Skip to content
Security & Compliance

Shadow AI: your teams already use AI — just not yours

Client contracts, HR data and confidential documents are pasted every day into personal ChatGPT accounts, with no validation and no trace. Here is why banning fails, what you actually risk, and the only answer that works.

Hugo Dorus

Hugo Dorus

Founder of Eridia

July 4, 20265 min read
Share
Shadow AI: your teams already use AI, just not yours

In most companies, the question is no longer "should we adopt AI?". It has already been adopted — through personal ChatGPT accounts, without IT validation, without informing the DPO, without any trace.

This is called shadow AI, and it is currently the biggest compliance blind spot in European companies.

What is shadow AI?

Shadow AI is the use of artificial intelligence tools by employees outside any framework validated by the company: a personal ChatGPT account open in a browser tab, a browser extension that "summarizes PDFs", a mobile transcription app used in a client meeting.

The phenomenon is massive and perfectly rational. A tool that saves two hours a day will never sit unused just because it hasn't been approved. Your best people are usually the first involved: they are the ones trying to move faster.

The problem is not using AI. The problem is what leaves with every prompt.

What actually leaves your company

Every day, in an average company, employees paste into consumer tools:

  • excerpts from client contracts ("rephrase this liability clause"),
  • HR data ("draft a warning letter for this employee, here's the context"),
  • unpublished figures ("summarize this report for the board"),
  • minutes of confidential meetings, transcribed by third-party apps.

This data travels to servers operated by American companies, subject to the Cloud Act regardless of where the datacenter is located. On consumer plans, it can also be used to train the models: your know-how ends up feeding the very tool your competitors use too.

And above all: nobody can say what has left. No logs, no traceability, no perimeter. The day a client, an auditor or a data protection authority asks the question, the honest answer is "we don't know".

The three concrete risks

1. The regulatory risk. GDPR requires knowing where personal data is processed and by whom. HR or client data pasted into a personal account outside the EU is an uncontrolled transfer — exactly the type of breach that supervisory authorities such as the CNIL sanction. With the AI Act, traceability requirements now extend to AI usage itself.

2. The confidentiality risk. The canonical example remains Samsung: confidential data leaked three times in twenty days through ChatGPT, followed by a blanket ban. Attorney-client privilege, trade secrets, M&A files, health data: none of these regimes survives a copy-paste into a consumer tool.

3. The audit risk. More and more RFPs and insurer questionnaires include an AI section. "Which tools do your teams use, and where is the data processed?" Answering "we have a policy" while half the workforce uses personal ChatGPT accounts is a documented non-compliance.

Why banning doesn't work

The classic reflex — blocking chatgpt.com on the network — fails systematically, for a simple reason: you never win against a tool that saves two hours a day.

A ban doesn't remove the usage, it displaces it: to the personal phone, mobile data, the home account. The paradoxical result: a company that bans has less visibility on usage than one that governs it. Shadow AI thrives precisely where no official alternative exists.

It is the same mechanism as the shadow IT of the 2010s (Dropbox, WhatsApp) — with one major difference: a file shared on Dropbox remains a file; a prompt sent to a model can be retained, analyzed, and used for training.

The only answer that works: offer better

Since you cannot win against the tool, you have to replace it with a better one. The answer to shadow AI comes down to three steps, in this order:

1. Measure, without punishing

Start with an honest inventory: which tools are used, by which teams, for which purposes? An anonymous survey yields surprisingly frank results when it is clear this is not a witch hunt. You will generally discover that usage is more widespread — and more useful — than expected.

2. Write a short AI policy, and enforce it in tooling

An effective AI policy comes down to six decisions: which tools are allowed, which data can go into them, who validates new use cases, what traceability is required, who trains the teams, and when the policy is reviewed. Forty pages end up in a folder; six decisions get applied. This also matches the official position of the French data protection authority (CNIL), which recommends defining allowed and prohibited uses, involving the DPO and CISO from the start, and favoring local, secured systems.

The key point: a policy that only lives in a PDF protects nothing. It must be enforced in the tool itself — through access rights, data perimeters, and logs.

3. Deploy an internal alternative that is just as comfortable

This is the condition for everything else: your teams will only abandon their personal ChatGPT account for a tool that is at least as fluid, validated by IT and the DPO, with one decisive advantage — it knows the company's documents.

This is exactly what we built Eridia for: a complete AI platform (multi-model chat, document analysis, meetings, agents) deployed on your servers or on a French cloud, where no data ever leaves your perimeter. The comfort of ChatGPT, with compliance built in — installed in one day.

Where to start

Three questions to ask this week, before any project:

  1. Do you know what your teams are pasting into ChatGPT right now? If the answer is no, you have a visibility problem before you have a tooling problem.
  2. Is your AI policy enforced anywhere other than in a PDF? A rule without a tool is a wish.
  3. Does a genuinely usable internal alternative exist? If not, every ban strengthens shadow AI instead of reducing it.

If you want a structured assessment, we offer a free diagnostic: actual usage, priority risks, and a deployment plan for a sovereign internal AI — usually within a day.

Shadow AI is not a discipline problem. It is the symptom of a legitimate demand the company has not yet answered. Answer it before an audit does it for you.

#Shadow AI#GDPR#Compliance#Sovereignty#AI Governance

Ready to transform your business?

Join companies that have chosen Eridia to secure and optimize their AI usage