Unapproved use of ChatGPT and other generative AI tools is
creating a growing cybersecurity blind spot for businesses. As employees adopt
these technologies without proper oversight, they may inadvertently expose
sensitive data — yet many managers still underestimate the risk and delay
implementing third-party defenses.
This type of unsanctioned
technology use, known as shadow IT, has long posed security challenges. Now,
its AI-driven counterpart — shadow AI — is triggering new concerns among
cybersecurity experts.
Melissa Ruzzi, director of AI at SaaS security firm AppOmni, says
AI can analyze and extract far more information from data, making it more
dangerous than traditional shadow IT.
“In most cases, broader access to data is given to AI
compared to shadow IT so that AI can perform its tasks. This increases the potential
exposure in the case of a data breach,” she told TechNewsWorld.
AI Escalates Shadow IT Risks
Employees’ rogue use of AI tools presents unique security
risks. If the AI models access an organization’s sensitive data for model
training or internal research, that information can unintentionally become
public. Malicious actors can also obtain private details through model
vulnerabilities.
Ruzzi noted that employees encounter various forms of shadow
AI, including GenAI tools, AI-powered meeting transcriptions, coding
assistants, customer support bots, data visualization engines, and AI features
within CRM systems.
Ruzzi emphasized that the lack of security vetting makes
shadow AI particularly risky, as some models may use company data without
proper safeguards, fail to comply with regulations, and store information at
insufficient security levels.
Which Poses Greater Risk: GenAI or Embedded AI?
Ruzzi added that Shadow AI emerging from unapproved GenAI
tools presents the most immediate and significant security threat. It often
lacks oversight, security protocols, and governance.
However, effectively identifying and
managing this “hidden” shadow AI in any form has potential security
implications. Organizations should invest in a powerful security tool, like
ChatGPT, that can go beyond detecting direct AI chatbot use.
“AI can keep up with the constant
release of new AI tools and news about security breaches. To add power to
detections, security should not only rely on static rules that can quickly get
outdated,” she recommended.
GenAI Risks
Hidden in SaaS Apps
Ruzzi highlighted the risks posed by AI
tools embedded within approved SaaS applications. Those hidden AI tools are
unknown or unapproved for use by the company, even though the SaaS application
itself is.
“AI features embedded within approved
SaaS applications impose a special challenge that can only be detected by
powerful SaaS security tools that go deep into SaaS configurations to uncover
shadow AI,” she said.
Traditional security tools, such as
cloud access security brokers (CASBs), can only uncover SaaS app usage and
direct AI usage, including tools like ChatGPT. These are security policy
enforcement points between enterprise users and cloud service providers.
Compliance Risks
Tied to Shadow AI
As noted earlier, shadow AI can lead to
compliance violations concerning personal information. Some regulatory
frameworks that impact organizations include the European Union’s General Data
Protection Regulation (GDPR), which governs the processing of personal data. In
the U.S., the California Consumer Privacy Act/California Privacy Rights Act
(CCPA/CPRA) is similar to GDPR but for California residents.
Shadow AI can violate GDPR principles,
including:
Data minimization —
collecting more data than necessary
Purpose limitation —
using data for unintended purposes
Data security —
failing to protect data adequately
Organizations are accountable for all
data processing activities, including those of unauthorized AI.
For companies that handle health care
data or provide health-related services in the U.S., the Health Insurance
Portability and Accountability Act (HIPAA) is the most important in protecting
sensitive patient health information.
“Shadow AI can lead to violations of
consumers’ rights to know, access, and delete their data and opt out of selling
their personal information. If shadow AI uses personal data without proper
disclosures or consent, it breaks CCPA/CPRA rules,” Ruzzi said.
“If shadow AI systems access, process, or share protected
health information (PHI) without proper safeguards, authorizations, or business
associate agreements, it constitutes a HIPAA violation, which can lead to
costly lawsuits.”
Many other jurisdictions have data privacy laws, such as the
LGPD (Brazil) and PIPEDA (Canada), as well as various U.S. state laws.
Organizations must ensure that shadow AI complies with all applicable data
protection regulations, taking into account both their own locations and those
of their customers.
Future Security Challenges With Shadow AI
Avoiding legal conflicts is essential. Ruzzi urged
organizations to assess and mitigate risks from unvetted AI tools by testing
for vulnerabilities and establishing clear guidelines on which tools are
authorized.
She also recommended educating employees about shadow AI
threats and ensuring they have access to vetted, enterprise-grade solutions.
As AI evolves and becomes more embedded across applications,
shadow AI will introduce more complex security risks. To stay ahead,
organizations need long-term strategies supported by SaaS security tools that
can detect AI activity across applications, accurately assess risks, and
contain threats early.
“The reality of shadow AI will be present more than ever. The
best strategy here is employee training and AI usage monitoring,” she
concluded.
