Shadow AI is the AI your company is paying for that nobody in leadership knows about.
What Is Shadow AI?
It's the ChatGPT Plus subscription your marketing director expensed. The Copilot license a team lead bought without IT approval. The Claude Pro account three engineers signed up for individually. Each one is $20-$40/month. Multiply by 15-30 employees doing the same thing across departments, and you're looking at $5,000-$15,000/year in AI spend that doesn't appear in any budget.
Why Is Shadow AI Dangerous?
It's not just cost. It's risk. An employee using free ChatGPT on client data is sending that data to OpenAI's servers. A lawyer drafting briefs in an unvetted AI tool may be violating client confidentiality. A recruiter pasting resumes into an AI summarizer may be creating a compliance liability.
You can't govern what you can't see.
How Do You Find Shadow AI in Your Organization?
Three approaches, in order of difficulty:
- Expense report audit — search for charges from OpenAI, Anthropic, Google, Jasper, Midjourney, Cursor, Copilot. This catches credit card purchases but misses free-tier usage.
- Browser-level detection — tools like the Proof Sensor passively detect which AI tools employees visit, capturing metadata without content. This finds everything, including free tools.
- Employee survey — ask directly. Fast but unreliable — people underreport because they don't think of AI tools as "AI tools."
What Should You Do About Shadow AI?
Don't ban it. Govern it. Create an approved tools list. Standardize on 2-3 AI tools instead of 15. Write a usage policy. And audit quarterly — because shadow AI grows every month you don't look.
Based on patterns observed across Coriven Proof audits. [estimated]