September 30, 2025
John Rood

What is Shadow AI, and What Can You Do About It?

If you are running a business in 2025, your employees are using AI – whether or not you know about it or like it.

Maybe it’s the marketing manager who feeds customer data into a free online chatbot. Or the analyst who pastes sensitive spreadsheets into a generative AI tool to speed up reporting. None of it is malicious – but all of it falls into the bucket of Shadow AI: technology adoption happening outside of management’s oversight.

What is Shadow AI?

Shadow AI is the younger cousin of “Shadow IT,” the software employees downloaded in the early days of SaaS because IT took too long to approve new tools. The difference now is that the risks are bigger and the pace is faster.

Data leakage, regulatory violations, intellectual property loss – these aren’t hypothetical anymore. They are real risks that can land on a CEO’s desk tomorrow.

Proceptual’s AI governance solutions help organizations get ahead of these risks before they spiral.

How to Manage Shadow AI Without Killing Innovation

So what can companies do to control and document shadow AI while still encouraging safe experimentation? Here are four practical steps.

1. Build an AI Registry

An AI registry is a critical first step to managing Shadow AI.

What is an AI registry? Very simply, it’s a list of the AI algorithms in use in an organization. This includes internally developed software, foundation models such as ChatGPT, and AI systems that come packaged with typical enterprise software (Salesforce, Workday, etc.).

In a very small company, this can run on a spreadsheet. But as complexity builds, it makes sense to invest in purpose-built software for creating and updating an AI registry.

A professional AI registry should include, at the very minimum:

  • Systems in use
  • What the system is used for (establishing the proper use of the system)
  • Who specifically is in charge of managing that system
  • What data is used in the training, testing, and deployment of the system

That’s just the beginning. An organization deploying AI in a high-risk industry would collect substantially more information as part of compliance with frameworks such as:

Pro tip: Proceptual’s AI registry tools make it easy to centralize and document all AI usage across your enterprise.

2. Set Clear Guardrails With an AI Use Policy

It’s absolutely critical that organizations of any size develop an AI use policy.

Simply put, an AI use policy is the forward-facing policy towards employees and team members within an organization. At root, it outlines the full set of AI algorithms in use by the organization, using a red, yellow, and green taxonomy.

  • Green systems: Fully approved for widespread use
  • Yellow systems: Approved conditionally, with safeguards
  • Red systems: Not approved for use (or not yet evaluated)

This framework makes it clear which AI systems employees can use – and which ones they should avoid.

Learn more: AI policy templates you can adopt for your organization.

3. Train and Communicate

Shadow AI thrives in the absence of communication.

Make training part of the rollout:

  • Explain why guardrails matter
  • Show employees how they can experiment safely
  • Provide resources and approved tools

The best way to avoid rogue usage is to make the approved path easy and attractive.

4. Create an On-Ramp for Innovation

Don’t suffocate innovation. If employees feel like the only answer to “Can I try this AI tool?” is “No,” they’ll go underground. Instead, create a clear approval process:

  • A simple form to request the evaluation of a tool
  • A quick turnaround from IT or compliance
  • A pilot program if the tool looks promising

That way, employees can experiment—and management can stay in the loop.

Shadow AI is not going away. Employees will continue to explore new AI tools in their day-to-day work. The question is: will your organization have the right oversight in place? By implementing an AI registry, clear use policies, training, and innovation pathways, leaders can minimize risks while still encouraging safe adoption.

🚀 Next step: Talk to Proceptual about how we can help your organization manage shadow AI with confidence.

John Rood

John is a sought-after expert on emerging compliance issues related to AI in hiring and HR. He has spoken at the national SHRM conference, and his writing has appeared in HR Brew, Tech Target, and other publications. Prior to Proceptual, John was founder at Next Step Test Preparation, which became a leader in the pre-medical test preparation industry before selling to private equity. He lives in the Chicago area and is a graduate of Michigan State University and the University of Chicago.
