By Melissa Peneycad, director of public engagement and AI strategy, MDR Strategy Group
Across organizations, AI is being used more extensively than many leaders realize: for drafting and summarizing, scheduling, translation, search, meeting transcription, document review, analytics, and service delivery to registrants and the public. Some of this use comes through AI assistants such as ChatGPT. Some of it is embedded in widely used tools and platforms, including Microsoft 365, Adobe Acrobat, Zoom, Canva, CRM systems, and even browsers such as Chrome. Together, this poses a clear governance challenge as AI use expands rapidly and unevenly, often with limited visibility across the organization.
This is where shadow AI becomes a concern. Shadow AI refers to employees using AI tools, applications, or services without the organization’s approval, oversight, or knowledge. This also applies to commonly used software platforms, such as those listed above, which may be approved at the time of purchase but are later updated with AI features that receive little to no additional review.
The implications are broader than they may seem. When an organization lacks visibility into how AI is being used, it may also lack visibility into where sensitive information is going, how AI outputs influence work, whether decisions are being shaped by unverifiable content, and who is accountable when something goes wrong. For regulators, those blind spots can affect confidentiality, quality, accountability, and the defensibility of decisions and processes, with corresponding implications for fairness, transparency, public trust, and legitimacy.
The shadow AI problem is much bigger and more common than leaders may realize. Gartner reported in late 2025 that 69 percent of organizations suspect or have evidence that employees are using prohibited public generative AI.[i] In 2026, Microsoft reported that 29 percent of employees have turned to unsanctioned AI agents, or AI tools designed to perform tasks with some degree of autonomy, for work tasks, even as only 47 percent of organizations have implemented dedicated security controls for generative AI.[ii]
Similarly, recent research conducted on behalf of cybersecurity firm BlackFog found that 49 percent of workers reported using AI tools without employer approval, often through free versions that may expose sensitive data.[iii] While these findings are not specific to the regulatory sector, they point to a broader workplace pattern in which AI use is outpacing organizational controls, and regulators should not assume they are exempt from the same dynamics.
One of the first mistakes organizations make is assuming that a policy prohibiting the use of AI for work will solve the problem. In practice, that approach often drives AI use further underground, reducing visibility rather than risk.
If leaders want to shine a light on shadow AI, they need to take a more deliberate approach.
The starting point is usually a baseline AI inventory. This does not need to be complex, but it should be structured: discovering and cataloging AI systems already in use, scanning for unsanctioned tools, and mapping existing AI assets. This means identifying what AI tools are being used, by whom, whether they are personal or organization-managed accounts, whether they are free, paid, or enterprise versions, what they are being used for, what information may be entered into them, and what privacy or data settings are enabled.
Self-reporting of AI use is rarely sufficient. Regulators can also use their own systems and records to identify how and where AI is used. Depending on the organization, this may include reviewing software licenses, enabled AI features, administrative dashboards, sign-on records, access logs, browser activity, and other indicators that show which tools, functions, and interactions are active. These methods will not capture every form of personal or off-network AI use. That is why technical discovery works best when paired with clear expectations and an environment where employees feel safe speaking candidly about current use.
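The discovery step above can be started from the records the organization already holds. The following is an added example, not part of the article, that turns constructed sign-on records into a first-pass inventory: which AI tools appear, who signs in, whether the account is personal or organization-managed (judged by email domain), and which licence tier is in use. The organization domain, the host-to-tool map, and the record format are all assumptions for the example.

```python
import re
from collections import defaultdict

ORG_DOMAIN = "example-regulator.org"  # assumed organization email domain
# Assumed host-to-tool map; a real inventory maintains its own list.
AI_HOSTS = {"chatgpt.com": "ChatGPT", "copilot.microsoft.com": "Microsoft Copilot",
            "gemini.google.com": "Gemini"}
# Assumed record shape: timestamp, signing-in user, destination host, licence tier.
RECORD_RE = re.compile(r"^(\S+)\s+user=(\S+)\s+host=(\S+)\s+tier=(\S+)$")

# Constructed sample records, not real log data.
SAMPLE_RECORDS = """
2026-01-14T09:12:03Z user=alice@example-regulator.org host=copilot.microsoft.com tier=enterprise
2026-01-14T09:15:41Z user=bob.home@gmail.com host=chatgpt.com tier=free
2026-01-14T10:02:17Z user=carol@example-regulator.org host=chatgpt.com tier=free
2026-01-14T10:30:55Z user=dave@example-regulator.org host=intranet.example-regulator.org tier=n/a
2026-01-14T11:08:09Z user=erin@example-regulator.org host=gemini.google.com tier=paid
""".strip().splitlines()

def account_type(user):
    """Personal vs organization-managed, judged by the sign-in email domain."""
    return "managed" if user.rsplit("@", 1)[-1].lower() == ORG_DOMAIN else "personal"

def build_inventory(records):
    """Group AI-tool sign-ins by tool: who uses it, account types, licence tiers."""
    inventory = defaultdict(lambda: {"users": set(), "accounts": set(), "tiers": set()})
    for line in records:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than guess
        _ts, user, host, tier = m.groups()
        tool = AI_HOSTS.get(host.lower())
        if tool is None:
            continue  # not a known AI service (e.g. the intranet)
        entry = inventory[tool]
        entry["users"].add(user.lower())
        entry["accounts"].add(account_type(user))
        entry["tiers"].add(tier.lower())
    return dict(inventory)

def review_flags(inventory):
    """What the review should look at first: personal accounts and free tiers."""
    flags = []
    for tool, entry in sorted(inventory.items()):
        if "personal" in entry["accounts"]:
            flags.append(f"{tool}: personal account(s) in use")
        if "free" in entry["tiers"]:
            flags.append(f"{tool}: free tier in use; check data retention and training settings")
    return flags
```

Records that do not match a known AI host are skipped rather than guessed at, which is also why this output is a starting list for conversation with staff, not a complete picture of off-network or personal-device use.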
This also gives leadership an opportunity to understand whether and how staff need better support and where safer, organization-approved alternatives may be needed. A clear message from the CEO or Registrar that the purpose of the exercise is visibility, risk management, and responsible practice, rather than blame or shame, can make a meaningful difference.
Once an organization has a clearer picture of current AI use, it is in a much stronger position to decide what should be encouraged, restricted, approved, monitored, or prohibited. It can then move toward a more intentional framework that includes policy, staff guidance, approved use cases, training, review expectations, procurement decisions, and, where appropriate, investment in more secure or enterprise-grade tools.
For regulators, the task is to ensure that AI use does not outpace the controls needed to protect confidentiality, defensibility, risk management, and public trust.
The organizations best positioned to manage AI well will not be those that assume they have full visibility into how and where it is being used simply because no one has raised concerns. They will be the ones prepared to ask harder questions, dig deeper to uncover what is already in use, and create a responsible path forward. After all, you cannot govern what you have not yet identified.
[i] Gartner (2025). “Gartner Identifies Critical GenAI Blind Spots That CIOs Must Urgently Address.” Press release.
[ii] Microsoft (2025). “Cyber Pulse: an AI Security Report.” Security Insider.
[iii] BusinessWire (2026). “Shadow AI Threat Grows Inside Enterprises as BlackFog Research Finds 60% of Employees Would Take Risks to Meet Deadlines.”