Shadow AI is the new BYOD. Here’s what you can do about it

July 29, 2025

Shadow AI can create all kinds of compliance and data security nightmares.

(Credits: ImageFlow/Shutterscotk)

Remember the “bring your own device” (BYOD) gold rush, when everyone from the CEO to the new intern toted their own phones, tablets, and laptops into the workplace? Or how about the SaaS apps rogue departments were onboarding without IT approval or even your knowledge? IT teams learned (often the hard way) that freedom came with risk: data leaks, rogue apps, and compliance headaches.

Welcome to the rerun, now starring shadow AI, or “bring your own AI” (BYOAI), where users are leveraging the latest generative AI tools outside company oversight—with potentially disastrous results. Here’s what’s happening, why it’s such a nightmare, and what savvy IT professionals can do to rein in these AI stray cats before they claw up your business.

Shadow AI: The data leak you didn’t see coming

Just when you thought you’d plugged every USB vulnerability and whitelisted every cloud storage app, the rise of generative AI opened a big, shiny new door for sensitive company data to stroll right out. Employees—often with the best of intentions—are pumping confidential information (think: strategy docs, customer data, code, or even full legal contracts) into AI tools like ChatGPT, Copilot, and others. They’re looking for speed, productivity, and a little bit of digital magic. The problem? They’re unwittingly putting intellectual property, trade secrets, and regulated data at the mercy of third-party systemsOpens a new window , none of which you control.

A recent surge hammers home the point: Uploads of data to generative AI tools exploded by 485% globally between March 2023 and March 2024, as reported by CyberhavenOpens a new window . Exposed information isn’t just at risk of accidental leaks. Once that data enters external AI systems, it may be stored, used to train models, or even accessed by malicious actors, vendors, or your competitors.

The compliance nightmare: Regulatory crossfire, privacy landmines

Back in the BYOD days, data compliance meant mobile device management and encrypted apps. Today, it means untangling the legal spaghetti of AI regulations—especially as governments push out new rules faster than your team can say, “Is this GDPR compliant?” For example, the European Union’s new AI ActOpens a new window and regulations like GDPR are forcing companies to classify, safeguard, and audit sensitive data at every touchpoint, including how it’s shuffled, processed, and reused by AI.

Let’s not sugarcoat it: Compliance is now non-negotiable, with the cost of falling short running into the millions. Many risk catastrophic business impacts as regulatory frameworks become enforceable law—with cumulative penalties upwards of hundreds of millions of dollarsOpens a new window on US companies by the EU.

Real security threats: Not just theory, but practice

Stop thinking of AI security threats as futuristic. The hairy problems are already here:

Unintentional exposure: Employees paste “just this once” confidential data into AI tools, sometimes believing it’s ephemeral or private, only to find it retained or even regurgitated by the system later.
Model inversion and data extraction: Attackers can query AI models to reverse-engineer the data used for training, exposing personal, financial, or proprietary information.
Adversarial inputs and prompt injection: Clever inputs can manipulate the AI to leak data, perform restricted tasks, or simply bypass security controls—kind of like tricking a vending machine with a counterfeit coin.
Vendor risk: External AI providers may have their own vulnerabilities—or they may transfer risk back to you with the world’s most confusing service agreements.

Herding the AI cats: What IT pros can (and should) do now

Blocking all AI usage isn’t just impractical, it’s a recipe for mutiny and lost productivity. The answer isn’t a digital bonfire; it’s smart governance, user education, and technical guardrails. Here’s a framework on how to start taming the AI chaos:

Inventory and visibility: Know your loose cats

Map out existing AI workflows: Audit which AI tools are in use, both sanctioned and otherwise, across departments and teams. You can’t protect what you can’t see.
Deploy AI activity monitoring tools: Some solutions can “red-team” AI models to simulate leaks before they occur, identifying oversharing risks and connecting prompts with source content for full traceability.

Policy, access, and segmentation: Lock the right doors

Set up strong access controls: Use multi-factor authentication, role-based permissions, and context-aware access to keep unauthorized users out of your AI environment.
Network segmentation: Like putting the cats in separate rooms, isolating sections of the network limits blast radius if a leak or breach occurs.

Data hygiene: Don’t give AI what it shouldn’t have

Enforce data classification: Tag documents and data with sensitivity levels, and only allow the least amount of data necessary to interact with AI models. Do quarterly permission reviews and continuous policy audits.
Anonymization and pseudonymization: Before anything goes into an external AI, scrub it of individual identifiers or sensitive content whenever possible.

Technical guardrails: Automation is your friend

Automated red-teamingOpens a new window and logging: Use tools that simulate user interactions with AI to spot accidental leaks ahead of time, and keep robust logs for audit and forensic use.
Encryption, validation, and differential privacy controls: Encrypt data at rest and in transit, run input validation routines to block prompt injection, and use privacy-enhancing tech when training models.

Train your people: Culture eats policy for breakfast

User education programs: The majority of AI breaches stem from human error or ignorance, so regular, real-world scenario training is a must. Make it fun—think “cat herding 101,” but with less fur and more compliance checklists.
Clear escalation and response plans: Make sure users know exactly what to do (and who to tell) if they think they’ve shared something they shouldn’t have. Fast, open reporting lessens the blast radius.

Governance and compliance: Don’t play hide and seek with regulators

Appoint AI risk/compliance leads: Blend your technical and legal teams to bridge the knowledge gap between how AI works and what regulations demand.
Regular audits, reporting, and compliance documentation: Document everything—data flows, risk assessments, mitigation steps. You’ll thank yourself during the next audit or incident response.
Stay current with regulations: AI compliance isn’t standing still. Subscribe to industry updates and, if possible, join working groups or consult with organizations already navigating similar challenges.

Herding digital cats is possible—if you learn from BYOD

The hard truth: Shadow AI use is an existential risk for data security and compliance, but it’s also a chance to champion IT as the enabler, not the naysayer. The most successful IT teams borrow a page from the BYOD and SaaS explosions—they build trust through tools, policies, coaching, and ongoing monitoring. Remember: when it comes to data security, users are just trying to solve their daily problems. Give them safe, sanctioned paths to use AI, set clear boundaries, and you’ll not only herd the cats—you’ll make them part of the solution.

Denis Tom

Denis Tom is a coach, futurist and strategic advisor with over 30 years of technology leadership. He enjoys working with organizations and individuals to lead with authentic purpose, yielding optimal performance and creativity. He has led award winning organizations in tech, publishing, entertainment, financial, nonprofit and service industries. Currently, Denis is a committee member for training and development of cybersecurity professionals at the New York Metro Chapter of ISACA.