Shadow AI: the incident class that dominates the real log

You blocked ChatGPT on the corporate network and added an acceptable-use policy. The incident log did not change, because shadow AI is not a discipline problem. It is a workflow problem: people take the faster path you did not give them.

Share
Paper-collage of a company-perimeter rectangle with four documents labelled PASTE, EXTENSION, CODE, and TOOL escaping through its edges, a SHADOW AI slip inside, and a LOG tag left outside.
Shadow AI: the incident class that dominates the real log

Most companies are defending against the wrong shadow-AI problem

The standard response to shadow AI looks the same in almost every company. There is an acceptable-use policy somewhere in the wiki. There is a firewall rule blocking ChatGPT on the corporate network. There is a quarterly security reminder, usually a slide with a red exclamation triangle, that tells employees to think before they paste. And there is a quiet, unmeasured assumption that this is enough.

It is not enough. The incident logs say so.

Companies I talk to that have actually read their own logs notice the same thing. The dominant AI security incident class is not prompt injection. It is not jailbreaks. It is not a clever attacker manipulating a customer-facing model. It is an employee, mid-task, pasting client data or proprietary code into a personal ChatGPT account or a Claude.ai session opened in a private browser tab. The volume is not close. Netskope's 2025 telemetry across enterprise customers put the rate at roughly 223 sensitive-data-to-AI incidents per company per month, more than double the prior year. Production prompt-injection incidents per company per month are not measured at that cadence anywhere, because they do not happen at that cadence anywhere.

This article is about why that gap exists, and why the defenses most companies have built do not close it. Short version: shadow AI is treated as a discipline problem (people are pasting things they should not paste), and it is not a discipline problem. It is a workflow problem. The data leaves because a person in the middle of doing real work needed a faster path than the one the company provided. Until the sanctioned path is faster than the shadow path, the incident class will keep producing the same logs.

What I want to argue here is narrower than a general security framework. Three claims.

First, that acceptable-use policies and firewall blocks fail because they enforce at the wrong unit. They enforce at the employee level or the tool level. The actual leak point is the workflow.

Second, that the four shadow-AI workflows dominating real incident logs are not exotic. They are predictable, repeatable, and each has a different governance lever. Treating them as one category called "people using ChatGPT at work" is part of why the response keeps missing.

Third, that the only response that has worked, in my own experience and in the operator conversations I trust most, is controlled enablement. Not banning. Not stricter policy. A sanctioned internal path designed to be the path of least resistance, with the governance question (what data class can flow through which surface for which task) answered per role and per workflow, by the people accountable for the data.

I will close on the implication for org structure. Spoiler: it is not "buy a shadow-AI tool." It is closer to "redesign the data-flow map."

Acceptable-use policies fail because they enforce at the wrong unit

The acceptable-use policy is the most common defense and the least effective one. It is not useless. It gives legal a footing if something goes wrong, it documents intent, and it tells genuinely uncertain employees what the company thinks the rule is. But it is not the control most companies treat it as.

The mechanism is straightforward. An AUP enforces at the employee level. Someone reads a paragraph, agrees to a rule, signs the policy, and goes back to work. The control surface is the employee's memory and the employee's discipline, refreshed once a year if that. It is asynchronous to the moment of risk.

Data does not leave at the employee level. It leaves at the workflow level. The leak happens not when the employee is thinking about whether they can use ChatGPT in the abstract, but when they are mid-task, with a deadline, in a specific moment where they need to summarize a fifty-page contract, refactor a stubborn function, debug a payment integration that started failing this morning, or draft a customer email that reads less defensively than the one they wrote on the first try. The workflow has a pull. The policy has a push. The pull always wins, because the pull is happening right now and the push happened sometime last March in a slide deck.

Security has dealt with this pattern for two decades in other domains. Password complexity rules do not change behavior unless they are wired into the auth surface itself. Data classification policies do not move data unless they are wired into the storage layer. Acceptable-use policies for AI are no different. A rule that lives only in a document, with no surface-level enforcement at the moment of decision, is not a control. It is a statement of preference.

I am not arguing AUPs should be deleted. I am arguing the people designing the shadow-AI response should stop expecting the AUP to be the control and start treating it as the contract, the statement of intent that sits underneath whatever real control is being built. The real control has to live where the workflow happens.

Blocking ChatGPT at the firewall just relocates the workflow

The second most common defense is to block the major public AI tools at the network egress (ChatGPT, Claude.ai, Gemini, Copilot) through the corporate web filter. The reasoning is straightforward and, in isolation, sound: if employees cannot reach the tool, they cannot leak data into it.

The reasoning breaks the moment the workflow is considered.

What actually happens when a public AI tool is blocked, in the absence of a sanctioned alternative, is that the workflow relocates. The employee who needed to summarize the contract still needs to summarize the contract. The developer who needed help refactoring still needs help refactoring. The PM who wanted a cleaner draft of the customer email still wants a cleaner draft. None of those needs are imaginary, and none of them go away because the firewall said no.

So the work moves. It moves to a personal laptop on home Wi-Fi. It moves to a phone on the cellular network. It moves to a browser extension that proxies the request through a different domain that the filter has not learned about yet. It moves to a downstream tool (a note-taker, a meeting transcriber, a writing assistant) that the employee installed at the user level without IT review, and that quietly sends content to a model the company has no relationship with. It moves to copy-pasting paragraphs into the chat-style help in a SaaS product the company already pays for, where the chat assistant is, underneath, the same kind of model.

In every one of those relocations, two things get worse. First, the data still leaves; the firewall did not stop the workflow, it just made the path more circuitous. Second, the company's visibility into the leak collapses. The sanctioned tool would have at least produced a request log on a sanctioned account. The relocated tool produces no log the company can audit. The control posture is now strictly worse than it was before the block.

I am not saying never block. I am saying a block without a sanctioned alternative is not a control either. It is a redirection. And the redirected workflow is almost always less visible than the original.

The four shadow-AI workflows that dominate the real log

Companies that take their incident logs seriously, meaning they actually read them, classify them, and do not just count them, tend to converge on the same four shadow-AI workflows. Naming them matters, because the response to each is different. Treating them as a single category called "ChatGPT misuse" is part of what has made the defenses generic.

Four distinct workflow tiles labelled paste, a torn tab, CODE, and TOOL in a 2x2 grid, with two arrows pointing in and a FOUR WORKFLOWS label at the center.
Workflow one: personal-account pasting of client or proprietary data. This is the canonical case. An employee, on either a corporate or personal device, opens a personal ChatGPT or Claude.ai account and pastes a chunk of work-relevant content into the prompt window. The content might be a client contract. It might be a vendor proposal. It might be internal financials. It might be a candidate's resume during a hiring screen. It might be the full text of an internal HR document the employee is trying to make less stilted. The shared property is that the data class is sensitive and the destination is an account the company has no governance over: no retention policy, no audit log access, no enterprise data-handling agreement.
Workflow two: unapproved browser extensions with broad page-read permissions. Browser extensions are the dark matter of shadow AI. An employee installs a free Chrome or Edge extension that promises to summarize web pages, rewrite emails, generate replies, or translate documents on the fly. To do that, the extension asks for the right to read and modify data on every page the user visits, which the user grants in a single permission prompt, because the extension would not work without it. From that moment, every page the employee opens (the internal CRM, the candidate ATS, the support ticket queue, the bug tracker, the internal wiki) is being read by a third-party process that the company never reviewed, did not sign a contract with, and cannot audit. The Cyberhaven extension compromise in late 2024 made the magnitude of this surface visible: when one trusted extension is taken over, the data of every employee who installed it is at risk simultaneously.
Workflow three: copy-paste of source code into general-purpose assistants. This is the developer-specific variant of workflow one, and it deserves its own category because the data class (proprietary source code, often including secrets, customer-specific logic, security-sensitive integrations) is high-value and high-velocity. A developer hits a stubborn bug. The fastest path to a fix, in the moment, is to paste the function and the stack trace into the chat window of a general-purpose assistant. The model returns a plausible answer in twenty seconds, the bug gets fixed, the work moves on. The code now lives on a vendor server the company does not have a data-processing agreement with. Repeat across a delivery team of forty engineers, eight hours a day, and the cumulative exposure is meaningful.
Workflow four: downstream-tool integration installed at the user level. This one is the slowest-moving and the easiest to miss. An employee signs up for a meeting note-taker that joins their video calls and produces transcripts and summaries. Or a sales assistant that reads their inbox and drafts replies. Or a writing tool that lives inside their email client. Each of these tools, individually, looks small. None of them was procured by IT. None of them is on the SaaS inventory. Each of them is sending real work content (meeting audio, customer email threads, internal Slack-equivalent messages) to a model the company has not reviewed. The aggregate surface is large. The audit surface is zero.

I name these four because the governance response to each is different. Workflow one is mostly about giving people a sanctioned account with the same speed and a real retention policy. Workflow two is mostly about a managed browser-extension allow-list at the device-management layer. Workflow three is mostly about giving developers a sanctioned coding assistant (GitHub Copilot Business, Cursor Teams, the Claude Team Premium or Enterprise seat that includes Claude Code) with the data-flow policy that goes with it. Workflow four is mostly about discovering the tools (an OAuth-app inventory and a Calendar-integration audit go a long way) and either bringing them inside the sanctioned perimeter or replacing them with a vetted equivalent.

A defense that treats all four workflows as the same problem will get the response wrong for at least three of them. That is most of the defenses I have seen.

The three failed mitigations and why they fail at the operating-model level

The three mitigations companies reach for, in order of how often they appear, are: AUP signatures, ChatGPT firewall blocks, and a single security review per AI product. Each fails at the operating-model layer for a different reason. It is worth being precise about why, because the failure modes tell you what the actual control should look like.

The AUP-signature mitigation fails because policy is not workflow design. I covered the mechanism above. The summary version: the AUP enforces at the employee level once, in the abstract, and the data leaves at the workflow level continuously, in the concrete. The mitigation does not address the asymmetry. Asking employees to remember a rule they signed last March, in the moment they are trying to ship a deliverable today, is asking the slowest-moving control to compete with the fastest-moving workflow. The control loses every time.
The ChatGPT-firewall mitigation fails because demand redirects to less-visible surfaces. I covered this one too. Summary: a block without a sanctioned alternative does not eliminate the workflow; it relocates the workflow. The relocation produces less visibility, not more. The control posture becomes strictly worse.
The single-security-review-per-AI-product mitigation fails because the incidents do not run through procurement. This one is worth a longer look. Most companies that have taken AI security seriously have built a gate around AI product procurement: when a department head wants to bring in an AI vendor, there is a security questionnaire, a privacy review, sometimes a contract negotiation about data handling, and then a single point-in-time approval. Once the vendor is in, the gate closes behind them and no further review happens unless something changes contractually.

Shadow-AI incidents do not run through this gate. They are not products being procured. They are workflows being improvised, by an employee, on a personal account, on a Tuesday afternoon. The procurement gate cannot see them because they are not procurements. The control is sitting in the wrong room.

What this means at the operating-model level is that the AI security function cannot be a procurement-gate function. It has to be a workflow-design function, integrated into how delivery work actually happens. That is a different organizational shape, with a different reporting line and a different cadence, than the procurement-gate version. The companies that get this right tend to move the workflow-design function into a partnership between security, delivery leadership, and the COO's office. Not because security is no longer the owner, but because workflow design is a delivery question, and the design has to be agreed at the level where delivery is run.

Controlled enablement is workflow redesign, not tool banning

The defense that has actually moved the incident class downward, in my experience leading AI transformation across delivery, product, and operations, and in the operator conversations I trust most, has the same shape every time. It is not banning. It is not stricter policy. It is what I will call controlled enablement: the deliberate construction of a sanctioned internal pathway for the use cases that drive the bulk of shadow-AI demand, designed to be the path of least resistance for the people doing the actual work.

The mechanism has three load-bearing parts.

First, the sanctioned pathway has to be sanctioned at the surface the user actually touches. Not "we have an enterprise OpenAI agreement, please use the corporate account when relevant", which still leaves the employee in the position of having to know when they are using it and remembering to switch. The sanctioned pathway is SSO into a corporate AI workspace, with the corporate account loaded by default in the browser, with the data-handling policy attached to that account, with an audit log produced for every prompt and every response, and with retention rules the company controls. The friction of using the sanctioned path is lower than the friction of using a personal account, not higher. If it is higher, the workflow will route around it.

Second, the governance question gets answered at the level of the work, not at the level of the policy. The right question is not "is ChatGPT allowed?" It is "what data class can flow through which surface for which task, performed by which role?" That question is answered per role and per workflow, by the people accountable for the data class, in conversation with the people doing the work, and it produces a matrix that the sanctioned pathway can enforce mechanically. A developer can paste application source into the sanctioned coding assistant; the same developer cannot paste customer PII into the same assistant, because the data class is different. A PM can summarize an internal product brief in the sanctioned writing assistant; the same PM cannot summarize an unredacted customer support ticket, for the same reason. The matrix is the control; the AUP is the contract that documents the matrix.

Third, the company stops pretending people will not use AI for work and starts deciding which work AI will help with. This is the part that requires real leadership weight, because it is the part where the implicit policy ("we'll work it out as it comes up") becomes an explicit policy ("here is what we are sanctioning, here is what we are not"). The implicit policy is the most expensive option, because it produces the shadow-AI logs without any of the benefit. The explicit policy, even when it is restrictive, is cheaper. What that explicit policy contains is its own subject: the AI security policy you ship before any AI tool.

There is a sentence I have used in operator conversations more than any other on this topic, and I will put it here because it is the load-bearing claim. Your team is already using AI. The only real question is whether the company controls the workflow or pretends the workflow is not happening. Pretending is the most expensive choice. Controlled enablement is the cheaper one, and it is the only one that produces an incident curve that bends in the right direction.

Three overlapping pillars: a keyboard with an SSO key, a DATA / ROLE / SURFACE grid, and a WE SANCTION speech bubble, meeting at a central CONTROL circle.

Why shadow AI dominates the real log, not prompt injection

There is a separate question worth addressing directly, because it explains why the security investment most companies are making is mis-allocated. Prompt injection, jailbreak attacks, and model-abuse vectors get most of the conference attention and most of the security-team mindshare. They are interesting. They produce demos that play well at RSA. They show up in vendor pitches. Shadow AI, by contrast, is undramatic: an employee, a paste, a personal account.

The incident logs do not match the attention.

The math is straightforward. Prompt injection is a surface that exists where an AI feature reads attacker-controlled input. That surface is, in most companies, narrow: the AI-product team, a handful of customer-facing AI features, maybe an internal agent or two. The population of people who can be reached by a prompt-injection attack is the population of users of those specific features. If the company has not shipped a customer-facing AI feature yet, the attack surface is effectively empty.

Shadow AI is a surface that exists where any employee has a browser and a workload. The population is the entire workforce. Every employee with a laptop is a potential shadow-AI vector. The volume difference is at least an order of magnitude, before any analysis of which surface is more controllable.

The most common AI security incident in real operating logs today is not prompt injection. It is an employee pasting client data into a personal ChatGPT account because the sanctioned alternative was slower or did not exist. The incident class is undramatic, repetitive, and high-volume. It does not produce conference talks. It produces the bulk of the actual exposure.

I am not arguing prompt-injection defense should be deprioritized. For companies that ship AI features, it is real work and it needs real investment. I am arguing the security budget should be sized to the actual incident curve, not to the conference circuit. For most companies that are not yet shipping AI features at scale, the bulk of the AI security risk is on the workforce side, not the product side. Allocating accordingly tends to produce a different org chart than the one the prompt-injection literature suggests.

What changes when this is treated as an operating-model question

If the argument above lands, the implication for the reader's organization is not "buy a shadow-AI tool" or "schedule a security review." It is a set of org-design choices that look different from what most companies have today.

The shadow-AI workflow-governance map is owned jointly. Not by the CISO alone. Not by IT alone. By a partnership of the CISO, the COO, and the delivery leadership of the functions where the workflows actually happen: engineering, product, sales, marketing, HR. The CISO contributes the data-class taxonomy and the audit posture. The COO contributes the cross-functional authority and the priority among competing workflow redesigns. Delivery leadership contributes the ground truth about what the workflows actually are and where the friction lives. None of those three can do the work alone, and the missing-leg failures are predictable: a CISO-led effort produces a policy nobody routes around because nobody knows it exists; a delivery-led effort produces fast enablement with no audit posture; a COO-led effort produces a steering committee that meets quarterly and ships nothing.
The artifacts that make it real are three. A data-class × surface × role matrix, maintained as a living document, that says which data class can flow through which sanctioned surface for which role's workflow. A sanctioned-pathway catalog, with at minimum SSO and audit and retention specified, that the workforce can actually find without asking. And an audit-and-retention SLA with each AI vendor in the sanctioned catalog, signed by procurement and reviewed annually, that gives the company enforceable rights over its own data flow. Without these three artifacts, the controlled-enablement story is rhetoric. With them, it is operable.
The success signal is the incident curve, not the policy artifact. Most companies measure their AI security posture by the existence of the AUP and the existence of the firewall rule. Neither correlates with the incident class downward-bending. The signal that matters is the ratio between sanctioned-pathway usage and shadow-AI events, measured over a quarter, in the same workforce. A program that produces a one-thousand-page AI security policy and a flat or rising shadow-AI event rate has not worked. A program that produces a short policy and a sanctioned pathway that absorbs sixty or seventy percent of the demand within a quarter, with the shadow rate declining quarter over quarter, has worked.
The regulatory environment makes this an operating-model question, not just an IT question. I will say this briefly because it is context, not the central claim. The EU AI Act assigns obligations to deployers, not only providers, meaning the company using an AI tool, not only the vendor selling it, carries real responsibilities for the data flowing through its workflows. NIS2 raises the operational-resilience bar across most regulated sectors. Sector rules in finance, healthcare, and employment are converging on the same shape. None of these are satisfied by an AUP. All of them require the workflow-governance map to be a living, auditable artifact owned by a named accountable role. The org-design question is upstream of the regulatory question. Companies that build the operating-model layer first tend to absorb the regulatory layer cheaply. Companies that wait for the regulatory layer to force the operating-model layer tend to pay twice.

If I am right about the central claim, the next AI security investment most companies will make is not a tool purchase. It is the explicit construction of the workflow-governance map, the sanctioned-pathway catalog, and the accountable-role partnership that maintains them. That is closer to a redesign of how AI work flows through the org than it is to a procurement decision. It is also the only response I have seen that produces an incident curve that bends in the right direction.

The shadow-AI incident class will keep dominating the real log until the operating model changes. The question is whether the change comes from inside the org, on the company's own timeline, or from an external incident on someone else's.

Frequently Asked Questions

What is shadow AI?

Shadow AI is the use of generative AI tools (public chatbots, browser extensions, embedded assistants in third-party SaaS, downstream meeting note-takers) by employees on company work, outside any sanctioned IT or security review. The defining property is that the company has no governance over the destination: no data-retention policy, no audit log access, and no enterprise data-handling agreement.

In practice, shadow AI shows up in four recurring workflows: personal-account pasting of client or proprietary data into ChatGPT or Claude.ai; unapproved browser extensions with broad page-read permissions; copy-paste of source code into general-purpose assistants by developers; and downstream tools (note-takers, sales assistants, writing helpers) installed at the user level without IT review. Each workflow is sensitive data leaving the company via a path the company cannot see or control.

How common is shadow AI in enterprises?

Shadow AI is now the dominant AI-related security incident class in companies that actually read their logs. Netskope's 2025 telemetry across enterprise customers measured roughly 223 sensitive-data-to-AI incidents per company per month, more than double the prior year. By contrast, production prompt-injection incidents are not measured at that cadence anywhere, because they do not happen at that cadence.

The volume asymmetry is structural, not anecdotal. Shadow AI's exposure surface is the entire workforce: any employee with a browser and a workload is a potential vector. Prompt-injection's exposure surface is narrower, limited to users of a company's customer-facing AI features, which most companies have not yet shipped at scale. The conference-circuit attention given to prompt injection does not match the actual incident curve.

Why don't acceptable-use policies (AUPs) stop shadow AI?

AUPs fail because they enforce at the wrong unit. An acceptable-use policy operates at the employee level: someone reads a paragraph, signs once, and goes back to work; the control surface is the employee's memory, refreshed annually if that. The data, however, does not leave at the employee level. It leaves at the workflow level, when the employee is mid-task, with a deadline, needing to summarize a contract or refactor a function. The workflow has a pull; the policy has a push. The pull always wins because it happens in the moment of decision and the push happened months ago in a slide deck.

This is not an argument to delete AUPs. AUPs are useful as the documented contract of intent: they give legal a footing and tell uncertain employees what the rule is. But they are not the control. The real control has to live at the workflow surface, not in a document.

Does blocking ChatGPT at the firewall solve shadow AI?

No. Blocking ChatGPT without providing a sanctioned alternative does not eliminate the workflow; it relocates it. The employee who needed to summarize the contract still needs to summarize the contract. The work moves to a personal laptop on home Wi-Fi, to a phone on cellular, to a browser extension that proxies through an unfiltered domain, or to a downstream SaaS tool whose embedded chat assistant is, underneath, the same kind of model.

In every relocation, two things get worse. The data still leaves: the firewall did not stop the workflow, only made the path more circuitous. And the company's visibility into the leak collapses, because the relocated tool produces no log the company can audit. The control posture after a firewall block without a sanctioned alternative is strictly worse than it was before the block, not better.

What is controlled enablement, and how is it different from banning AI tools?

Controlled enablement is the deliberate construction of a sanctioned internal pathway (corporate AI workspace, SSO, default-loaded enterprise account, data-handling policy attached, full audit logging, company-controlled retention) designed to be the path of least resistance for the use cases that drive the bulk of shadow-AI demand. Banning, by contrast, blocks the path of least resistance and leaves the workflow to find a new one in the dark.

The mechanism has three load-bearing parts. First, the sanctioned pathway has to be lower-friction than personal accounts, not higher; otherwise the workflow routes around it. Second, governance is answered at the work level via a data-class × surface × role matrix, which specifies what data class can flow through which sanctioned surface for which role's task, and the matrix is enforced mechanically, not by AUP reminder. Third, the company commits to an explicit policy of what AI helps with and what it does not, rather than the implicit "we'll work it out as it comes up" posture that produces the shadow logs without any of the benefit.

Does the EU AI Act apply to shadow AI?

Yes. The EU AI Act assigns obligations to deployers of high-risk AI systems, not only to providers, meaning the company using an AI tool, not only the vendor selling it, carries direct responsibility for the data flowing through its workflows. Article 26 specifies deployer obligations: operating the system per provider instructions, assigning human oversight, ensuring input data is relevant, retaining automatically generated logs for at least six months, and conducting Fundamental Rights Impact Assessments where required. These obligations apply regardless of whether the AI tool was procured through IT or installed by an employee on their own.

NIS2 reinforces the same pattern for cybersecurity: Essential and Important entities across 18 sectors, including digital infrastructure, ICT service management, finance, health, manufacturing, and public administration, must take appropriate technical and organisational measures to manage information-system risks, with penalties up to €10M or 2% of global revenue. None of these regulatory frameworks are satisfied by an AUP alone. All of them require a workflow-governance map that is a living, auditable artifact owned by a named accountable role.

Who should own shadow AI inside the company - the CISO, IT, or someone else?

Shadow AI ownership belongs to a partnership, not a single function. The model that works is the CISO plus the COO plus the delivery leadership of the functions where the workflows actually happen: engineering, product, sales, marketing, HR. The CISO contributes the data-class taxonomy and the audit posture. The COO contributes cross-functional authority and the priority among competing workflow redesigns. Delivery leadership contributes the ground truth about what the workflows actually are and where the friction lives.

The missing-leg failures are predictable. A CISO-led-only effort produces a policy nobody routes around because nobody knows it exists. A delivery-led-only effort produces fast enablement with no audit posture. A COO-led-only effort produces a steering committee that meets quarterly and ships nothing. The artifact that holds the partnership accountable is a data-class × surface × role matrix, a sanctioned-pathway catalog with SSO and audit and retention specified, and an audit-and-retention SLA with each AI vendor in the sanctioned catalog. Without those three artifacts, the controlled-enablement story is rhetoric.