

The shadow AI you approved yourself
Mario Beck
2026-07-21
Ask a security leader about shadow AI and you'll hear about employees pasting code and contracts into ChatGPT. Fair enough. That's real, and it's worth managing.
But it's not the part that's growing fastest. The part that's growing fastest is the AI you approved yourself, without realizing it.
A CISO at a large pharmaceutical company described it to me better than I could. I'll paraphrase to keep him anonymous: when AI capabilities arrive through tools you already run, the CRM, the ERP, the productivity suite, the document environment, the organization deploying them owns the decision to classify, approve, monitor, or restrict them. But they're almost never told early enough. It's pure luck, or someone happens to notice and mentions it to the CISO, if there even is one. There's no process around it.
That sentence has stuck with me, because it names the whole problem. Not "employees are reckless." Something quieter: the decision is yours, and nobody routes it to you.
How the AI gets in without a meeting
Your trusted vendors ship updates. Microsoft, Adobe, Zoom, Notion, SAP, your CRM. One of those updates turns on a generative-AI feature, often by default, and now corporate data is moving through a third party's AI infrastructure. No rollout plan crossed your desk. No risk review happened. The feature just appeared, the way features do.
Microsoft reported 15 million paid Microsoft 365 Copilot seats on its Q2 FY26 earnings call in late January 2026, and it kept getting pushed toward default-install after that. Most of those seats landed in environments nobody had assessed for what Copilot can actually reach. Multiply that across every vendor in your stack and you get the real shape of shadow AI in 2026. It didn't sneak in through a rebellious employee. It came through the front door, signed by a vendor you trust, with an update note you didn't read.
The bit that has teeth
Here's why this isn't just hygiene. Under the EU AI Act, the heavy obligations split between the provider who builds the AI and the deployer who uses it. You are the deployer. Article 26 puts real duties on you: keep a human in the loop, monitor how the system behaves, retain logs, and tell your staff before AI goes live in their workplace.
Now hold that next to the vendor-switches-it-on-by-default reality. You're carrying duties for systems you didn't know went live. You can't oversee what you can't see. You can't log what you didn't know was running. And you certainly can't inform your works council about a tool that activated itself on a Tuesday.
The deadlines have shifted, and they'll probably shift again. The most demanding high-risk obligations now land at the end of 2027 under the Digital Omnibus. Don't let that be a reason to wait. The thing the Act actually asks of you first is the most boring and the most useful: know what AI you have. Every auditor, every enterprise customer's security questionnaire, every board that's paying attention is going to ask for that inventory. "We didn't know it was on" stopped being an acceptable answer.
Why the obvious fix doesn't work
The reflex is to point your data-loss-prevention stack at it. Decrypt the traffic, read what's leaving, block what shouldn't. It doesn't work here, for two reasons that have nothing to do with effort.
The first is cost. Reading content in real time means breaking and re-encrypting TLS inline, which throttles your network and demands hardware budgets that don't survive contact with a CFO.
The second is law. Intercepting your employees' traffic in real time runs straight into GDPR and into your works council, and in the Netherlands that conversation doesn't take weeks, it takes quarters. You'll spend six to twelve months in review for a control that was the wrong shape to begin with.
And it's the wrong shape because you're trying to read the traffic when the question is much simpler. You don't need to know what your people typed. You need to know which of the tools you already pay for quietly turned AI on. That's a catalog question, not a wiretap.
Start with a matrix, not a network tap
The cheapest useful move is a feature matrix. List your approved tools. For each one, answer five things: has it added a generative-AI feature, is it on by default, what data can it reach, where does that data get processed, and who actually approved it. That last column is the uncomfortable one, because for a lot of rows the honest answer is "nobody."
That's it. No agent on anyone's laptop, no decrypted traffic, no personal data, nothing for the works council to review. Just a clear picture of where AI is already living inside software you trust, scored by how much it can reach and whether the data leaves your control.
From there the decisions get easy, because they're finally visible. Turn this one off. Govern that one and write down who owns it. Move that workload, the one quietly feeding regulated data to a provider in another jurisdiction, somewhere you actually control. And, the part the pharma CISO was really asking for, put a small process in place so the next silent rollout lands on someone's desk instead of slipping past everyone.
The honest version of "get ahead of it"
None of this requires a transformation programme. It requires an inventory and an owner, which is the same unglamorous foundation every workable AI governance story rests on. The organizations that look calm about the AI Act and the new cybersecurity rules aren't the ones with the thickest policies. They're the ones who can answer "what AI are you running?" without flinching.
I turned the feature matrix above into a short self-check you can run across your own stack in about an hour, scoring tool by tool and ending with a one-page summary your board would actually read. You can grab it through our newsletter here.
And if you find the column that says "nobody approved this" filling up faster than you'd like, that's worth a conversation. It's usually a quick fix once you can see it.