Shadow AI · Regulated Industries · Compliance Risk

Shadow AI is not a rogue employee problem.

It is a policy vacuum problem. And in regulated industries, the compliance implications of that vacuum are not theoretical.


What shadow AI actually is

Unsanctioned AI tool use that leadership does not know about.

Shadow AI refers to the use of AI tools by employees without explicit organizational approval, governance, or oversight. It is the AI equivalent of shadow IT — the unofficial technology layer that exists in most organizations whether leadership is aware of it or not.

In most cases it starts the same way. An employee discovers that an AI tool makes a time-consuming task significantly faster. They start using it. They do not report it because they are concerned the tool will be restricted. The behavior spreads informally to colleagues. Within weeks or months, a meaningful portion of the team is using a tool that has never been reviewed, approved, or governed.

In a general business context this is a productivity and IT governance issue. In a regulated industry context it is a compliance exposure problem.

74% of employees using AI at work do not tell their managers
40% more likely to use AI compliantly when clear guidance exists
<30% of organizations have a formal AI governance policy in place

Source: Salesforce State of AI 2024 · IBM Institute for Business Value 2024 · PEX Report 2025


Why banning AI makes it worse

Restriction drives adoption underground. It does not stop it.

A common organizational response to AI risk is restriction. Block the tools. Issue a policy prohibiting unapproved AI use. Communicate that violation of the policy has consequences.

This approach has a consistent outcome. It does not stop AI adoption. It makes it quieter. Employees continue using tools they find useful. They become less likely to disclose their usage. The organization loses even the informal visibility it previously had.

The compliance posture does not improve. The documentation posture gets worse. And the organization now has a policy on file that its own team is violating, which complicates any future enforcement conversation.

The goal is not to eliminate AI use. The goal is to make compliant AI use the easiest path available.

That requires infrastructure, not just policy.


The regulated industry dimension

The stakes are different when the data is protected.

In a general business context, shadow AI creates operational and security risk. In a regulated industry context, it creates potential regulatory liability that does not require a breach to trigger.

HIPAA requires a Business Associate Agreement with any vendor that handles protected health information. Most consumer AI tools do not have a BAA available on standard plans. An employee using an uncovered tool on protected client data is potentially creating a violation with each interaction, regardless of intent.

The organization is responsible for its team's data handling behavior. The absence of a policy does not eliminate that responsibility. The presence of a policy that is not being followed does not either.

What changes the compliance posture is documented governance — evidence that the organization assessed the risk, implemented controls, and maintained oversight on an ongoing basis.

Source: HHS Office for Civil Rights · HIPAA Enforcement Guidance


What to do about it

Visibility first. Controls second. Documentation throughout.

Addressing shadow AI in a regulated environment requires three things in sequence.

First, visibility into what tools are actually being used and on what data. Most organizations discover the scope of shadow AI adoption is larger than expected once they look deliberately.

Second, a compliant path that is easier to use than the unsanctioned alternatives. If the approved workflow is significantly more friction than ChatGPT, employees will use ChatGPT. The approved path needs to be genuinely usable.

Third, documentation that the governance program exists and is being operated. This is what matters in an enforcement context — not perfection, but evidence of reasonable ongoing effort.
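The visibility step above, worked as an added example that is not MMC Signal's tooling or any product's code: a small Python script that reads constructed web-proxy log lines and reports which AI tools are in use, by whom, how often, and whether any request looks like a document upload, so the result can feed the controls and documentation steps. The log format, the AI-domain catalogue, the sanctioned-tool list and the 50 KB upload threshold are all assumptions made for illustration.

```python
"""Summarise AI-tool use from web-proxy logs (added example, not MMC Signal's tooling).

Every value below is constructed for illustration: the log format, the
domain catalogue, the sanctioned-tool list and the upload threshold are
assumptions a real deployment would replace with its own.
"""
from dataclasses import dataclass, field

# Assumption: catalogue of AI-tool hostnames the organisation wants to watch.
AI_DOMAINS = {
    "chat.openai.com": "ChatGPT",
    "chatgpt.com": "ChatGPT",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Microsoft 365 Copilot",
}
# Assumption: tools that have been reviewed and approved.
SANCTIONED_TOOLS = {"Microsoft 365 Copilot"}
# Assumption: a POST body this large is treated as a possible document upload.
UPLOAD_BYTES = 50_000

# Constructed log lines: timestamp user method host path bytes_out
SAMPLE_LOG = """\
2025-03-03T09:14:02Z jdoe POST chat.openai.com /chat 812
2025-03-03T09:15:47Z jdoe POST chat.openai.com /upload 240331
2025-03-03T09:20:11Z asmith GET www.example.com / 0
2025-03-03T10:02:55Z asmith POST claude.ai /chat 1201
2025-03-03T10:30:00Z mlee POST copilot.microsoft.com /chat 950
2025-03-03T11:45:19Z jdoe POST ChatGPT.com /chat 600
"""


@dataclass
class ToolUsage:
    tool: str
    sanctioned: bool
    users: set = field(default_factory=set)
    requests: int = 0
    possible_uploads: int = 0


def parse_line(line: str) -> dict:
    """Split one space-separated log line into its fields."""
    ts, user, method, host, path, bytes_out = line.split()
    return {"ts": ts, "user": user, "method": method.upper(),
            "host": host.lower(), "path": path, "bytes_out": int(bytes_out)}


def summarise(log_text: str) -> dict:
    """Return {tool name: ToolUsage} for every catalogued AI host seen."""
    usage = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        tool = AI_DOMAINS.get(rec["host"])
        if tool is None:
            continue  # not an AI tool we track
        entry = usage.setdefault(tool, ToolUsage(tool, tool in SANCTIONED_TOOLS))
        entry.users.add(rec["user"])
        entry.requests += 1
        if rec["method"] == "POST" and rec["bytes_out"] >= UPLOAD_BYTES:
            entry.possible_uploads += 1
    return usage


def unsanctioned_report(usage: dict) -> list:
    """Rows for tools outside the approved list: (tool, users, requests, possible uploads)."""
    return sorted(
        (u.tool, sorted(u.users), u.requests, u.possible_uploads)
        for u in usage.values()
        if not u.sanctioned
    )


if __name__ == "__main__":
    for tool, users, requests, uploads in unsanctioned_report(summarise(SAMPLE_LOG)):
        print(f"{tool}: users={users} requests={requests} possible_uploads={uploads}")
```

In practice the same fields come from whatever proxy, secure web gateway or CASB export the organisation already has; the domain catalogue has to be maintained deliberately, and the unsanctioned report is the artefact that gets dated and filed as evidence that the visibility step was actually performed.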

MMC Signal works with regulated organizations to implement and operate this infrastructure inside Microsoft 365. We do not provide legal advice or compliance certification. Organizations should consult qualified legal counsel regarding their specific obligations.


Find out where your organization stands.

Start with a free exposure call.

20 minutes. A clearer picture of where your organization stands on AI compliance.

Book your free exposure call

This page is for general informational purposes only and does not constitute legal advice. Always consult qualified legal counsel regarding your organization's specific compliance obligations.