Shadow AI is the use of unapproved AI tools — usually free, public chatbots — by employees for work tasks. It leaks company data because anything typed into a public model can be stored, used to train that model, or exposed in a breach. For business leaders, this has become a governance problem, not an IT footnote.
Your staff are already using it. The question is no longer whether to allow AI, but whether the sensitive parts of your business are walking out the door one prompt at a time — and what you give people to use instead.
What is shadow AI?
Shadow AI is any AI tool an employee uses for work without the company’s approval or oversight. It usually starts with good intentions: someone pastes a draft contract, a spreadsheet, or a block of code into a free chatbot to save an hour. The tool helps. The habit spreads. Nobody in IT knows it is happening.
The term echoes “shadow IT,” the older problem of employees using unsanctioned apps like personal cloud drives. The difference is that AI tools invite people to hand over the raw material of the business — customer records, financials, internal strategy — as the price of a useful answer.
How widespread is the problem?
More than most leaders assume. PagerDuty’s 2026 Shadow AI Survey, run by Wakefield Research among 1,250 office professionals at companies earning over $500 million a year, found that two-thirds had used AI at work even though they believed it was against company policy. More than a third had entered customer data into public AI models.
Verizon’s 2026 Data Breach Investigations Report tells the same story from the security side: detections of employees sending data to unsanctioned AI tools rose roughly fourfold in a single year, making it one of the most common non-malicious insider actions companies now see.
Why do employees do it?
Speed. A sanctioned process that takes a week to approve a tool loses to a chatbot that answers in seconds. Workers reach for whatever removes friction from the task in front of them, and most do not picture a data-retention policy on the other end of the text box.
There is also a counterintuitive twist. Some research finds that the employees most confident about AI security are also the most likely to bend the rules, because they trust their own judgment about what is safe to paste. Treating shadow AI purely as a knowledge gap misreads it.
What is actually at risk?
Three things. The first is confidentiality: free and consumer tiers of many chatbots may retain inputs and use them to improve the model, so a one-time paste can persist somewhere you cannot reach. The second is compliance — feeding regulated data into an unapproved tool can breach GDPR, HIPAA, or PCI obligations. The third is intellectual property, including source code and unreleased plans.
The clearest cautionary tale is Samsung. In 2023, engineers reportedly pasted confidential source code and internal notes into ChatGPT while troubleshooting. Once that information leaves on a public model, you cannot pull it back. Samsung restricted generative AI on company devices soon after.
Why blocking and training are not enough
The usual response is to block the tools and run a security-awareness session. Both help at the margins, and neither solves it. Network bans get bypassed with a phone or a proxy, and a banned tool simply moves further into the dark. Training raises awareness but rarely changes behavior when the sanctioned path is still the slow one.
The missing piece in most playbooks is an honest alternative. If you take away the convenient tool without offering one that is both safe and fast, people keep using the convenient one. The fix is to change what “safe” looks like.
The fix most leaders miss: AI that cannot send data out
Almost every shadow-AI guide ends with “provide an approved tool” but never says what that tool should be for sensitive work. The strongest answer is an AI that runs directly on the employee’s device. If the model is local, the prompt never travels to a third-party server — so there is nothing to retain, nothing to train on, and nothing to expose in a vendor breach.
Local AI used to mean a command line and a weekend of setup. That has changed. A growing class of open-source desktop and mobile apps download an open model and run it offline with a normal chat interface.
One free, open-source option is Atomic Chat, which runs models such as Llama, Qwen, DeepSeek, Mistral, and Gemma locally on Mac, Windows, Linux, iPhone, and Android. Because everything runs on the device, no data leaves it, it works without an internet connection, and there is no subscription. For the tasks where employees most want to reach for a public chatbot — rewriting a draft, summarizing a document, cleaning up code — a local app gives them the same help without the exposure.
On-device AI is not the answer to every workload. Heavy reasoning still favors large cloud models. The point is to match the tool to the data: route anything sensitive to something local, and reserve the public tools for work that carries no confidential information.
Public cloud chatbot vs on-device AI
| Factor | Public cloud chatbot | On-device (local) AI |
| Where the prompt goes | A third-party server | Stays on your machine |
| Can your data train the model | Often yes, unless disabled or on a paid tier | No — there is nothing to send |
| Works without internet | No | Yes |
| Exposed in a vendor breach | Possible | Not applicable |
| Ongoing cost | Per-seat subscription for business tiers | Free with open-source options |
Comparison reflects how free and consumer tiers of public chatbots typically handle data versus a locally run model.
A practical playbook for leaders
- Find out the truth. Survey what people already use, anonymously. You cannot govern what you cannot see, and most usage is invisible until you ask.
- Write a one-page rule. List the data types that must never go into any external AI tool — customer records, financials, source code, anything regulated. Keep it short enough that people remember it.
- Give a sanctioned default. Pick a tool for everyday, non-sensitive tasks so the safe path is also the fast one. Speed is what wins adoption.
- Add a local tool for sensitive work. Provide an on-device option so the prompt never leaves the machine. This is the part most policies skip.
- Revisit quarterly. New models and tools appear constantly; a policy written once and forgotten drifts back into shadow use within months.
Frequently asked questions
Is ChatGPT safe for confidential business data?
Not by default on free or consumer tiers, where inputs may be retained and used to improve the model. Business and enterprise tiers add data protections, and on-device AI avoids the question entirely because nothing is sent.
What counts as shadow AI?
Any AI tool used for work without the company’s approval or oversight — most often a free public chatbot an employee uses to save time. It is defined by the lack of governance, not by the specific tool.
Does on-device AI remove the data-leak risk?
For the data itself, largely yes. A model running locally processes prompts on the device, so there is no third-party server to retain, train on, or breach. Normal device security still applies.
Is local AI free?
It can be. Open-source apps such as Atomic.Chat run open models on your own hardware at no cost and without a subscription. Your only real input is the device you already own.
Can you ban your way out of shadow AI?
Rarely. Bans push usage underground rather than ending it, because employees still need the productivity. Offering a fast, safe alternative changes behavior more reliably than blocking does.
