Amid the growing excitement about and use of artificial intelligence, there is concern about uncontrolled use of AI outside the authority of IT departments. This is known as shadow AI, which refers to AI usage within a company that happens “in dark corners,” according to Jay Upchurch, CIO of data analytics platform SAS. The issue is more complex and hazardous than previous instances of shadow IT. Governance and security are major concerns in shadow AI, including risks such as leakage of confidential intellectual property, copyright infringement, and inadvertent disclosure of personally identifiable information about customers. There are also concerns about unintentionally helping hackers create malware based on the code entered into AI tools. Some companies have already experienced sensitive information leaks and security issues as a result of generative AI deployment.
Ameer Karim, executive vice president and general manager of cybersecurity and data protection at ConnectWise, highlighted that smaller companies face even greater risks, such as AI hallucinations and inaccuracies, due to their use of free versions of AI tools. Despite the risks, completely prohibiting shadow AI is not a viable solution, as it may alienate talented employees. Setting boundaries and enabling creativity in controlled environments can be a more effective approach.
Remote users and cloud-based platforms are particularly vulnerable to shadow AI violations. Educating employees on the risks and best practices for obtaining approval is helpful, but the most feasible and scalable solution is the implementation of endpoint security tools. Cloud access security brokers can also address concerns related to remote users and cloud-based AI platforms.
Enabling tools with built-in privacy and security features, and monitoring the flow of data within the organization, are recommended strategies for addressing shadow AI. In certain highly sensitive operations, an outright ban on shadow AI may be necessary, but for the majority of organizations, a combination of policies, education, and offensive and defensive security strategies is more suitable.
Despite the challenges posed by shadow AI, embracing AI is essential. According to Upchurch, failure to do so may result in competitors using AI to gain an advantage.