Wednesday, January 28, 2026
The Hidden Threat: Shadow AI and Shadow IT in Your Business

by Nick LaRosa

St. Louis business owners pride themselves on innovation and efficiency, but a hidden threat may be lurking in their organizations: Shadow AI. As artificial intelligence tools become increasingly accessible, employees across companies are adopting these technologies without IT oversight—creating security vulnerabilities that many decision-makers don’t even know exist.

Understanding Shadow AI
Shadow AI refers to the unauthorized use of artificial intelligence tools and applications by employees without formal approval from IT or security teams. While shadow IT—the broader category of unsanctioned technology use—has challenged businesses for decades, Shadow AI represents a new and more complex frontier. According to recent industry research, while only 40% of companies have purchased official AI subscriptions, employees at over 90% of organizations actively use AI tools, primarily through personal accounts that IT never approved.

The most common example? Employees using ChatGPT, Claude, or other large language models to draft emails, analyze data, write code, or generate reports—all in an effort to boost productivity and meet deadlines. Other manifestations include AI-powered writing assistants like Grammarly, image generators, coding helpers, and even AI features automatically embedded in familiar SaaS platforms like Microsoft 365 or Adobe Acrobat.

How Shadow AI Manifests in SaaS Environments
Shadow AI doesn’t always mean downloading new software. Many SaaS vendors now roll out AI capabilities automatically within their platforms. A marketing team might start using AI features in an approved tool like Canva or HubSpot without realizing these capabilities were never reviewed by IT for security risks. Employees may enable AI-powered features in existing applications, creating new data pathways that bypass organizational security protocols.

According to Grip Security’s 2025 SaaS Security Risks Report, 91% of AI tools in use are unmanaged by security or IT teams, and AI adoption is outpacing security governance by a 4:1 margin. Even more concerning, IBM’s 2025 Cost of Data Breach Report found that companies with high levels of shadow AI faced $670,000 higher breach costs compared to those with minimal unsanctioned AI use.

The Connection to Shadow IT
Shadow AI is an evolution of the longstanding shadow IT problem—the use of any unauthorized hardware, software, or cloud service without IT department knowledge. Think employees sharing files through personal Dropbox accounts, managing projects in unapproved collaboration tools, or using personal devices for work tasks. While shadow IT has always posed security risks, Shadow AI amplifies these concerns because AI models process and learn from data in unpredictable ways, potentially exposing sensitive information to external systems.

What Business Decision-Makers Need to Know
The risks of Shadow AI extend far beyond simple policy violations. When employees input customer data, financial information, or proprietary business intelligence into unsanctioned AI tools, that data may be stored externally, used to train AI models, or inadvertently exposed through data breaches at the AI provider. Organizations face compliance violations, intellectual property exposure, and reputational damage—all from tools that seemed harmless.

The challenge isn’t that employees are acting maliciously; they’re simply trying to work more efficiently. Banning AI tools outright rarely works and often pushes workers toward more obscure alternatives that are even harder to monitor. Instead, small business leaders should take a proactive approach: develop clear AI usage policies, provide approved AI tools that meet productivity needs, educate employees about data security risks, and implement monitoring solutions to detect unsanctioned AI use.

Shadow AI isn’t going away—but with proper awareness and management, St. Louis businesses can harness AI’s benefits while protecting their most valuable assets: their data and their customers’ trust.

Nick LaRosa is a Founding Partner at CMIT Solutions St. Louis, a Managed IT Service Provider. Contact Nick at 314.628.0811 or visit www.cmitstl.com.