Back to Blog
Technical

Shadow AI: The Hidden Compliance Risk You Cannot Ignore

April 8, 20266 min read

Shadow AI: The Hidden Compliance Risk You Cannot Ignore

Your developers use ChatGPT to write code. Your sales team uses Grammarly to polish emails. Your HR team uses an AI tool to screen CVs. Your customer support agents use Copilot to draft responses.

In most companies, none of these tools are formally registered, risk-assessed, or approved. Many process personal data from your customers. Some make consequential decisions. And under the EU AI Act, you — the company — are responsible for all of them.

This is Shadow AI: AI tools used in your organisation that are not officially sanctioned, tracked, or assessed.

Why Shadow AI Is a Compliance Problem

The EU AI Act applies to deployers — companies that use AI systems in a professional context. If your employee uses an AI tool to screen job applications, and that tool is not registered, risk-assessed, or disclosed to candidates, you are violating Article 13 (transparency) and potentially Article 14 (human oversight) regardless of who built the tool.

You cannot outsource the compliance obligation to the AI vendor. The vendor is the provider*; you are the *deployer. Your obligations are separate.

Specific risks:

  • Annex III exposure — An employee using an AI tool for a high-risk purpose (HR decisions, customer scoring) creates unregistered high-risk AI use
  • Article 13 violations — Candidates and customers must be told when AI affects decisions about them
  • Article 14 violations — High-risk AI decisions require documented human oversight
  • GDPR intersection — Most Shadow AI tools process personal data without a proper DPA
  • What Shadow AI Looks Like in Practice

    These are real categories of Shadow AI found in typical technology companies:

    Development tools:

  • GitHub Copilot, Cursor, Tabnine, CodeWhisperer
  • ChatGPT/Claude for code generation and debugging
  • AI-powered code review tools
  • HR and recruitment:

  • AI CV screening tools (HireVue, Pymetrics, Workday AI)
  • LinkedIn Recruiter AI suggestions
  • AI note-taking in interviews (Otter.ai, Fireflies)
  • Customer-facing:

  • AI chatbots added by individual teams without procurement approval
  • AI-powered email personalisation
  • Sentiment analysis tools
  • Productivity tools:

  • Grammarly (processes all communications)
  • Notion AI, Microsoft Copilot, Google Duet
  • AI-powered translation tools processing customer data
  • How to Find Shadow AI in Your Organisation

    Step 1: Scan your codebase

    Look for AI library imports across all repositories. The packages to flag include:

  • OpenAI: openai, langchain, openai-python
  • Hugging Face: transformers, diffusers, datasets
  • ML frameworks: tensorflow, torch, sklearn, keras
  • Specialised AI: face_recognition, deepface, whisper
  • Guardia AI's Shadow AI Scanner does this automatically across GitHub organisations.

    Step 2: Survey your teams

    Ask each team to list AI tools they use. Specifically: what data does the tool process? Does it affect decisions about customers or employees?

    Step 3: Audit procurement

    Check SaaS subscriptions and expense claims for AI tools that bypassed IT/legal review.

    Step 4: Check browser extensions

    Browser extensions with AI capabilities (Grammarly, ChatGPT web extensions) are particularly invisible to traditional IT monitoring.

    What to Do Once You Find It

    For each Shadow AI tool found:

    1. Classify the risk level — Does it fall under Annex III? Does it affect people?

    2. Assess the data it processes — Personal data? Special category data?

    3. Either register and document it — Add it to your AI inventory, assess it under the EU AI Act, update disclosures to affected individuals

    4. Or prohibit and remove it — If the risk is too high and you cannot properly assess it, block it

    Building an AI Governance Policy

    The best long-term fix for Shadow AI is an AI Acceptable Use Policy that:

  • Defines which AI tools are approved for each use case
  • Requires registration of new AI tools before use
  • Specifies which data types can be processed by AI tools
  • Creates a clear approval process for new AI tools
  • Scan your codebase for Shadow AI →