XIV · Anti-Patterns

Anti-pattern

Shadow AI

Also known as: Unsanctioned AI Tooling, Parallel-Economy AI Use

Anti-pattern: leave the corporate AI offering so restrictive, slow, or narrow that employees bypass it with personal accounts and unapproved agent tools, creating data leakage and ungoverned tool calls that security cannot see.

Context

An organisation has rolled out a sanctioned AI tool — a corporate chat assistant, an internal agent platform — but the offering is constrained by data-residency policies, model-version lag, narrow scope, or slow procurement. Employees have personal accounts on consumer LLM services and access to free agent tools, and they have everyday work that the corporate offering cannot do. The security team's threat model assumes the corporate offering is the only AI surface in the organisation.

Problem

Employees paste corporate data into personal-account LLMs, run agent tools that call into corporate systems with personal API keys, and connect unsanctioned MCP servers to their workstations. The security team has no visibility into any of it. Corporate data leaves the perimeter as prompts; outputs come back as decisions and code that flow into production. The Atea (Norway) source names the dynamic explicitly: 'employees adopt their own unsecured tools because the company does not offer good enough solutions.' English-language corroboration is overwhelming — Gartner predicts 40% of enterprises will suffer shadow-AI incidents by 2030, IBM's 2025 Cost of a Data Breach report shows shadow-AI breaches average $670k more than standard breaches, and Microsoft research found 71% of UK employees use unapproved AI at work. The failure mode is bilateral: restrictive controls drive the workaround, but permissive access drives the leak.

Forces

  • Sanctioned AI offerings lag the consumer frontier by 6-18 months on capability and model version.
  • Procurement and data-residency policies legitimately restrict corporate AI but also legitimately frustrate users.
  • Shadow AI is invisible to the security team by design — the corporate logging surface does not see personal accounts.

Example

A regulated firm rolls out a corporate AI chat tool restricted to one older model with strict data-residency rules. Within three months, security egress logs show traffic spikes to a consumer LLM provider during business hours, originating from finance, legal, and engineering. An internal survey finds 60% of those teams routinely paste corporate data into personal-account chats because the sanctioned tool 'cannot handle real work.' Two months later, a sensitive M&A document appears in an unrelated consumer-LLM training-data investigation. Postmortem: the gap between sanctioned capability and user need was a security exposure that the team had been treating as a productivity complaint. The fix is to upgrade the sanctioned offering to current-frontier capability, add SaaS-discovery monitoring, and provide a fast-track sanctioning path for new tools.

Diagram

Solution

Therefore:

Don't ignore the gap. Match the sanctioned offering to user need: a model that is current enough, fast enough, and broad enough that employees do not feel the friction of going outside. Monitor egress and SaaS-discovery traffic for unsanctioned LLM and agent-tool use; treat detection as a security control, not a productivity audit. Provide a fast-track for new AI capabilities (sandboxed agent tools, an MCP-server allow-list with quick onboarding) so users have a sanctioned path. Pair this with secrets handling and session isolation to bound the blast radius when shadow AI is found. Recognise that purely restrictive controls increase the shadow rate; permissive offerings with monitoring reduce it.
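The egress monitoring the Example and Solution describe, as an added illustration that is not part of the original pattern text: a small detector run over constructed proxy log lines, with an allow-list of sanctioned AI endpoints and SaaS-discovery signatures for consumer-LLM and MCP hosts. All host names, the log format and the thresholds are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed allow-list of sanctioned AI endpoints (hypothetical host name).
SANCTIONED_HOSTS = {"llm.corp.example"}
# Constructed SaaS-discovery signatures for consumer-LLM and public MCP-server hosts;
# a real deployment would take these from the egress proxy's SaaS catalogue.
UNSANCTIONED_AI_PATTERNS = [re.compile(r"\.consumer-llm\.example$"), re.compile(r"^mcp-[\w-]+\.example$")]
# Constructed egress-proxy log lines: ISO timestamp, user, department, destination host, bytes sent.
SAMPLE_LOG = """\
2025-03-03T10:15:00 user=alice dept=finance host=chat.consumer-llm.example bytes_out=48210
2025-03-03T10:20:00 user=bob dept=legal host=llm.corp.example bytes_out=1200
2025-03-03T11:05:00 user=carol dept=engineering host=mcp-tools.example bytes_out=3300
2025-03-03T21:30:00 user=dave dept=finance host=chat.consumer-llm.example bytes_out=900
2025-03-03T12:00:00 user=erin dept=legal host=cdn.example bytes_out=5000
2025-03-03T14:00:00 user=frank dept=legal host=api.consumer-llm.example bytes_out=70000
""".splitlines()
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) dept=(?P<dept>\S+) host=(?P<host>\S+) bytes_out=(?P<bytes>\d+)$")

def parse(line):
    """Parse one proxy log line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"], rec["bytes"] = datetime.fromisoformat(rec["ts"]), int(rec["bytes"])
    return rec

def is_shadow_ai(rec):
    """Destination is an AI host and is not on the sanctioned allow-list."""
    return rec["host"] not in SANCTIONED_HOSTS and any(p.search(rec["host"]) for p in UNSANCTIONED_AI_PATTERNS)

def summarise(lines):
    """Aggregate shadow-AI egress per department: event count, bytes out, and events in business hours."""
    s = {"events": 0, "business_hours": 0, "by_dept": Counter(), "bytes_by_dept": Counter()}
    for rec in filter(None, map(parse, lines)):
        if not is_shadow_ai(rec):
            continue
        s["events"] += 1
        if rec["ts"].weekday() < 5 and 8 <= rec["ts"].hour < 18:  # Mon-Fri, 08:00-18:00
            s["business_hours"] += 1
        s["by_dept"][rec["dept"]] += 1
        s["bytes_by_dept"][rec["dept"]] += rec["bytes"]
    return s

def large_uploads(lines, threshold=32 * 1024):
    """Users who sent more than `threshold` bytes to an unsanctioned AI host in one request."""
    return sorted({r["user"] for r in filter(None, map(parse, lines)) if is_shadow_ai(r) and r["bytes"] > threshold})
```

The per-department counts are the signal the Example's security team had in its logs all along; the large-upload list is the narrower alert worth routing to the security queue, since a single request carrying tens of kilobytes is the shape of a whole document pasted into a consumer chat.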

What this pattern forbids. As an anti-pattern it states no useful constraint of its own; the missing constraint is a sanctioned offering that closes the capability gap, paired with egress monitoring.

And the patterns that stand alongside it, or against it —

  • complements · Secrets Handling: Ensure the model never receives secrets in plaintext; tools resolve credentials from references at runtime.
  • complements · Session Isolation (★★): Keep one user's session state and memory unreachable from another user's agent.
  • complements · Agentic Supply Chain Compromise: Anti-pattern: compose agent capabilities at runtime from third-party tools, RAG sources, model providers, plugin marketplaces, and tool definitions, with no integrity check on what was loaded.
  • alternative-to · Sovereign Inference Stack: Run the entire agent stack (model weights, inference, tool layer, vector stores, logs) inside a jurisdictional and operational boundary the operator controls, so no request, prompt, or output crosses into a third-party API.
  • complements · Vibe-Coding Without Security Review: Anti-pattern: a developer scaffolds an agent prototype with a code-generation tool and ships the generated code with no security review; ~90% of agent-generated code contains vulnerabilities without explicit security prompts.
