Shadow AI Risks – The Impact on IT Teams

Shadow AI Risks

Let’s talk about Shadow AI risks and their impact on IT service management (ITSM). A year ago, IT departments could easily dismiss generative artificial intelligence (AI) tools as a “marketing experiment” because only a handful of AI writing tools were gaining popularity. Today, every department is trying a new AI tool (cough, OpenAI wrapper, cough) that promises to double their productivity, improve the quality of their work, and secure them a promotion.

Consider these common scenarios:

  • Sales is drafting prospect emails with a Chrome extension that promises to increase response rates by 5x.
  • Finance is feeding last quarter’s ledger into a public ChatGPT session for a “quick forecast.”
  • HR is using a new résumé-screening plug-in to rank candidates, aiming to find the perfect hire more quickly.
  • Engineering, chasing deadlines, is pasting proprietary code snippets into various “AI assistants” to debug and refactor.

None of these tools are integrated with your central identity provider. Why should they be? The creator of a new AI tool is not going to waste time supporting single sign-on (SSO) or System for Cross-domain Identity Management (SCIM) provisioning. They’re focused on building features that increase revenue. Security is likely an afterthought. We need to worry about Shadow AI risks.

This explosion in AI adoption, combined with AI tool vendors not prioritizing security, has created a significant IT challenge. We could debate about what to call it – disconnected applications, unmanaged apps, AI sprawl, Shadow AI risks, or something else – but IT can no longer ignore it.

You don’t have to take my word for it:

  • Generative AI adoption has doubled in just one year (2023–2024), reaching 65% of companies. (https://www.amplifai.com/blog/generative-ai-statistics)
  • Between March 2023 and March 2024, the amount of corporate data being fed into AI tools surged by 485%, and the share of sensitive data within those inputs nearly tripled, from 10.7% to 27.4% (TechAhead, May 13, 2025).
  • Exploding Topics notes that 92% of Fortune 500 firms have adopted generative AI, and 85% of business leaders expect to use generative AI for low-value tasks by the end of 2024.

Shadow AI risks are not tomorrow’s problem

The Shadow AI risks are here now, and they compound daily with each new AI-enthusiast employee and each new AI tool that promises the world.

  1. Offboarding and deprovisioning risk – every new AI app adopted by a team creates a new, permanent gap in your offboarding and deprovisioning processes. Given that most of these apps don’t support SCIM, your perfectly crafted workflows won’t be able to automatically deprovision users from these AI apps.
  2. Sensitive data exposure – confidential information, such as customer lists, financial projections, unreleased source code, and legal contracts, may flow freely into these unsanctioned AI apps. This data is often used to train the vendor’s models and can be permanently archived on their servers, far beyond IT’s control.
  3. Audit and compliance gaps – AI apps that don’t connect to your identity provider (IdP) create blind spots in auditability and compliance. This fragmentation results in incomplete audit trails, complicates incident investigations, and hinders the ability to demonstrate regulatory compliance.
  4. Financial waste and budget inefficiency – without centralized visibility, organizations often pay for unused or duplicate AI tools because they struggle to track actual usage. Beyond this, they could also be forced into auto-renewals because these tools were purchased without IT approval.

IT must adopt proactive AI governance

There’s no point fighting AI adoption (and Shadow AI risks) and the speed at which it’s happening. But this also doesn’t mean IT has to be a bystander, as it’s a major stakeholder. IT has to balance organizational security and efficiency while respecting the need for these AI tools.

If you’re an IT leader in an organization that’s rapidly adopting AI tools, here’s a 5-step approach that you can try today:

  1. Map your AI inventory – clichéd, but true – you can’t manage what you don’t measure. Start with an inventory of AI tools by analyzing credit card expense reports, auditing OAuth permissions and browser extensions, and checking DNS logs.
    Actionable tip: You don’t need to invest in a Shadow IT tool just for this. Stitchflow’s free Shadow IT scanner can be used to discover all the tools your employees are using.
  2. Prioritize apps based on risk – identify which apps handle the most sensitive data and which ones have widespread access with weak privileges. For example, don’t worry too much about the 20 different tools that marketing uses, but definitely take a closer look at the one tool finance uses.
    Actionable tip: Start with a simple classification matrix to score applications based on parameters that are most important to you.
  3. Remediate critical issues instantly – once you’ve done the first two steps, you will have an action plan. It typically involves deprovisioning users who no longer need access to the tools (e.g. ex-employees, contractors, and service accounts) or removing access from apps that pose a high risk to your IT environment.
    Actionable tip: Before removing apps with active usage, consult the team that uses them to ensure it has backed up the necessary information from the tool.
  4. Set up continuous discovery mechanisms – new Shadow AI tools will pop up every week. Set up alerts to detect when new AI tools are being expensed or when new OAuth grants appear.
    Actionable tip: Establish internal processes to vet new vendors before onboarding, but remember that teams may bypass IT.
  5. Educate and empower users – train employees to recognize risky AI tools and establish a straightforward process for them to engage with IT before adopting a new tool.
    Actionable tip: Encourage users to share the new tools they’re using and discovering with everyone. It gives organization-wide visibility and, more importantly, gives you visibility as well 😉
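To make steps 1, 2 and 4 concrete, here is an added example script (not code from the original post or from Stitchflow) that runs the discovery sources named above over constructed sample data: an expense export, two weekly OAuth grant snapshots from the identity provider, and a DNS resolver log. It merges them into an inventory, scores each app with a small classification matrix, and raises an alert for AI-tool grants that appeared since the last snapshot. Every domain, merchant string, user, IP address, scope name and matrix weight in it is constructed or assumed for illustration; an IT team would substitute its own vendor catalogue and weights.

```python
"""Shadow AI discovery and triage over constructed sample data.

Added example for the post's steps 1, 2 and 4; not code from the original
article or from Stitchflow. Every domain, merchant string, OAuth grant and
DNS line below is constructed for illustration.
"""

# Step 1 inputs: catalogues an IT team maintains itself (constructed here).
AI_DOMAINS = {
    "chat.openai.com": "ChatGPT",
    "draft-ai.example": "DraftAI (constructed)",
    "resume-ranker.example": "ResumeRanker (constructed)",
}
MERCHANT_KEYWORDS = {
    "OPENAI": "ChatGPT",
    "DRAFTAI": "DraftAI (constructed)",
    "RESUME RANKER": "ResumeRanker (constructed)",
}
AI_TOOL_NAMES = set(AI_DOMAINS.values()) | set(MERCHANT_KEYWORDS.values())

# Constructed expense export: date,card_holder,merchant,amount
EXPENSES = """2025-05-02,j.doe,OPENAI*CHATGPT SUBSCR,20.00
2025-05-03,a.lee,DRAFTAI INC,49.00
2025-05-04,m.chen,AMAZON WEB SERVICES,312.55
2025-05-05,r.khan,RESUME RANKER LTD,99.00"""

# Constructed OAuth grant exports from the identity provider: (user, app, scopes)
GRANTS_LAST_WEEK = [
    ("a.lee", "DraftAI (constructed)", ["gmail.readonly", "contacts"]),
    ("m.chen", "Slack", ["chat:write"]),
]
GRANTS_THIS_WEEK = GRANTS_LAST_WEEK + [
    ("r.khan", "ResumeRanker (constructed)", ["drive.readonly", "profile"]),
]

# Constructed DNS resolver log: timestamp client domain
DNS_LOG = """2025-05-02T09:14:01 10.0.4.12 chat.openai.com
2025-05-02T09:15:22 10.0.4.19 draft-ai.example
2025-05-02T09:16:03 10.0.4.12 updates.example.net
2025-05-02T09:17:45 10.0.4.31 resume-ranker.example"""


def build_inventory(expenses, grants, dns_log):
    """Step 1: merge the three discovery sources into {tool: {source: set(who)}}."""
    inventory = {}

    def add(tool, source, who):
        inventory.setdefault(tool, {}).setdefault(source, set()).add(who)

    for line in expenses.splitlines():
        _date, holder, merchant, _amount = line.split(",")
        for keyword, tool in MERCHANT_KEYWORDS.items():
            if keyword in merchant.upper():
                add(tool, "expense", holder)
    for user, app, _scopes in grants:
        if app in AI_TOOL_NAMES:
            add(app, "oauth", user)
    for line in dns_log.splitlines():
        _ts, client, domain = line.split()
        if domain in AI_DOMAINS:
            add(AI_DOMAINS[domain], "dns", client)
    return inventory


# Step 2: a small classification matrix. The weights are an assumption; tune them.
BROAD_SCOPES = {"gmail.readonly", "drive.readonly", "contacts"}


def scope_breadth(scopes):
    """3 = reads mail/files/contacts, 2 = identity only, 1 = no delegated data."""
    if BROAD_SCOPES & set(scopes):
        return 3
    return 2 if scopes else 1


def risk_score(data_sensitivity, scopes, supports_scim, user_count):
    """Higher is worse. data_sensitivity: 1 (public) .. 3 (finance/HR/source code)."""
    score = 3 * data_sensitivity + 2 * scope_breadth(scopes)
    if not supports_scim:
        score += 3  # offboarding must be manual, so access tends to linger
    if user_count >= 10:
        score += 1
    return score


def risk_tier(score):
    return "critical" if score >= 12 else "high" if score >= 8 else "low"


def new_grants(previous, current):
    """Step 4: alert on AI-tool (user, app) pairs that appeared since the last snapshot."""
    seen = {(user, app) for user, app, _ in previous}
    return [g for g in current if (g[0], g[1]) not in seen and g[1] in AI_TOOL_NAMES]


if __name__ == "__main__":
    inv = build_inventory(EXPENSES, GRANTS_THIS_WEEK, DNS_LOG)
    for tool, sources in sorted(inv.items()):
        print(tool, {s: sorted(v) for s, v in sources.items()})
    for user, app, scopes in new_grants(GRANTS_LAST_WEEK, GRANTS_THIS_WEEK):
        # Treat an HR résumé tool as handling sensitive data (sensitivity 3), no SCIM.
        print("ALERT new AI grant:", user, app, risk_tier(risk_score(3, scopes, False, 1)))
```

Run as-is, the script lists three AI tools with the sources that revealed each (Slack and AWS are ignored because they are not in the catalogue) and raises one alert for the résumé-ranking grant that is new this week, which the matrix rates critical because it reads Drive data, touches HR information and cannot be deprovisioned via SCIM. Tying the alert to the score is what lets step 4 feed step 3: new grants to low-tier tools can wait for the weekly review, critical ones go straight to the team that owns them.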

IT’s usually perceived as a gatekeeper when it comes to innovation and adoption of new tools, and for good reason. But IT likely cannot stop employees from signing up for new tools. The strategy for IT should be to manage the risks associated with these tools while employees unlock benefits and increased productivity.

Ultimately, Shadow AI risks cannot be stopped; it’s foolish to even try. They can only be managed.

Sanjeev NC
Independent Content Creator at Freelance

Sanjeev NC started his career in IT service desk and moved to ITSM process consulting, where he has led award-winning ITSM tool implementations. Sanjeev was also a highly commended finalist for Young ITSM Professional of the Year in itSMF UK’s annual awards. Sanjeev is currently creating IT content for Stitchflow, a platform that takes a visibility-first approach to IT automation.
