Is shadow AI always bad?

No — and that's part of the problem. Shadow AI usually starts because employees are trying to do their jobs better. The right answer is rarely punishment; it's bringing the use case into approved channels.

How do we find out how much shadow AI exists in our company?

Anonymous staff survey. Ask: which AI tools have you used for work in the last month? Which on company accounts vs. personal? Which with company data?

What's the most common shadow-AI mistake we should worry about?

Pasting PII or PHI into free-tier consumer chatbots. It's silent, frequent, and the data goes into training corpora unless the user manually opts out.

Should we just ban consumer AI tools?

Almost never works. A ban without an approved alternative pushes use further underground. The durable fix is an approved enterprise alternative plus role-specific training.

Does our IT department block these tools?

Many try, with limited success. Employees use personal devices, personal accounts, and home networks. The durable fix isn't network blocking — it's an AI use policy and approved tool list.

AI governance, plainly

What is shadow AI?

When employees use AI tools your company hasn't approved — usually on personal accounts, with company data. Why it happens, why it matters, and how to bring it into the light.

Omaha companies asking the same? See the Omaha view →

Text Rosey · Schedule a call →

Definition

Shadow AI is AI tool use that happens outside the company's sanctioned, governed channels. Most commonly, it's employees using consumer-grade ChatGPT, Claude, or Gemini accounts (often personal accounts) to do work that involves company data — drafting customer emails, summarizing internal documents, drafting code, writing donor letters, formatting policy text.

It's the most common AI deployment pattern in mid-market companies, and it's almost always invisible to leadership until someone asks.

Express-Harris 2026 found that only 36% of U.S. companies provide a list of approved or preferred AI tools, while 38% allow employees to use any AI tools they're familiar with. SHRM 2026 found only 49% of organizations have AI use policies. The gap between those numbers is shadow AI.

In nonprofits the pattern is more extreme: Virtuous's 2026 benchmark found 92% of nonprofits use AI in some capacity, but 81% on an "ad hoc basis" without shared workflows or documentation, and 47% have no formal AI governance policy.

Why it matters for Lincoln companies

Shadow AI creates three specific risks that compound the longer they go unaddressed.

**Data leakage.** Free-tier AI tools typically train on user input by default unless turned off. Pasting a customer's PII, a patient's PHI, a donor's record, an attorney-client communication, or proprietary source code into a consumer chatbot can violate privacy laws, regulatory rules (NAIC IGD-H1, OCC third-party guidance, NITC 8-609 for state contracts), or contractual obligations.

**Audit blindness.** When AI use is invisible, you can't audit it. You don't know whose data went where, when, or for what purpose. If a regulator asks, the answer "we don't know" is itself a finding.

**Quality drift.** Shadow AI tends to produce output that misses internal review standards — brand voice, tone, factual accuracy, citation. By the time anyone notices, the drift has been embedded in client-facing work for months.

The standard wrong response is a blanket ban. That doesn't reduce shadow AI; it pushes it underground. The right response is the inverse: an approved tool list with enterprise-grade alternatives, clear prohibited-data rules, and training that makes safe use easier than risky use.

Common follow-up questions

Is shadow AI always bad?: No — and that's part of the problem. Shadow AI usually starts because employees are trying to do their jobs better. The right answer is rarely punishment; it's bringing the use case into approved channels.
How do we find out how much shadow AI exists in our company?: Anonymous staff survey. Ask: which AI tools have you used for work in the last month? Which on company accounts vs. personal? Which with company data?
What's the most common shadow-AI mistake we should worry about?: Pasting PII or PHI into free-tier consumer chatbots. It's silent, frequent, and the data goes into training corpora unless the user manually opts out.
Should we just ban consumer AI tools?: Almost never works. A ban without an approved alternative pushes use further underground. The durable fix is an approved enterprise alternative plus role-specific training.
Does our IT department block these tools?: Many try, with limited success. Employees use personal devices, personal accounts, and home networks. The durable fix isn't network blocking — it's an AI use policy and approved tool list.

Sources

Only 36% of companies provide a list of approved or preferred AI tools — 8 in 10 Employees Say They Need AI Training — After Their Companies Already Rolled Out the Tools, Express Employment Professionals (Harris Poll fielding), 2026
38% of companies allow employees to use any AI tools they're familiar with — 8 in 10 Employees Say They Need AI Training — After Their Companies Already Rolled Out the Tools, Express Employment Professionals (Harris Poll fielding), 2026
Only 49% of organizations have AI use policies — The State of AI in HR 2026, SHRM (Society for Human Resource Management), 2026
81% of nonprofits use AI on an ad hoc basis without shared workflows or documentation — The 2026 Nonprofit AI Adoption Report, Virtuous and Fundraising.AI, 2026
47% of nonprofits have no formal AI governance policy — The 2026 Nonprofit AI Adoption Report, Virtuous and Fundraising.AI, 2026

Answer

shadow AI explained

Answer

the plain definition of an AI policy

Answer

AI use policy template walkthrough

Service

approved AI tool list and policy

Concern

when employees won't use AI tools

Concern

the shadow AI problem we found

→ Start here

Text Rosey to begin.

Rosey is our executive-assistant bot. Text the number below — she'll ask two questions, offer three calendar slots, and put a 30-minute call on Jim's calendar.

Text Rosey · Schedule a call →

or call 415 481 2629

What is shadow AI?

Definition

Why it matters for Lincoln companies

Common follow-up questions

Sources

Related

Text Rosey to begin.