or block each tool with three clicks — building your AI governance framework as you go.

Sources

  1. Red Eagle Tech / Pollfish. The AI Brain Drain: How Unclear Rules Are Costing UK Businesses Their Best Talent (2026). pressat.co.uk
  2. Trustmarque. AI Governance Index 2025. trustmarque.com
  3. UK Parliament. Data Protection Act 2018 (UK GDPR). legislation.gov.uk
  4. European Parliament. Regulation (EU) 2024/1689 — Artificial Intelligence Act. artificialintelligenceact.eu

Frequently asked questions

What is shadow AI?

Shadow AI is the use of AI tools by employees without their organisation's knowledge, approval or oversight. It includes signing up for AI services with a work email, granting OAuth access to company data, installing AI browser extensions, or pasting sensitive information into consumer AI platforms.

How common is shadow AI in UK businesses?

Very common. Research shows 32% of UK workers use AI tools without their employer's knowledge. The typical UK SME has 4–12 undiscovered AI tools with OAuth access to company data.

Is shadow AI illegal?

Shadow AI itself isn't illegal, but it can create legal liability. If an employee pastes personal data into an AI tool without proper safeguards, that's a potential UK GDPR violation. If AI-generated content is presented as original work, that raises IP and professional liability issues.

How do I detect shadow AI?

Audit your Google Workspace or Microsoft 365 OAuth grants to see which third-party apps employees have authorised. Governably automates this — scanning your cloud environment and matching apps against a catalogue of 164 known AI tools.

What's the difference between shadow AI and shadow IT?

Shadow IT is any technology used without IT approval. Shadow AI is a subset specifically covering AI tools. The key difference: shadow AI tools often have broad data access through OAuth grants, meaning they can read, modify and export company files — more dangerous than a typical unapproved SaaS tool.