AI Governance: The Problem of Shadow AI

By Linn Foster Freedman on March 20, 2025

If you hang out with CISOs like I do, shadow IT has always been a difficult problem. Shadow IT refers to “information technology (IT) systems deployed by departments other than the central IT department, to bypass limitations and restrictions that have been imposed by central information systems. While it can promote innovation and productivity, shadow IT introduces security risks and compliance concerns, especially when such systems are not aligned with corporate governance.”

Shadow IT has been a longstanding problem as IT professionals can’t implement security measures and guidelines when they are unaware of its use.

Now that artificial intelligence (AI) is widely used for purposes including work, it is imperative that organizations address its governance, as they previously addressed employees’ use of IT assets. Otherwise, employees will use AI tools without the organization’s knowledge and outside of its acceptable use policies, exacerbating the problem of shadow AI in the organization.

A recent TechRadar article concluded that “you almost certainly have a shadow AI problem.” The risks of having shadow AI in the organization include: “the leakage of sensitive or proprietary data, which is a common issue when employees upload documents to an AI service such as ChatGPT, for example, and its contents become available to users outside of the company. But it could also lead to serious data quality problems where incorrect information is retrieved from an unapproved AI source which may then lead to bad business decisions.” And don’t forget about the problem of hallucinations.

Implementing an AI Governance Program is one way to address the shadow AI problem. AI Governance programs differ depending on business needs, but all of them address who owns the program, AI tools usage, what tools are sanctioned, how AI tools can be used, guardrails around the risks of data loss, data integrity and accuracy, and user training and education. Governing the use of AI tools in an organization is similar to governing the use of IT assets. The most important thing is to get started before shadow AI gets out of hand.

Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security Team. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law. Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island.

  • Posted in:
    Intellectual Property
  • Blog:
    Data Privacy + Cybersecurity Insider
  • Organization:
    Robinson & Cole LLP
