Shadow AI and Shadow IT: The Hidden Cyber Risks Every Business Needs to Manage 

Uncontrolled software usage — from personal Dropbox accounts to unapproved AI tools — is one of the fastest-growing cybersecurity threats facing small and midsize businesses today. Known as Shadow IT, these unauthorized tools create blind spots for IT teams, expose sensitive data, and increase the risk of compliance violations. 

But as AI becomes woven into nearly every business application, a new and even riskier variant has emerged: Shadow AI — the use of unsanctioned artificial intelligence tools like ChatGPT, Gemini, or Copilot without corporate oversight or data governance. 

During IronEdge Group’s recent webinar, “Shadow IT & SaaS Sprawl: Managing Hidden Cyber Risks,” I spoke with our panel of experts — Rob Foit (Director of Security, IronEdge Group), Dave Groot (Security Advisor, Galactic Advisors), and Jackson Stevens (Attorney, Galactic Advisors) — and together we unpacked the growing impact of Shadow IT and Shadow AI, sharing real-world examples and best practices for reducing risk. 

 

What Is Shadow IT — and How Is Shadow AI Different? 

Shadow IT refers to any hardware, software, or cloud service used without the knowledge or approval of the IT department. Think of employees sharing files through personal Google Drive accounts, managing projects in unapproved SaaS tools, or using personal laptops for work. 

Shadow AI, on the other hand, extends this concept into the realm of artificial intelligence. It’s when employees feed sensitive data into public AI models — like ChatGPT or Copilot — to “speed up” tasks, unaware that their inputs could be stored, shared, or used to train large language models. 

As Dave Groot noted, “AI has its tendrils in everything — it’s embedded in browsers, office suites, and mobile apps. If it’s not properly sandboxed or permissioned, you could be exposing sensitive data without realizing it.” 

 

Why Shadow IT and Shadow AI Are Growing Risks for SMBs 

  1. Data Exposure and Compliance Failures

     Jackson Stevens shared that when employees input private data — contracts, customer information, or even internal strategy notes — into public AI tools, that information can become part of the tool’s broader training model. “This isn’t hypothetical,” he cautioned. “Companies like Samsung have already seen proprietary code and meeting notes exposed publicly after being entered into AI systems.”

     The financial risk is equally alarming. According to IBM’s 2025 Cost of a Data Breach Report, organizations using unsanctioned AI tools add an average of $670,000 to the cost of a breach. Worse yet, 63% of organizations have no AI governance in place, and 97% lack basic access controls — conditions that make AI cybersecurity risks particularly severe for SMBs.

  2. Expanded Attack Surface

     From a technical standpoint, every unapproved SaaS or AI tool increases your organization’s attack surface — the total number of possible points where unauthorized users could access your systems.

     As Rob Foit explained, “If your IT team doesn’t know an app exists, they can’t secure it. A single employee using an unsanctioned file-sharing tool can unintentionally put sensitive business or client data in the wrong hands.”

     Unmonitored SaaS tools can also create compliance violations, especially in regulated industries like healthcare or finance. Even something as simple as storing customer records in an unauthorized app can trigger HIPAA or PCI DSS penalties.

  3. Human Error and Misconfiguration

     Most breaches linked to Shadow IT and Shadow AI don’t happen because of sophisticated attacks — they stem from human error and misconfiguration.

     Employees who use personal devices or mobile apps for work may unknowingly sync corporate data to personal cloud storage like iCloud or Google Drive. “That’s where private data, even photos, can become exposed during a breach,” said Stevens. “We’ve seen everything from trade secrets to executive payroll details leak this way.” 

 

The Legal and Insurance Fallout of Shadow AI 

Shadow AI also presents new legal and regulatory challenges. Stevens highlighted pending updates to the California Consumer Privacy Act (CCPA) that would require mandatory disclosures when businesses use AI-driven decision-making tools. Other industries — from healthcare to finance — are expected to follow with their own AI-specific rules. 

Cyber insurance is another area of concern. “We’re already seeing insurers carve out exceptions for AI-related breaches,” Stevens warned. “They’re asking clients to sign addendums stating AI-enabled incidents aren’t covered. That leaves a massive liability gap for businesses.” 

 

How to Regain Visibility and Control 

The first step in managing Shadow IT and Shadow AI is visibility. Businesses need to know what apps — and AI platforms — employees are actually using. 

Rob Foit explained that modern tools like DNS filtering and application discovery platforms can help IT leaders identify unsanctioned software and websites. “When we ran an internal audit,” Foit said, “we found that 40% of employee devices were accessing AI-based sites. Most organizations are probably seeing similar numbers.” 

 

Best Practices for Managing Shadow IT and Shadow AI 

 

  1. Conduct Regular Application Audits
     Use network monitoring or AI discovery tools to detect unauthorized apps or data flows.

  2. Establish AI Governance Policies
     Define clear guidelines on what data employees can input into AI tools and which platforms are approved.

  3. Create an App Approval Process
     Encourage employees to request new tools through IT instead of bypassing them.

  4. Educate Employees on Risks
     Awareness training should include examples of how AI data leaks occur.

  5. Implement Multi-Layered Security
     Protect endpoints with MFA, access controls, and encryption.

  6. Offer Secure Alternatives
     If you ban certain tools, provide company-approved replacements that meet productivity needs (e.g., Microsoft 365 with Copilot governance).
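The application audit that Rob Foit describes (DNS filtering logs showing which devices reach AI-based sites) and best practice 1 above both come down to the same check: compare what your resolver logs say employees are contacting against what IT has approved. The script below is an added example written for this post, not IronEdge Group’s tooling or any vendor’s product. It parses a handful of constructed DNS query log lines (timestamp, device name, record type, queried name), classifies each queried name by matching it and its parent domains against illustrative AI, SaaS and approved lists (all assumptions, not an authoritative inventory), and reports per-device findings plus the share of devices that touched an unsanctioned AI service, the same figure Foit quotes from his internal audit.

```python
"""Shadow IT / Shadow AI DNS-log audit (illustrative example, not vendor code)."""

# Illustrative category lists. These are assumptions for the example; a real
# audit would load an organization-specific inventory and approved-app list.
AI_DOMAINS = {"chat.openai.com", "gemini.google.com", "copilot.microsoft.com", "claude.ai"}
SAAS_DOMAINS = {"dropbox.com", "drive.google.com", "trello.com", "notion.so"}
APPROVED = {"copilot.microsoft.com", "sharepoint.com"}  # hypothetical sanctioned list

# Constructed sample log: "<timestamp> <device> <record-type> <queried-name>".
# These lines are made up for the example and are not real traffic.
SAMPLE_LOG = """\
2025-01-14T09:02:11Z LAPTOP-017 A chat.openai.com
2025-01-14T09:02:15Z LAPTOP-017 A sharepoint.com
2025-01-14T09:05:40Z LAPTOP-022 A copilot.microsoft.com
2025-01-14T09:06:01Z LAPTOP-031 A www.dropbox.com
2025-01-14T09:07:30Z LAPTOP-031 A api.trello.com
2025-01-14T09:08:02Z LAPTOP-044 A gemini.google.com
2025-01-14T09:09:17Z LAPTOP-058 A example.org
this line is malformed and should be skipped
"""


def parse_line(line):
    """Return (timestamp, device, qname) for a well-formed line, else None."""
    fields = line.split()
    if len(fields) != 4:
        return None
    timestamp, device, _record_type, qname = fields
    return timestamp, device, qname.lower().rstrip(".")


def classify(qname):
    """Classify a queried name by checking it and every parent domain.

    'www.dropbox.com' is checked as 'www.dropbox.com', then 'dropbox.com',
    then 'com', so a subdomain inherits its parent's category. Approved
    entries win over the AI/SaaS lists so sanctioned tools are not flagged.
    """
    labels = qname.split(".")
    candidates = [".".join(labels[i:]) for i in range(len(labels))]
    if any(c in APPROVED for c in candidates):
        return "approved"
    if any(c in AI_DOMAINS for c in candidates):
        return "unsanctioned_ai"
    if any(c in SAAS_DOMAINS for c in candidates):
        return "unsanctioned_saas"
    return "other"


def audit(log_text):
    """Aggregate findings per device and summarize unsanctioned AI usage."""
    per_device = {}
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue  # skip malformed lines rather than abort the audit
        _, device, qname = record
        per_device.setdefault(device, {}).setdefault(classify(qname), set()).add(qname)

    ai_devices = sorted(d for d, cats in per_device.items() if cats.get("unsanctioned_ai"))
    saas_devices = sorted(d for d, cats in per_device.items() if cats.get("unsanctioned_saas"))
    total = len(per_device)
    return {
        "devices": total,
        "ai_devices": ai_devices,
        "saas_devices": saas_devices,
        "ai_device_pct": round(100.0 * len(ai_devices) / total, 1) if total else 0.0,
        "findings": {d: {c: sorted(q) for c, q in cats.items()} for d, cats in per_device.items()},
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print(f"{report['devices']} devices seen; "
          f"{report['ai_device_pct']}% reached unsanctioned AI services")
    for device, cats in sorted(report["findings"].items()):
        for category, names in sorted(cats.items()):
            if category != "approved":
                print(f"  {device:<12} {category:<18} {', '.join(names)}")
```

On the constructed sample, two of five devices reach an unsanctioned AI service, which is the 40% Foit mentions; on real resolver logs the value is whatever your environment shows. The point of the approved-first ordering in `classify` is that a governed tool such as Copilot should drop out of the report once it is sanctioned, so the audit measures the gap between policy and behaviour rather than raw AI usage.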

 

A Culture Shift: Turning Awareness Into Action 

Completely eliminating Shadow IT is unrealistic, but reducing its risks starts with a culture of transparency and accountability. 

“Make it easy for employees to ask before they act,” said Dave Groot. “Have a defined process for approving new tools — especially AI — and ensure your security or compliance team is always part of the conversation.” 

Rob Foit agreed: “Every time your organization signs up for new software or AI services, ask three questions — Where does the data live? Who has access to it? And how soon will we be notified if there’s a breach?” 

 

The Future of Shadow AI 

While Shadow IT has been around for decades, Shadow AI is the next major cybersecurity frontier. Every software vendor now touts AI capabilities — whether you asked for them or not. 

From Adobe Acrobat’s embedded AI suggestions to automated meeting transcriptions in Teams or Zoom, “AI is already inside the tools you use every day,” Stevens noted. “If your organization doesn’t know how those features use your data, you’re already exposed.” 

 

Key Takeaways for SMB Leaders 

 

  1. You can’t manage what you can’t see. Start by identifying all applications — including AI tools — in use across your organization.
  2. Policies and governance matter. Even simple guardrails dramatically reduce AI cybersecurity risks.
  3. Don’t ignore the human factor. Train teams to understand why security protocols exist.
  4. Work with a proactive MSP. A trusted partner like IronEdge Group can provide the visibility, tools, and governance frameworks needed to protect your business. 

 

Ready to Address Shadow IT and Shadow AI? 

IronEdge Group helps businesses regain control over their IT environments with proactive monitoring, AI governance, and cybersecurity best practices tailored for SMBs. We are proud to be one of the first managed service providers (MSPs) in the nation to offer a comprehensive, enterprise-grade approach to AI adoption and governance for small and mid-sized businesses. 

Our ManagedAI™ solution, IronAI™, provides structure, visibility, and security, so businesses can safely harness tools like ChatGPT™, Copilot®, and Gemini™ without exposing sensitive data or undermining compliance, while fully leveraging AI across the organization to enhance efficiency, improve decision making, and strengthen business outcomes. 

Schedule a consultation to learn how we can help you uncover hidden risks, strengthen your defenses, and turn technology into a competitive advantage. 
