Shadow Artificial Intelligence creates growing business risk

Unauthorized Artificial Intelligence tools are emerging as a compliance, security, and litigation concern for employers. Companies face pressure to set clear governance rules before workers expose sensitive data through unapproved platforms.

Employers are moving quickly to capture the productivity benefits of artificial intelligence-powered tools, but unauthorized use by employees is creating a new category of insider risk. Shadow Artificial Intelligence refers to workers using unsanctioned Artificial Intelligence platforms or software for business tasks, often with good intentions and without malicious conduct. The risk becomes acute when employees enter confidential company or customer information into public tools available through free personal accounts, including ChatGPT, Claude, and Gemini.

A recent Community Bank disclosure to the US Securities and Exchange Commission illustrates the potential consequences. The bank reported that nonpublic customer information was processed internally through an unauthorized Artificial Intelligence-based software application. The customer information at issue included customer names, Social Security numbers, and dates of birth. The bank said the incident did not disrupt operations, payment systems, core information technology infrastructure, or customer access to accounts and services, yet the sensitivity and volume of the data still prompted public reporting and remediation.

Shadow Artificial Intelligence can trigger obligations under cybersecurity, privacy, financial services, healthcare, education, children’s privacy, and consumer privacy rules. Incidents may implicate the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the Family Educational Rights and Privacy Act, the Children’s Online Privacy Protection Act, the California Consumer Privacy Act, state privacy laws, the US Department of Justice’s Data Security Program, the EU’s General Data Protection Regulation, and the UK’s GDPR. Companies may also face customer notice duties, insurance reporting requirements, regulatory inquiries, private lawsuits, tort claims, and class action exposure.

The security risks are not theoretical. ChatGPT conversations have been found publicly accessible through Google after shared conversations were indexed, and chat logs were later reported as available through a common Google analytics tool. Courtroom risks also exist: a federal judge allowed prosecutors to access Claude logs found on a seized computer after ruling that a criminal defendant’s communications with the platform about his case were not protected by attorney-client or work product privileges. DeepSeek has also drawn concern from US government and private-sector entities over alleged data and policy-alignment risks tied to China.

Businesses are urged to respond with formal Artificial Intelligence governance rather than relying on informal expectations. Effective controls may include collaboration among information technology, legal, and compliance teams, data mapping and classification, Artificial Intelligence-focused risk analysis, approved enterprise tools, workforce training, vendor review, client coordination, monitoring, technical barriers, and updated incident response plans. Policies should prohibit Shadow Artificial Intelligence, define acceptable use, impose consequences for violations, and account for regulatory disclosure obligations when data exposure occurs.
