Shadow AI Isn’t the Problem—Your Response Might Be
Bas van Kaam
Principal Technical Trainer 🎓 & Content Creation / Field CTO at Nerdio. Tech Whisperer. Trainer of Mortals. Professional Overexplainer.
When generative AI tools like ChatGPT, Microsoft Copilot, and DALL·E first started popping up in daily workflows, most IT departments had the same reaction (and maybe still do) they once had to Dropbox, Trello, and WhatsApp in the enterprise: surprise, followed by concern. Once again, users had found something useful, and once again, they started using it before IT even had a chance to vet it.
Sound familiar?
That’s because it is. This isn’t a new problem, it’s an old one. In my upcoming book (available in Dutch, soon in English), I explore the gap between business and IT. A gap that, if left unaddressed, leads to one of the most persistent phenomena in modern organizations: Shadow IT.
What we’re seeing today is that same dynamic, only now applied to AI tools. Welcome to the era of Shadow AI.
What Is Shadow AI?
Shadow AI is the unofficial, unmanaged, and often invisible use of generative AI tools in the workplace. Think of it as the successor to Shadow IT, but even harder to track and much faster to spread.
It doesn’t show up as installed software or rogue SaaS subscriptions. Instead, it lives in browser tabs, Microsoft 365 integrations, Outlook sidebars, Power Automate scripts, and AI bots stitched into day-to-day workflows.
But here’s the thing: it’s not the enemy. Like Shadow IT before it, Shadow AI is a signal—a symptom of a deeper need that IT hasn’t yet addressed. And if we stop long enough to listen to what it’s really telling us, we’ll uncover a powerful opportunity to realign IT and the business.
Shadow AI Is a Symptom, Not the Root Problem
Whenever people start reaching outside the walls of “managed” IT, it’s tempting to react with control. Shut it down. Block the site. Lock the feature. Send a policy reminder.
But that’s a short-term fix that misses the bigger picture.
People turn to Shadow AI tools for a reason: they’re under pressure. They’re trying to be more productive, get answers faster, automate repetitive tasks, or find creative ways around inefficient systems. And the tools they’ve discovered? They work. At least well enough to justify the risk.
This is why I argue that Shadow AI, like Shadow IT, should be treated as early-stage feedback, not rebellion. It's insight into what your users need right now, before you've delivered it.
Framework to Shadow AI
In my book, I lay out several strategies for closing the gap between business and IT. These strategies aren’t just abstract theory—they’re based on real-world enterprise and cloud transformation projects across industries. And now, can apply more than ever to Shadow AI as well.
Let’s explore them—updated for the world we’re in today.
Start with Dialogue, Not Directives
Most failed IT initiatives have one thing in common: they were done to the business, not with the business.
One of the biggest mistakes IT leaders make when reacting to Shadow AI is jumping straight to enforcement. Block ChatGPT. Disable Copilot. Add new monitoring policies. And while governance matters (we’ll get there), it’s not where you begin.
You start by talking. Not just with execs or compliance teams, but with the users actually experimenting with AI.
Ask: Why did you start using these tools? What were you trying to simplify or solve? What’s working well? What isn’t? What would a secure, supported version of this workflow look like?
However, don’t treat these conversations as interrogations. Treat them as co-design sessions. If you listen with intent and follow up with action, people will start trusting IT as a partner—not a blocker. The utopia, the ultimate goal.
Involve your Employees in Shaping the AI Strategy
Too often, strategies are developed in isolation and then “rolled out” with top-down training. But the best way to gain adoption is to give people ownership from day one.
Shadow AI users are already your pioneers. Turn them into AI Ambassadors: - Involve them in early Copilot or Azure OpenAI pilots. Better yet, make sure to start these pilots as soon as you can, Ai is here to stay and you will have to deal with it sooner or later, that is an absolute fact. It’s worth the money and effort. Have them build prompt templates or AI workflows that others can use. Let them co-create the "AI usage playbook" with IT and compliance.
Important: Spotlight their success stories to build internal momentum.
If the first time people hear about the new policy is when it's emailed to them, you’ve already lost. But if they help build the policy, they’ll help enforce it too.
Build a Continuous Feedback Loop
AI isn’t static. Tools evolve. Risks emerge. Organizational needs shift. So if your strategy is built on a one-time survey or launch plan, it’s already outdated.
You need a living feedback loop.
Consider: A monthly “AI Pulse” update shared across departments—highlighting usage stats, wins, blockers, and upcoming changes. Embedding feedback forms or a Teams chatbot where users can ask questions, share concerns, or report success stories in real-time. What’s better than having Ai answering questions about Ai? Hosting quarterly “AI Show & Tell” sessions across departments, where users demo how they’re using generative AI to solve real problems.
And above all: close the loop. Show what feedback was received, what action was taken, and how people’s input is shaping the strategy. It builds trust and keeps everyone moving in sync.
Build Guardrails, Not Walls
Let’s be clear: AI use in the enterprise must be governed. But governance doesn’t mean shutting it down, it means guiding it safely.
The best way to do that is by providing clear, visible, and flexible guardrails. And today, those guardrails are not theoretical, they’re fully supported by Microsoft tooling and other solutions, like Nerdio (hey how did that make it in here :). Here are a couple of, relatively simple examples to start with.
When combined, these tools let you say: Yes, you can use AI, but here’s how to do it safely, responsibly, and in alignment with company goals.
Don’t Just Block AI, Discover It
Many organizations are surprised when they realize how much AI use is already happening under the radar. That’s why governance isn’t just about control, it’s also about visibility.
Before you decide what to allow or block, you need to know what’s actually being used today.
Several tools already in your Microsoft stack can help you discover Shadow AI usage, even if no policy has been applied yet:
By using these tools in discovery mode first, you can build a policy around real behavior, not assumptions.
Recognize Shadow AI as a Strategic Signal
If you discover that Shadow AI use is happening in your organization, don’t panic. Don’t punish. Pay attention.
Because what you’re seeing isn’t rule-breaking—it’s resourcefulness.
Shadow AI shows that your teams are:
This is exactly where innovation happens, not in steering committees or rollout meetings, but quietly, behind the firewall. In the hands of people solving real problems, using whatever tools they can find.
Instead of starting your AI strategy from scratch, start from what’s already working:
This data becomes the foundation of your enterprise AI policy. Real input. Real context. Real value. It’s already there, use it wisely.
This Is the Moment to Bridge the Gap, Again
We’ve been here before. Shadow IT was our first wake-up call (and we still run into it, daily). Shadow AI is our second, get a head start.
If you approach Shadow AI with empathy, curiosity, and structure, you don’t just close the gap, you turn it into a strategic advantage.
Because AI isn’t just another technology. It’s a shift in how we think, create, and work. And the faster we respond together, the stronger we move forward.
After all, some of the most important innovation in your organization is already happening. right now, behind the firewall.