Shadow AI is the use of AI tools and agents inside an institution without approval, oversight, or a record of what they send. It covers staff pasting work into consumer chatbots on personal accounts, AI features switched on inside software approved for something else, and agents that call providers with no one at the keyboard. For institutions that handle PHI, CJI, or student records, the practical problem is not that shadow AI exists. It is that these unsanctioned AI tools sit outside every control you have, and closing that gap starts with AI usage visibility, not another policy memo.
The population is not small. In IBM’s 2025 Cost of a Data Breach report, one in five organizations reported a breach due to shadow AI, and organizations with high levels of it saw breach costs about $670,000 above those with little or none. Most institutions are behind on paper too: 63 percent of breached organizations had no AI governance policy or were still writing one.
Why shadow AI keeps growing
Three forces drive it, and none of them is going away.
- The tools are genuinely useful. A nurse summarizing a shift, an analyst looking for a pattern across incident reports, a teacher drafting rubrics: each gets real time back. Staff do not adopt these tools out of carelessness. They adopt them because the tools work.
- Staff move faster than procurement. A new model or feature ships in weeks. A security review, a contract, and a BAA take months. Shadow AI lives in the gap between those two clocks, and the gap is widening.
- AI arrives inside software you already approved. The meeting recorder now summarizes. The spreadsheet has an assistant. The browser gained a sidebar. None of these passed an AI review, because none of them was an AI tool when it was approved.
- Agents act with no one at the keyboard. Coding assistants, workflow agents, and automations now issue requests to providers on their own schedule. Nobody pasted anything, and the request still crossed the boundary. That shift changes what oversight has to mean, and we cover it separately in our guide to governing agentic AI.
Why bans fail
The first instinct is to ban consumer AI outright, and it reliably backfires. Block the obvious destinations and usage moves to phones, home laptops, and personal accounts, where the institution has no visibility at all. The work still happens. The record disappears. Staff who would have used a governed tool in the open now use an ungoverned one in private, and your measured usage drops to zero while your actual exposure grows.
The data terms are also weaker exactly where banned usage lands. On the consumer tiers of major assistants, conversation content can be used to improve the provider’s models unless the person opts out; OpenAI documents this default for its consumer plans, while its business offerings are excluded by default. A ban does not keep institutional data away from those defaults. It routes the data there through personal accounts, with no policy applied and nothing retained on your side.
| Approach | What actually happens |
|---|---|
| Block the known AI destinations | Usage shifts to personal devices and newer tools. Visibility goes to zero while exposure continues. |
| Approve one tool and declare the problem solved | The sanctioned tool is governed. Everything else, including the AI inside already approved software, is not. |
| See what is in use, then govern all of it | Usage stays on managed devices, each request is decided by policy, and a record exists. |
What unsanctioned AI tools put at risk, sector by sector
The stakes are concrete, and they differ by sector. We keep fuller detail on our industries page; the short version follows.
Healthcare: protected health information
A clinician pasting chart notes, labs, or a discharge summary into a consumer chatbot can move PHI to an outside provider with no record it happened. Under HIPAA, a breach of unsecured PHI triggers the Breach Notification Rule: affected individuals must be notified, and larger breaches are reported to HHS and can draw enforcement. HIPAA also expects documentation kept for six years. An interaction nobody captured cannot be produced, which turns a single paste into an unanswerable audit question.
Criminal justice: CJI
An analyst pasting case files into an assistant moves criminal justice information outside the boundary. CJIS Security Policy v6.0, published in December 2024 and mapped to NIST SP 800-53 rev 5, places event logging in the AU control family and expects audit logs retained for at least one year. An unsanctioned tool produces no log to retain. The disclosure happens, and the evidence that would explain it never exists.
Education: student records
FERPA gives parents and eligible students rights over education records, including control over the disclosure of personally identifiable information from those records, as the U.S. Department of Education explains. A teacher pasting a roster, grades, or an excerpt from an individualized education program into an ungoverned tool is a disclosure the district cannot see, cannot account for, and cannot notify anyone about.
What good looks like: shadow AI detection first, then one policy
The institutions handling this well do it in a particular order.
- See what is actually in use. Real AI usage visibility means observed activity from endpoints, not an annual survey. Which tools, how often, from which roles. Institutions that measure this usually find more than they expected, and most of it is defensible work rather than recklessness.
- Sort rather than sentence. Some tools graduate to sanctioned status with business terms and a BAA where one is needed. A few are blocked outright. Most of the middle does not need a verdict; it needs a boundary.
- Put every tool under one enforced policy. Instead of maintaining an allowlist and hoping, decide each request as it is made: ALLOW what policy permits, REDACT regulated identifiers before they leave the device, BLOCK what should never cross. Once the policy applies to sanctioned and unsanctioned tools alike, that distinction stops being the load-bearing control. A tool nobody has reviewed yet is still governed, and every captured interaction leaves a record.
You cannot govern what you cannot see. Measure first, then place sanctioned and unsanctioned tools under one enforced policy with a record your institution holds. A ban is not a control; it is a decision to stop looking.
Where Verillian fits
Verillian does both halves of this on the device. A sentinel on each endpoint governs any AI tool or agent that reaches a provider, with nothing to configure per tool, so detection covers the tools you have not heard of yet. Usage analytics show what is in use, how often, and by whom, and policy is built from those observed patterns rather than guesses.
One policy then applies across every endpoint. Requests are decided the moment a tool or agent acts, sensitive types are redacted or blocked before they leave the device, and every captured interaction is signed and hash-chained into a tamper-evident record held under keys only your institution controls. A sentinel with no valid policy stops AI traffic entirely: ungoverned AI is a stop condition, not a degraded mode. Governance is a meeting; enforcement is what Verillian does. See shadow AI detection for the specifics, or how the platform works end to end.