In May 2023, Samsung Electronics banned generative AI tools on company networks. The decision followed incidents in which engineers had pasted sensitive source code and internal meeting notes into ChatGPT to ask for help.[1] The story is usually told as a cautionary tale about reckless employees. It is the wrong moral.

The actual story is that Samsung — a company with mature security operations and a 250,000-person workforce — discovered after the fact that its own engineers were using a consumer AI tool to do their jobs, and that no policy, audit trail, or sanctioned alternative existed until the incidents forced its hand. The ban that followed was less a security decision than an admission that the security model in place had been silently bypassed for months.

Microsoft’s 2024 Work Trend Index, conducted with LinkedIn, found that 75% of knowledge workers were using AI at work. Of those, 78% reported bringing their own AI tools — what Microsoft, without apparent irony, abbreviated as BYOAI.[2] By the time a CISO is writing a policy about employee AI use, three out of four employees are already using it, and most of them are using something the security team has not sanctioned.

Shadow AI is not a coming problem. It is the current state of most enterprise environments. It is also the cleanest example I know of governance and engineering reality drifting apart while everyone pretends they have not.

What shadow AI actually looks like

The term gets used loosely. Operationally, it means three things, often overlapping.

The first is consumer AI tools used on work content. An employee pastes a customer contract into ChatGPT to ask for a summary. An engineer asks a public LLM to autocomplete a function inside a proprietary codebase. A marketing lead uploads a customer list to draft segmentation copy. Cyberhaven, a data-security firm, has been instrumenting corporate endpoints to measure exactly this. Their early-2023 baseline, updated through that year, reported that 11% of the data employees pasted into ChatGPT was classified as confidential, with 4.7% of workers having pasted confidential data into the tool at least once.[3] By Cyberhaven’s May 2024 follow-up, the share of corporate data flowing into AI tools that was classified as sensitive had reached 27.4% — up from 10.7% the year before — and the total volume of corporate data going to AI tools had risen 485% year-over-year.[4]

The second is sanctioned AI tools used in ways nobody approved. An organization buys Microsoft Copilot enterprise licenses, sets up retention policies, and considers the problem solved. Six months later it discovers that employees have been using Copilot to summarize HR investigation files, customer-support transcripts, or board meeting notes — all of which Copilot happens to have access to because nobody configured the data boundaries when the tenant was provisioned. This is, technically, sanctioned. It is not, in any practical sense, governed.

The third is AI features quietly added to tools already in use. Slack updated its privacy policy in May 2024 to clarify that customer messages were used to train its machine learning models. The clarification, it turned out, was of a policy that had been in place since the prior year.[5] Slack walked back the wording after public backlash, but the underlying pattern — vendor-side AI features added to existing SaaS without an explicit opt-in flow — is now the default across the SaaS market. Most workplace surveys you have ever taken, most Notion pages you have ever shared, most support tickets your team has touched, are either currently feeding a model or available to feed one as soon as the vendor decides.

None of these are exotic. They are what happens when the gap between sanctioned tools and consumer tools is large enough that motivated employees route around it.

Why most policies are theater

The reflexive response is to ban consumer AI tools on corporate networks. Samsung did this in May 2023.[6] Italy’s data protection regulator went further and banned ChatGPT entirely; the block lasted roughly a month and was lifted only after OpenAI agreed to additional transparency and user-control measures.[7] Several Fortune 500 financial firms followed with internal bans during the same period.

Bans without observability are a policy that says we have decided not to know. They reduce the volume of traffic that takes the easy route — the corporate-network request to a known LLM domain — while doing essentially nothing about the same traffic on a personal device, a personal account at home, or any of the dozen LLM apps that do not run on a sanctioned domain. The 78% BYOAI rate Microsoft measured in 2024 was, in part, a measurement of how many of these bans had effectively redirected traffic to less visible channels.[8]

The deeper problem is that policy without three things is theater. The first is a sanctioned alternative that is actually as good as the consumer tool for the use case at hand. The second is an observability layer — telemetry, audit, network egress monitoring — that tells the security team what is happening rather than what was promised. The third is a clear data-handling rule that an individual contributor can apply without calling legal. Most organizations have at most one of these.

Cisco’s 2024 AI Readiness Index, which surveyed 7,985 senior business leaders across 30 markets, found that only 31% of organizations described their AI policies and protocols as “highly comprehensive.” The remaining two-thirds, by their own assessment, were not.[9] That is the structural picture under the anecdotes.

OpenAI’s own data policies illustrate the issue from the vendor side. Before March 2023, ChatGPT’s free and consumer tiers used user inputs to improve their models by default; only the API was a carve-out. After the Samsung incident, the Italian ban, and a string of internal incidents reported across financial services, OpenAI updated its API data policies to make no-training the default and introduced enterprise tiers with stronger guarantees.[10] The change was real and material. It also took the company most of a quarter to make, and most users never read the terms in either direction.

This is the structural pattern. Vendors evolve their data policies on their own schedule. Enterprises sign procurement agreements at a different cadence. Employees use the tool today.

What governance shape actually works

I think the next eighteen months will reward organizations that stop trying to make shadow AI go away and start trying to make it observable and bounded. The reasoning here is straightforward: shadow AI is a symptom of unmet user needs combined with frictionless alternatives. You can address the friction, the alternatives, or the needs; you cannot durably address none of them with policy alone.

The closest thing to a usable framework is NIST’s AI Risk Management Framework, published in January 2023.[11] It is not a regulation; it is a set of four functions — Govern, Map, Measure, Manage — that prompt the right questions without prescribing a specific technology stack. The Govern function in particular asks who is accountable for AI risk, where the policies live, how they are enforced, and how exceptions are tracked. Most organizations cannot answer those questions for shadow AI right now.

The EU AI Act, published in the Official Journal of the EU on July 12, 2024 and entering into force August 1 of that year, sets the legal floor for general-purpose AI systems in the EU market and addresses workplace use through both data protection and worker protection provisions.[12] It is going to make policy-without-enforcement a more expensive posture for any company doing business in the EU. The compliance work it requires — risk classification, documentation, post-market monitoring — is also the work that produces observability over shadow AI as a side effect. That is a feature, not a coincidence.

The practical shape of governance that survives, in my view, has four parts. One: a sanctioned AI surface that is actually as good as the consumer alternative for the most common use cases — usually an enterprise license to a frontier-model provider, integrated where employees already work. Two: a data loss prevention layer that understands AI tool patterns specifically. Clipboard exfiltration to LLM-shaped domains is a known signature now, and the DLP vendors have caught up to it. Three: an audit trail that links specific prompts and outputs to specific accounts and surfaces — not “an employee used Copilot today,” but “this prompt about this customer ran on this date, from this account.” Four: training that explains the rules in terms employees can actually apply. The successful version is not “do not paste confidential information into ChatGPT.” It is “here is the sanctioned tool, here is what counts as confidential, here is what to do if you cannot tell.”
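As an added illustration of the observability and audit-trail parts above (not code from any vendor or report cited here), the sketch below turns web-proxy egress records into per-account events that separate the sanctioned AI surface from consumer tools and mark large uploads for review. The log layout, the host `ai.corp.example`, the watch list and the size threshold are all assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed proxy log: timestamp, account, destination host, method, request bytes.
SAMPLE_LOG = """\
ts,account,host,method,bytes_out
2024-05-21T09:14:02Z,jlee,chatgpt.com,POST,18432
2024-05-21T09:15:40Z,jlee,ai.corp.example,POST,2210
2024-05-21T10:02:11Z,mroy,claude.ai,POST,640
2024-05-21T10:07:55Z,mroy,claude.ai,POST,52100
2024-05-21T11:30:00Z,akim,ai.corp.example,POST,91000
2024-05-21T11:31:12Z,akim,intranet.corp.example,GET,0
"""

SANCTIONED = {"ai.corp.example"}  # hypothetical enterprise AI surface
CONSUMER_AI = {"chatgpt.com", "chat.openai.com", "claude.ai",
               "gemini.google.com"}  # assumed watch list, kept under change control
PASTE_THRESHOLD = 8192  # assumed: request bytes suggesting a pasted document

def classify(host):
    """Return 'sanctioned', 'unsanctioned', or None for non-AI destinations."""
    host = host.lower().rstrip(".")
    for domains, label in ((SANCTIONED, "sanctioned"), (CONSUMER_AI, "unsanctioned")):
        # Match the domain itself and any subdomain, never a bare suffix.
        if any(host == d or host.endswith("." + d) for d in domains):
            return label
    return None

def audit(log_text):
    """Build audit events and per-account counts from proxy log text."""
    events = []
    summary = defaultdict(lambda: {"sanctioned": 0, "unsanctioned": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        surface = classify(row["host"])
        if surface is None or row["method"] != "POST":
            continue  # only uploads to AI destinations are of interest
        size = int(row["bytes_out"])
        summary[row["account"]][surface] += 1
        events.append({
            "ts": row["ts"], "account": row["account"], "host": row["host"],
            "surface": surface, "bytes_out": size,
            # Large upload to a consumer tool: route to a human for review.
            "review": surface == "unsanctioned" and size >= PASTE_THRESHOLD,
        })
    return events, dict(summary)

if __name__ == "__main__":
    for event in audit(SAMPLE_LOG)[0]:
        print(event)
```

Proxy records carry only destination and size, and only for traffic on the corporate network; the prompt-level trail described above has to come from the sanctioned tool's own logging.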

IBM’s 2024 Cost of a Data Breach report found that organizations using security AI and automation extensively across prevention workflows had average breach costs roughly $2.2 million lower than those that did not.[13] The same report did not separate “AI used for defense” from “AI being defended against,” which is the bind every security team is now in. The toolset is the same.

What I think survives

The companies that ride out the next two years of shadow AI incidents are not the ones with the strictest bans. They are the ones who admit that some shadow use will continue, build the observability and sanctioned alternatives that make the volume small and the consequences visible, and write policies their own engineers can actually follow.

The Samsung lesson, properly read, is not “ban consumer AI.” It is that the absence of a sanctioned alternative is itself a security decision, and not the one you thought you were making. Every organization that does not have an answer to the question — what should an engineer do when an LLM would actually help them ship — is making that decision daily, by default, in favor of the consumer tool.

Shadow AI is your governance problem now. It was your governance problem six months ago. It will keep being your governance problem until somebody at the policy level decides what the sanctioned answer looks like, and somebody at the engineering level builds the observability to know when employees route around it.

Bans are how you tell yourself you have handled it. Observability and sanctioned tools are how you actually do.

Notes

  1. Kate Park, “Samsung bans use of generative AI tools like ChatGPT after April internal data leak,” TechCrunch, May 2, 2023. https://techcrunch.com/2023/05/02/samsung-bans-use-of-generative-ai-tools-like-chatgpt-after-april-internal-data-leak/

  2. Microsoft and LinkedIn, “AI at Work Is Here. Now Comes the Hard Part.” 2024 Work Trend Index Annual Report, May 8, 2024. https://www.microsoft.com/en-us/worklab/work-trend-index/ai-at-work-is-here-now-comes-the-hard-part

  3. Cyberhaven Labs, “11% of data employees paste into ChatGPT is confidential,” Cyberhaven blog, originally February 2023 with figures updated through mid-2023. https://www.cyberhaven.com/blog/4-2-of-workers-have-pasted-company-data-into-chatgpt

  4. Cyberhaven Labs, “Shadow AI: how employees are leading the charge in AI adoption and putting company data at risk,” Cyberhaven blog, May 21, 2024. https://www.cyberhaven.com/blog/shadow-ai-how-employees-are-leading-the-charge-in-ai-adoption-and-putting-company-data-at-risk

  5. Ivan Mehta and Ingrid Lunden, “Slack under attack over sneaky AI training policy,” TechCrunch, May 17, 2024. https://techcrunch.com/2024/05/17/slack-under-attack-over-sneaky-ai-training-policy/

  6. Kate Park, “Samsung bans use of generative AI tools like ChatGPT after April internal data leak,” TechCrunch, May 2, 2023. https://techcrunch.com/2023/05/02/samsung-bans-use-of-generative-ai-tools-like-chatgpt-after-april-internal-data-leak/

  7. Kelvin Chan / Associated Press, “ChatGPT is back in Italy after OpenAI met regulator demands,” Fortune, April 28, 2023. https://fortune.com/2023/04/28/chatgpt-back-italy-met-regulator-demands-openai/

  8. Microsoft and LinkedIn, “AI at Work Is Here. Now Comes the Hard Part.” 2024 Work Trend Index Annual Report, May 8, 2024. https://www.microsoft.com/en-us/worklab/work-trend-index/ai-at-work-is-here-now-comes-the-hard-part

  9. “Cisco’s 2024 AI Readiness Index: Urgency Rises, Readiness Falls,” Cisco Newsroom, November 19, 2024. https://newsroom.cisco.com/c/r/newsroom/en/us/a/y2024/m11/cisco-2024-ai-readiness-index-urgency-rises-readiness-falls.html

  10. Kyle Wiggers, “Addressing criticism, OpenAI will no longer use customer data to train its models by default,” TechCrunch, March 1, 2023. https://techcrunch.com/2023/03/01/addressing-criticism-openai-will-no-longer-use-customer-data-to-train-its-models-by-default/

  11. National Institute of Standards and Technology, “Artificial Intelligence Risk Management Framework (AI RMF 1.0),” January 26, 2023. https://www.nist.gov/itl/ai-risk-management-framework

  12. “Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act),” Official Journal of the European Union L series, published July 12, 2024. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng

  13. IBM, “IBM Report: Escalating Data Breach Disruption Pushes Costs to New Highs,” IBM Newsroom press release, July 30, 2024. https://newsroom.ibm.com/2024-07-30-ibm-report-escalating-data-breach-disruption-pushes-costs-to-new-highs