Shadow AI: The Hidden Compliance Risk You Cannot Ignore
Shadow AI: The Hidden Compliance Risk You Cannot Ignore
Your developers use ChatGPT to write code. Your sales team uses Grammarly to polish emails. Your HR team uses an AI tool to screen CVs. Your customer support agents use Copilot to draft responses.
In most companies, none of these tools are formally registered, risk-assessed, or approved. Many process personal data from your customers. Some make consequential decisions. And under the EU AI Act, you — the company — are responsible for all of them.
This is Shadow AI: AI tools used in your organisation that are not officially sanctioned, tracked, or assessed.
Why Shadow AI Is a Compliance Problem
The EU AI Act applies to deployers — companies that use AI systems in a professional context. If your employee uses an AI tool to screen job applications, and that tool is not registered, risk-assessed, or disclosed to candidates, you are violating Article 13 (transparency) and potentially Article 14 (human oversight) regardless of who built the tool.
You cannot outsource the compliance obligation to the AI vendor. The vendor is the provider*; you are the *deployer. Your obligations are separate.
Specific risks:
What Shadow AI Looks Like in Practice
These are real categories of Shadow AI found in typical technology companies:
Development tools:
HR and recruitment:
Customer-facing:
Productivity tools:
How to Find Shadow AI in Your Organisation
Step 1: Scan your codebase
Look for AI library imports across all repositories. The packages to flag include:
Guardia AI's Shadow AI Scanner does this automatically across GitHub organisations.
Step 2: Survey your teams
Ask each team to list AI tools they use. Specifically: what data does the tool process? Does it affect decisions about customers or employees?
Step 3: Audit procurement
Check SaaS subscriptions and expense claims for AI tools that bypassed IT/legal review.
Step 4: Check browser extensions
Browser extensions with AI capabilities (Grammarly, ChatGPT web extensions) are particularly invisible to traditional IT monitoring.
What to Do Once You Find It
For each Shadow AI tool found:
1. Classify the risk level — Does it fall under Annex III? Does it affect people?
2. Assess the data it processes — Personal data? Special category data?
3. Either register and document it — Add it to your AI inventory, assess it under the EU AI Act, update disclosures to affected individuals
4. Or prohibit and remove it — If the risk is too high and you cannot properly assess it, block it
Building an AI Governance Policy
The best long-term fix for Shadow AI is an AI Acceptable Use Policy that: