AI tools are now woven into everyday work: they’re everywhere, remarkably intuitive, and they solve real pain points that existing systems and processes often ignore. It’s no surprise that people turn to them, especially when they offer a faster route around slow or cumbersome internal processes. Christina Lovelock MBCS explores.
Summary:
- Shadow AI is employee AI usage which is unmonitored or unauthorised by the organisation, often used to speed processes
- Unlike shadow IT, shadow AI usage doesn't leave a trail and is therefore difficult to manage
- Business analysts can help get to the bottom of why employees are using unauthorised AI and what needs they are using it to meet
- Real understanding of and investment in employee needs and workflows is the best and only way to truly tackle shadow AI
Shadow IT refers to the software, hardware and cloud services used inside an organisation without the knowledge or approval of the ‘IT department’. This use of technology lives in the shadows. It cannot be monitored or managed, which potentially opens up many risks — from business continuity to security vulnerabilities. Some people who introduce ‘unauthorised systems’ do it knowing they are subverting rules and procedures; others do it unthinkingly. From individuals plugging in local printers to employees subscribing to a wide range of SaaS products, it means procurement rules, financial controls and IT policies are all circumvented.
Partnerships
Shadow IT often leaves a paper trail: invoices, recurring payments on company credit cards, or direct contact from a supplier suggesting the organisation should move to an enterprise licence rather than ‘multiple individual accounts’. IT departments can use digital trails alongside paper trails to detect and prevent unauthorised technology use. By working in partnership with procurement, finance, HR and L&D teams, many IT departments have reduced both the opportunity to do the wrong thing and the possibility that anyone can say they didn’t know it was wrong.
Shadow AI
Unlike shadow IT, shadow AI often leaves no financial or technical footprint — it’s primarily a behavioural and workflow phenomenon. Employees are using personal devices and personal accounts. They are willing to spend their own money to access the perceived benefits of their preferred AI tool. Shadow AI includes any situation where people use AI tools, prompts or outputs in ways the organisation cannot see, control, or assess for risk.
The risks of Shadow AI are immediate, invisible and often irreversible:
- Data leakage into external models
- Loss of control over where information is stored or used
- Model training risks (such as data becoming part of future outputs)
- Inconsistent or unverified decision making
- Regulatory and contractual breaches (including GDPR, IP and copyright)
- Erosion of trust between teams and IT/security
- Inability to audit or explain decisions influenced by AI
Some employees are not aware of these risks, others underestimate the risk against the immediate short-term benefit.
Shadow AI isn’t a technology problem
People use unauthorised AI tools because:
- They are under pressure
- They want to be more efficient
- They don’t understand the risks
- They have already built skills and familiarity
- The organisation hasn’t provided safe, usable alternatives
- Policies are unclear, unrealistic or written in a way no one can actually follow, or they focus on prohibiting activities rather than enabling employees to work in a safe and suitable way
This provides a clear opportunity for business analysis to make a significant contribution. BAs have the skills and tools to build trust, ask the right questions and get to the heart of business needs.
Policy is not protection
An AI usage policy is a useful starting point, but it is nowhere near sufficient protection for most organisations. Policies can set expectations, but they can’t keep pace with how quickly people discover new tools or new shortcuts.
Real assurance comes from understanding how people actually work. When organisations listen to staff, invest in learning and encourage open knowledge sharing, they build confidence and capability rather than fear and avoidance. This creates a culture where people feel able to ask questions, raise concerns and use AI responsibly, not because a policy tells them to, but because they understand the risks and feel supported to make good decisions.
Conclusion
Rather than treating shadow AI as compliance failure, organisations can choose to see it as a signal: a clear indication of where business and user needs aren’t being met. Business analysts have a crucial role here; they can surface the underlying problems driving shadow AI, map the real workflows people are trying to optimise and work with IT, security and leadership to design safe, sanctioned solutions that genuinely support how work gets done.
About the author
Christina Lovelock is a digital leader, coach and author. She is active in the Business Analysis professional community and champions entry level roles. She is the author of the BCS books Careers in Tech, Data and Digital and Delivering Business Analysis: The BA Service Handbook.