Shadow AI is a term that describes the unsanctioned or ad-hoc use of generative AI within an organization, outside of IT governance. This can occur when AI applications are developed or used without being officially sanctioned or monitored by an organization’s IT department.

In many ways, Shadow AI is the next generation of Shadow IT, which likewise refers to employees using desktop applications that are outside the control of an organization’s IT department. However, the rapid pace of the deployment of AI is unprecedented. Thus, the potential for business users to build and develop AI apps that compromise an organization’s ability to detect, risk assess, and mitigate AI risk is equally unprecedented.

In the near term, it is inevitable that Shadow AI will become a governance nightmare for IT as it struggles to decide what AI usage it must restrict to keep the business safe while also being seen to support the workforce and its need to deploy AI applications that create immediate productivity gains.

As a result, the Shadow AI environment will remain unchecked and continue to grow.

The good news, however, is that this is not a new problem! It’s essentially the same challenge companies have faced since the first spreadsheets became available over 30 years ago: an organization’s requirement to develop policies and procedures, supported by the appropriate technology, to discover and manage its End User Computing (EUC) environment, its Shadow IT!

Given that the AI apps developed by the business end users are EUCs, the question then becomes, why not update the policies, procedures, controls, and technology already in place to identify and manage the AI EUC risk associated with Shadow AI?

It’s a good question and, in part, the answer is, not surprisingly, ‘yes and no’. While your policies and procedures can be updated, your existing technology solution may not be built for these risks and may need to be upgraded to manage the threats posed by Shadow AI. However, this is a project that must start without delay. End User development of AI applications has arrived and therefore so has Shadow AI.

Why the urgency? What is it about the risks of End User AI applications that is sufficiently different to require a company’s immediate attention? The most obvious answer is the potential impact on the quality and accuracy of the decisions that AI helps an organization to make and to act upon. Underlying all the results and predictions that AI apps are capable of generating is an entirely new set of risks, which must be addressed in an organization’s assessment and revision of its End User Computing policies and procedures, including its EUC Management Technology.

These vulnerabilities are common to all AI EUCs and can best be summarized as follows:

1. Injection of Bias - Without a sophisticated understanding of data science and statistics, it's easy to inject bias and risk into AI Applications.

2. Lack of Internal Architectural Governance - can result in issues with system integration and data consistency.

3. Skipping Important Production Checks - will lead to the deployment of flawed applications.

4. Reliance on Third Parties for Critical Functions - will lead to issues if the vendor experiences problems.

5. Data Privacy and Security - Without the knowledge of data privacy law and the appropriate oversight and safeguards, data privacy breaches can and will occur.

6. Limited Customization - End User AI Applications may have limited capability to customize their AI Models and provide the fine-grained control that is often required.

7. Complexity of Advanced AI Algorithms - can be a challenge for end users without a deeper understanding of AI and the languages and libraries required to support AI development.

It is clear therefore that Shadow AI will present a far more complex environment than its Shadow IT predecessor and one that will require detailed revisions of policy and procedures resulting in new risk assessment algorithms and risk management controls.

However, as mentioned earlier, this is not a new problem! Organizations have already had to address the threats posed by EUCs within their Shadow IT environments and are therefore familiar with the process and resources required to define what their EUC Management ‘Future State’ should look like.

To meet this challenge CIMCON Software has already developed the necessary tools and controls that will be required to discover, risk assess, and manage the AI EUCs that are currently resident or are soon to become a part of an organization’s rapidly growing Shadow AI environment.