Shadow AI Is The Quiet Risk Behind The AI Dramas
While the world is distracted by the Anthropic Fable 5 banning, shadow AI continues to quietly sit as a real risk faced by the majority of Australian businesses.
Posted: Thursday, Jun 25

Introduction

Go to any get-together with friends and the conversation eventually turns to AI. People talk about the tool they have been using, and more often than not it is not the one their employer has approved. It is the one running on their personal account, on their own phone, signed up with a private email. They are not hiding anything sinister; they have simply found something that genuinely helps them get through the day.

This is what people have started calling ‘shadow AI’, the AI a business is running without knowing that it is running it. It is easy to overlook this seemingly innocuous matter in favour of the latest international AI drama. Thus, while the world is distracted by the Anthropic Fable 5 banning, shadow AI continues to quietly sit as a real risk faced by the majority of Australian businesses.

The numbers back up what you hear around the table. A 2025 study by KPMG and the University of Melbourne found that 57 per cent of workers admit to hiding their use of AI from their managers.

The Change In Use

I spend my weeks encouraging Australian businesses to adopt AI, and plenty of them still hold back. Only around 43 per cent of small and medium firms report using it at all, which just happens to be lower than the reported figure on shadow AI. While the organisation is still deciding whether to begin, its people already have.

And there is not a great deal a business can do to stop it. You cannot police what someone types into their own phone on the train home. You cannot block a personal account you cannot see. The instinct to ban it outright is understandable and almost entirely useless, because the tool is already on every desk and in every pocket.

This might sound harmless, and most of the time it is. The problem is what happens to the words once they are typed. The personal tiers of the major AI tools, the free and personal-paid plans, keep what you put into them and use it to train their models by default. So when an employee pastes a client’s name, a contract or a set of financials into a personal account, that information leaves the business, and it can end up shaping a model that is later used by millions of people around the world.

A Quiet Entry

The sneakiest version of this hides in plain sight. Meeting note-takers, the tools that quietly join a video call and email round a tidy transcript afterwards, are rarely thought of as AI at all, yet they capture the most sensitive conversations a business has. They are almost always signed up by one person on a personal plan, and most store and process that audio overseas by default. A client meeting, a performance review or a board discussion can leave the building before anyone has thought to ask where the recording ends up. If you audit one category of shadow AI first, make it this one.

In some industries that is not just risky, it is unlawful. For example, in the health industry, information in the My Health Record system is legally required to stay in Australia, and it is an offence to hold or process it overseas. Penalties range from warnings all the way through to jail terms for serious breaches. An adviser, a nurse or a bookkeeper using a personal account may be breaking a law on the firm’s behalf without the faintest idea they are doing it.

This is not a hypothetical risk. In 2025 a senior Victorian barrister had to apologise to the court after filing submissions in a murder case that quoted cases and judgments an AI tool had simply invented. In a separate matter a Melbourne law firm was ordered to pay costs over fake AI-generated citations, and one solicitor lost the right to practise as a principal. None of them set out to do anything wrong. They leaned on unauthorised processes and tools, and the fallout landed on the practice.

There is no single fix for this. It is a mixture of things. You need a clear internal policy that staff will actually read. You need to help people understand that the personal account is the problem, not the tool itself. Most of all, you need to give them a viable alternative. The business and enterprise versions of the same tools do not train on your data and keep it under proper controls. If work has paid for a secured version, there is no longer any reason for someone to reach for a personal one.

While these actions may help to mitigate the risk, they do not entirely solve it. It is simply not possible to monitor employees continuously. However, by acting on the risk, you can demonstrate to any future investigation that you fulfilled your duty of care to identify and address it, which will count in your favour should an incident ever occur.

Conclusion

Shadow AI is one of the biggest hidden risks of the current boom, and it deserves the same attention you would give any other serious risk to the business. The reassuring part is that the answer is not really about technology. It is about giving people a better option than the one they have quietly found for themselves.

You cannot ban shadow AI. But you can replace it.

Andrew Lai
Andrew Lai is managing director of SMEC AI, where he works with SMEs to design and deliver AI adoption that lifts productivity and builds workforce capability. This includes developing practical AI tools and programs that support responsible adoption at scale, improve how work gets done, and help organisations realise measurable returns from AI.