
Shadow AI in Professional Practices: What Leaders Don't See

Staff are using AI tools your IT team hasn't approved and leadership doesn't know about. Here's how to find out what's in use, why it matters, and how to govern it without killing productivity.

The problem most practices aren't looking for

Ask a practice director how many AI tools their organisation uses and they'll typically name two or three: Microsoft Copilot if it's been rolled out, maybe ChatGPT for the marketing team. Ask their staff the same question and you'll get a very different answer.

Shadow AI, the use of AI tools without formal organisational approval or oversight, is now endemic in UK professional practices. A 2024 study found that 78% of knowledge workers use AI tools their IT department hasn't approved. In professional services, where the data being processed is often legally privileged, commercially sensitive, or personally identifiable, that number represents a material compliance risk.

What Shadow AI actually looks like

Shadow AI isn't just staff using ChatGPT to draft emails. It manifests in many forms:

  • Browser extensions: AI writing assistants, grammar tools, and meeting summarisers that have access to everything on your screen
  • AI features in standard software: Grammarly, Notion, Canva, Zoom, and dozens of other tools now have AI functionality enabled by default
  • Consumer AI tools used for work: Personal ChatGPT, Claude, or Gemini accounts used to process client information
  • Sector-specific AI: Legal research AI, BIM co-pilots, clinical documentation tools adopted by teams without IT assessment
  • AI embedded in new software: Every new SaaS tool your teams adopt now likely includes AI features, often sharing data with third-party AI providers under their own terms

Why it matters for compliance

Under UK GDPR, you are responsible for how personal data you hold is processed, regardless of which tool processes it. When a member of staff uploads client data to a consumer AI tool, they are initiating a data processing activity that:

  • Likely lacks a legal basis (the client didn't consent to their data being processed by an AI vendor)
  • May involve a transfer to a US-based processor under terms you haven't reviewed
  • Doesn't appear in your Record of Processing Activities (ROPA)
  • Hasn't been subject to a DPIA
  • May result in the vendor using that data to train their models

Any one of these points represents a compliance gap. All five together represent a material exposure that the ICO would view seriously, particularly if a breach resulted.

"The uncomfortable truth for most practice leaders is that their organisation's biggest AI compliance risk isn't from the AI tools they've approved. It's from the ones they haven't."

The three questions to ask

Before you can govern AI use, you need to understand it. These three questions give you the foundation:

1. What AI tools are actually in use?

Don't ask IT; ask staff directly. Survey each department: what tools do you use regularly? What would slow you down if you lost access tomorrow? The answers will be more honest and more complete than any IT audit. Cross-reference them with your software licensing records and with expense claims for subscriptions.

2. What data is being processed?

For each tool identified, understand what data flows into it. Is it general admin? Client communications? Patient records? Legally privileged advice? This step determines the risk level, and therefore which tools need immediate attention and which can wait for medium-term governance work.

3. What are the vendor's data terms?

Read the terms of service and privacy policy for each tool. Specifically: does the vendor use your data to train their models? Where is data stored? What deletion rights do you have? Most consumer AI tools retain data and use it for model improvement, which may be acceptable for internal drafts but not for client data.

How to respond, without becoming the AI police

The wrong response to discovering Shadow AI is a blanket ban. Staff are using these tools because they are genuinely useful, and banning them drives usage underground rather than eliminating it. The better approach:

  • Create a simple AI use policy that defines what's permitted, what requires approval, and what's prohibited, with clear rationale for each category
  • Establish a light-touch approval process for new AI tools, a short assessment checklist that anyone can complete before adoption
  • Create an approved tools list that gives staff a clear set of tools they can use confidently
  • Train staff on AI data risks: not to scare them, but to help them understand why certain data types shouldn't go into certain tools
  • Review vendor contracts for the tools you do approve, and seek enterprise terms (rather than consumer terms) wherever possible

Getting your governance in place

If you don't know where to start, our free AI governance assessment will identify your specific gaps and give you a prioritised action plan. It takes under 5 minutes and is tailored to your sector.
