Shadow AI
Anti-pattern: leave the corporate AI offering so restrictive, slow, or narrow that employees bypass it with personal accounts and unapproved agent tools, creating data leakage and ungoverned tool calls that security cannot see.
Problem
Employees paste corporate data into personal-account LLMs, run agent tools that call into corporate systems with personal API keys, and connect unsanctioned MCP servers to their workstations. The security team has no visibility into any of it. Corporate data leaves the perimeter as prompts; outputs come back as decisions and code that flow into production. The Atea (Norway) source names the dynamic explicitly: 'employees adopt their own unsecured tools because the company does not offer good enough solutions.' English-language corroboration is overwhelming: Gartner predicts 40% of enterprises will suffer shadow-AI incidents by 2030, IBM's 2025 Cost of a Data Breach report shows shadow-AI breaches average $670k more than standard breaches, and Microsoft research found 71% of UK employees use unapproved AI at work. The failure mode is bilateral: restrictive controls drive the workaround, but permissive access drives the leak.
Solution
Don't ignore the gap. Match the sanctioned offering to user need: a model that is current enough, fast enough, and broad enough that employees do not feel the friction of going outside. Monitor egress and SaaS-discovery traffic for unsanctioned LLM and agent-tool use; treat detection as a security control, not a productivity audit. Provide a fast-track for new AI capabilities (sandboxed agent tools, MCP-server allow-list with quick onboarding) so users have a sanctioned path. Pair this with secrets-handling and session-isolation to bound the blast radius when shadow AI is found. Recognise that purely restrictive controls increase the shadow rate; permissive offerings with monitoring reduce it.
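The egress-monitoring step above, sketched as an added example (not code from the original page or its sources): it classifies proxy log lines against a sanctioned allow-list and an AI-service catalogue, and reports unsanctioned use per user alongside the share of AI traffic that reaches the sanctioned offering. The log format, the placeholder `.example` domains and the names `match` and `analyse` are assumptions.

```python
import csv
import io
from collections import defaultdict

# Assumed policy data (placeholder domains, not real services).
SANCTIONED = {"ai.corp.example"}  # the approved corporate offering
AI_CATALOGUE = SANCTIONED | {"consumer-llm.example", "agent-tools.example"}

# Constructed proxy log sample: timestamp,user,dest_host,bytes_out
SAMPLE_LOG = """\
2025-01-10T09:00:01Z,alice,ai.corp.example,1200
2025-01-10T09:02:14Z,bob,chat.consumer-llm.example,48213
2025-01-10T09:02:40Z,bob,api.consumer-llm.example,910
2025-01-10T09:05:00Z,carol,mcp.agent-tools.example,2048
2025-01-10T09:06:11Z,alice,intranet.corp.example,300
2025-01-10T09:07:30Z,dave,notconsumer-llm.example,700
"""

def match(host, domains):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in sorted(domains):
        # The leading dot stops "notconsumer-llm.example" matching "consumer-llm.example".
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def analyse(log_text):
    """Return (unsanctioned AI egress per (user, service), sanctioned share of AI requests)."""
    shadow = defaultdict(lambda: {"requests": 0, "bytes_out": 0})
    ai_requests = sanctioned_requests = 0
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        _ts, user, host, bytes_out = row
        service = match(host, AI_CATALOGUE)
        if service is None:
            continue  # not AI traffic
        ai_requests += 1
        if match(host, SANCTIONED):
            sanctioned_requests += 1
            continue
        shadow[(user, service)]["requests"] += 1
        shadow[(user, service)]["bytes_out"] += int(bytes_out)
    share = sanctioned_requests / ai_requests if ai_requests else None
    return dict(shadow), share

if __name__ == "__main__":
    findings, share = analyse(SAMPLE_LOG)
    for (user, service), stats in sorted(findings.items()):
        print(user, service, stats)
    print("sanctioned share of AI requests:", share)
```

A falling sanctioned share is the signal that the capability gap is widening, which is why the same pass reports it alongside the per-user findings.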
When to use
- Never. Cite when reviewing an enterprise model-governance posture that relies solely on restrictive controls.
- Close the capability gap between sanctioned and consumer offerings as a security control.
- Monitor egress and SaaS-discovery traffic for unsanctioned LLM and agent-tool use.