Shadow AI : 78 % des salariés utilisent l'IA sans l'accord de l'IT, et le DG l'ignore

Shadow AI : 78 % des salariés utilisent l'IA sans l'accord de l'IT, et le DG l'ignore

7 July 2026 10 min read
Learn how general managers can turn shadow AI from a hidden risk into a controlled performance lever with a one-page governance framework, concrete risk examples, and practical metrics for resilience and compliance.
Shadow AI : 78 % des salariés utilisent l'IA sans l'accord de l'IT, et le DG l'ignore

Shadow AI as the new execution gap for general managers

Shadow AI is now the shadow IT of this decade for every general manager. Recent surveys from Microsoft and Salesforce indicate that roughly three quarters of employees experiment with artificial intelligence tools without formal approval, confirming that the issue is no longer technology but governance and the risks associated with unmanaged decisions. Your role is to turn this invisible usage into a structured asset for your organisation before it erodes control, security and business resilience.

Employees bypass official systems because approval processes are slow, sanctioned platforms feel less user friendly than public generative tools, and no one has translated compliance governance into a one page playbook. In that vacuum, people plug sensitive data into external models, subscribe to third party platforms on corporate cards, and build their own models in spreadsheets or low code tools. Shadow AI emerges in a grey zone where organizations want speed, but infrastructure, regulatory compliance and security frameworks have not caught up.

For a general manager, the core problem is not that shadow tools exist, but that you lack visibility on where they sit in your business units and how they influence decisions. Without governance tools and clear governance best practices, you cannot quantify the risk or the ROI of these generative assistants compared with sanctioned systems. A serious approach to shadow AI enterprise risk governance therefore starts with treating unapproved artificial intelligence usage as a performance management topic, not only as an IT security issue.

That shift allows organizations to connect AI usage directly to KPIs such as cycle time, error rates and margin per client. It also reframes governance from a defensive checklist into a design question about how teams work, which tools they need, and what control mechanisms are acceptable in your organisation. When you approach shadow AI enterprise risk governance through this execution lens, you can align risk appetite, resilience targets and innovation speed instead of trading them off blindly.

Why employees create shadow AI and what it reveals about your systems

Employees rarely wake up wanting to violate governance or security rules. They turn to shadow AI when official systems feel slower, less relevant or more constrained than the generative tools they can access in two clicks on their phones. The spread of user friendly external models is therefore a mirror of gaps in your operating model, not just a failure of IT control.

Three structural drivers appear again and again across organizations and business units. First, approval workflows for new tools are designed for traditional systems and infrastructure, so a simple generative assistant can take months to validate while a free third party chatbot is available instantly. Second, there is often no clear one page policy on acceptable uses, so people improvise with sensitive data and assume that basic anonymisation is enough to manage the risks associated with prompts and uploads.

Third, official AI models and governance tools are sometimes less powerful than public generative platforms, especially when internal data is fragmented across silos and visibility is poor. When a marketing manager sees that an external artificial intelligence assistant writes better copy in minutes than internal tools, shadow AI becomes a rational choice from a productivity perspective. This is why shadow AI enterprise risk governance must integrate performance metrics, not only security and regulatory compliance constraints.

For a general manager, each unapproved subscription or improvised script is a signal about where your organisation under delivers in terms of tools, training or governance best practices. In one European services company, for example, a cluster of unapproved AI subscriptions in the sales team revealed that the official proposal generator was too rigid and slow; redesigning that process cut proposal cycle time by 30% and eliminated most shadow tools. When you treat shadow AI as structured feedback on business needs, you can redesign processes, adjust control levels and prioritise investments where the risk and the upside are both highest.

Concrete risks from shadow AI for data, security and resilience

Shadow AI concentrates several categories of risk that sit directly in the general manager’s accountability. The most visible is the exposure of sensitive data when employees paste client files, pricing models or HR dossiers into generative tools that rely on external models and third party infrastructure. Once these datasets leave your organisation, you lose control over retention, reuse and the security posture of the provider.

A second category of risk concerns decision quality and operational resilience. When teams rely on artificial intelligence systems that hallucinate or misinterpret data, they may take decisions on pricing, recruitment or investments based on flawed outputs without any governance or peer review. In a crisis, such as a supply chain disruption or a cyber incident, unverified AI generated recommendations can amplify errors instead of supporting robust risk management and business continuity.

The third risk cluster is regulatory compliance and contractual exposure. Many sectors now require explicit governance for high risk AI systems, including documentation of models, data sources and control processes. If your teams use shadow tools to screen candidates, score clients or automate decisions in your business unit, you may breach regulatory obligations or client contracts without even knowing that these tools exist.

From a resilience perspective, shadow AI also creates hidden single points of failure in operational systems. A key analyst might maintain a critical prompt library or a custom script on a personal account, and when that person leaves, the capability disappears with no transition plan. In one manufacturing group, a planner’s undocumented AI script for production scheduling failed during a logistics incident, adding hours of manual rework at the worst possible moment. This is why any serious shadow AI enterprise risk governance framework must be integrated into your crisis playbooks and the way you manage the first 48 hours of an operational shock, as discussed in this analysis on operational crisis management in a business unit.

Building a one page governance and control framework that people use

General managers do not need a 50 page policy to regain control over shadow AI. You need a one page framework that clarifies which tools are allowed, which uses are prohibited, and how exceptions are handled quickly without paralysing innovation. This is the operational heart of shadow AI enterprise risk governance for a business unit.

Start by segmenting AI usage into three zones that are easy to explain in your organisation. The green zone covers user friendly generative tools for low risk tasks such as drafting emails, summarising public reports or generating ideas without any sensitive data. The amber zone includes use cases where employees may touch client information, internal financial data or HR topics, and here you require approved governance tools, documented best practices and explicit manager validation.

The red zone is where no shadow usage is tolerated because the risks associated with errors, bias or leakage are structurally high. This includes automated decisions on credit, recruitment, health or safety critical systems, where only validated models and controlled infrastructure are acceptable. For each zone, define simple governance practices, such as mandatory human review, logging of prompts, and clear rules for handling sensitive data.

To make this framework live, you must align incentives, KPIs and reporting with it. A practical one page template for general managers can include: a short purpose statement; a table listing green, amber and red zones with examples; a checklist of do and don’t rules for data handling; a simple approval path for exceptions; and two or three metrics on usage, risk incidents and business impact. When managers are evaluated on how they balance performance, risk and compliance in their teams, shadow AI enterprise risk governance stops being an abstract policy and becomes part of everyday execution.

Operationalising visibility, metrics and business resilience around shadow AI

Once the governance frame is clear, the next challenge is execution at scale. You need practical mechanisms that allow organizations to detect shadow AI usage, measure its impact and adjust control levels without creating a culture of surveillance. The objective is to embed shadow AI enterprise risk governance into normal performance management, not to launch a separate compliance crusade.

Several proxy indicators provide actionable visibility without intrusive monitoring of individuals. Finance can flag recurring third party AI subscriptions in expense reports, procurement can map contracts mentioning external models or generative tools, and IT can analyse API traffic and token consumption on authorised AI platforms. Together, these signals show where business units experiment, where sensitive data might be exposed, and where governance tools or training are missing.

From there, you can run targeted interventions instead of generic awareness campaigns. For example, if one sales team relies heavily on user friendly public tools for pricing, you can co design a sanctioned solution with proper security, infrastructure and controls, then migrate them with clear best practices. If a risk function identifies repeated use of artificial intelligence for credit scoring outside approved systems, you can tighten control, update governance rules and integrate these cases into your regulatory reporting.

Over time, the goal is to treat AI usage like any other strategic capability in your organisation. You define which models and systems are core, which tools remain experimental, and how each contributes to resilience, margin and growth. When shadow AI enterprise risk governance is managed with the same discipline as capital allocation and talent, the general manager stops ignoring the three quarters of employees experimenting with AI and turns that energy into a controlled advantage for the business.

FAQ

How can a general manager quickly assess the level of shadow AI in a business unit ?

Start with three simple diagnostics that do not require new systems. Review expense reports for third party AI subscriptions, ask procurement for any contracts mentioning generative tools or external models, and request from IT a high level view of traffic to major artificial intelligence platforms. These signals, combined with a few structured interviews in key teams, give you a realistic picture of shadow AI usage within days.

What should be strictly prohibited in any shadow AI usage policy ?

Any use of unapproved tools involving sensitive data such as client identities, financial forecasts, HR files or health information should be banned. Automated decisions in high risk domains, including credit, recruitment, safety or regulatory screening, must only run on validated models and controlled infrastructure. Your policy should also prohibit employees from accepting default terms that transfer intellectual property or weaken security protections without legal review.

How do I balance innovation and control without slowing my teams down ?

Define clear green, amber and red zones for AI usage, and give teams wide autonomy in the green zone while tightening governance in the others. Provide a short catalogue of approved, user friendly tools so employees can move fast without resorting to shadow solutions. Finally, commit to fast track reviews for new use cases, with explicit service levels, so that governance is seen as an enabler rather than a blocker.

Which functions should own shadow AI governance in an organisation ?

The general manager should set the risk appetite and performance expectations, while IT, risk, legal and HR co own the detailed governance framework. IT manages systems, infrastructure and technical control, risk and compliance oversee regulatory obligations and risks associated with decisions, and HR integrates AI skills and behaviours into role descriptions. Business units remain accountable for how AI is used in their processes, ensuring that governance is anchored in day to day execution.

How can shadow AI affect business resilience during a crisis ?

In a crisis, undocumented AI scripts, prompts or tools can become single points of failure if the people who created them are unavailable. Unverified outputs from generative tools can also mislead crisis cells, especially when time pressure is high and governance is weak. Integrating AI usage into crisis exercises and documenting critical automations in advance helps protect operational resilience when it matters most.