Shadow AI: The Biggest Item Missing From Your Risk Register
Ask a board how AI is used inside the institution and you will get a confident answer about the sanctioned platforms. Ask the employees and you will get a very different answer.
Ask a board how AI is used inside the institution and you will get a confident answer about the sanctioned platforms. Ask the employees and you will get a very different answer.
Ask a board how AI is used inside the institution and you will get a confident answer about the sanctioned platforms. Ask the employees and you will get a very different answer. Shadow AI, the unsanctioned use of consumer AI tools for company work, is now among the fastest-growing enterprise risks in the world, and most boards have no line of sight into it at all.
The numbers should concentrate minds. IBM\'s global breach analysis found that incidents involving shadow AI added hundreds of thousands of dollars to average breach costs, largely because nobody knew the exposure was there until it detonated (IBM, 2025). MIT\'s research into enterprise AI found the overwhelming majority of official corporate pilots delivering no measurable return, even as employees quietly ran their real work through personal accounts (MIT NANDA, 2025). Put those two findings together and the picture is stark. The governed AI is failing while the ungoverned AI is scaling.
For boards, the danger is not primarily data leakage, serious as that is. The deeper threat is epistemic. When analysis flows through tools the institution cannot see, the board loses the ability to know how its own conclusions were formed. Decisions arrive in the boardroom carrying synthetic authority: coherent and confident, yet impossible to trace. In my research across 6,000 executive leaders, this untraceability is the defining feature of the quiet failure. Nothing announces itself. The institution simply loses custody of its own reasoning, one personal login at a time.
I was talking with a senior executive at a large technology firm in New York City who told me, almost proudly, that his best strategic thinking now happened in a consumer chatbot on his personal account at night, away from the friction of the corporate system. He meant it as a story about productivity. I heard it as a story about exposure. His most sensitive strategic reasoning was sitting outside every control his own board believed it had in place, and he had no idea that was a problem. He was not reckless. He was simply doing what every capable, time-poor leader does, which is precisely why prohibition will never work.
The reflex is to ban the tools. That reflex fails, because the tools are too useful and the ban is unenforceable. People do not use shadow AI to break the rules. They use it because the sanctioned path is slower, and no policy has ever beaten convenience over the long run.
The Board AI Index places most boards at level two of five: Alert. Shadow AI is the clearest illustration of what Alert means in practice. The risk is acknowledged in the minutes and unmanaged in the building.
My recommendation is singular. Commission a shadow AI census before your next strategy cycle, anonymised so that people tell the truth, and put the findings in front of the full board rather than the audit committee alone. You cannot govern what you refuse to see, and a board that does not know where its institution actually thinks cannot claim to govern how it decides.
For Board Advisory, Strategic Consulting, Keynote Speaking or Private Executive Advisory enquiries, please write with a short note on the decision, audience or transformation context. Suitable engagements are shaped through an initial private conversation.