Shadow IT taught us something. Are we listening for shadow AI?

Shadow IT took a decade to govern and is still on the agenda. Shadow AI is moving way faster. The lessons from the first round apply directly, if we listen.

For a decade, IT teams fought shadow IT, and many still are. Microsoft Teams, Figma, Adobe: all started in someone's department before central IT got involved. Some companies eventually closed that gap with single sign-on, centralized purchasing, and integration layers.

Now there's a new version of the same problem, moving faster. Employees are signing up for AI tools the same way they signed up for SaaS tools in 2014: with a credit card, without telling IT, and with the work going through them anyway.

The instinct is to write a policy and lock it down. That didn't work the first time. It will work less well this time, because the productivity gain is bigger and the tools are easier to spin up.

This piece is about what worked the first time, and what to apply now.

1. The shadow AI pattern looks identical to shadow IT, 2014-style

The signals are familiar. AI line items appear in expense reports, employees cite tools nobody approved, and one team's productivity wins reveal a stack the rest of the company doesn't have access to. Something significant is happening and IT isn't quite sure what.

Procurement plays out the same way. AI tools start at $20 a month and fly under purchasing thresholds. By the time the spend is large enough to flag, the tools are embedded in workflows, and rolling them back creates an immediate productivity hit. The window for governance closes fast.

Ownership is the most telling part. Ask any IT or procurement leader who owns AI tool selection in their org. If the answer is "no one specifically" or "it depends on the department," that’s the same answer you’d have heard about SaaS in 2014. The tools are crossing departmental lines faster than ownership is being assigned.

One thing has shifted, though. Shadow SaaS was mostly about productivity workflows. Shadow AI is about productivity and cognitive offload. Employees aren’t just filing expenses faster, they’re drafting analysis, writing code, and making decisions, and the prompts carry whatever context those tasks need: customer records, source code, unreleased plans. That changes the risk profile. Data exposure, IP leakage, decision quality, all become governance questions, not just procurement ones.

2. Why governance-first responses won't work

The first instinct, when shadow patterns emerge, is to write policy. "Approved AI tools list. Submit any new tool for legal review. Violations will be tracked." This is exactly what didn't work in 2014.

The reason is structural. When a tool delivers visible productivity gain, employees adopt it whether or not policy allows. Policy without enablement creates two camps: the compliant employees who feel slower and the non-compliant ones who keep moving. The non-compliant camp grows because their work is more visible.

We’re seeing the same pattern with AI. Practitioners in IT communities have been saying for months that policies are lagging adoption by more than a year. Some companies have written policies forbidding tools that a majority of their employees already use daily. The policy and the reality have decoupled.

The brittleness compounds when the work happens through the unsanctioned tools anyway. If an analyst uses ChatGPT to draft a market summary, then puts the summary in the company report, the analysis is in the report regardless of whether ChatGPT was approved. The policy didn't prevent the use of AI, it just prevented IT from seeing it.

When policy outpaces enablement, shadow AI just gets shadow-er. Employees stop expensing the tools (free tier, personal credit card), stop mentioning them in meetings, stop sharing the prompts that work. The imperfect visibility IT had disappears with them.

3. What we learned the first time, applied now

The companies that solved shadow IT well (most of them, eventually) didn't out-govern it. They made the governed path the easier path.

Three lessons translate directly:

  1. Defaults beat policies: The companies that closed the SaaS gap didn't ban tools. They made the approved alternatives easier and better. Single sign-on meant no credential sharing. Centralized purchasing meant no individual expensing. The default path became the path of least resistance, and adoption followed. Applied to AI: approved tools have to be faster to provision, better integrated, and more capable than the unsanctioned ones. If your sanctioned ChatGPT alternative requires a five-step request flow and the unsanctioned one is a credit card away, you’ve already lost. Lower the friction on the approved path before raising it on the unapproved one.
  2. Visibility before control: The early shadow IT efforts that worked focused on observation first, control second. Spend audits, login pattern analysis, integration discovery: these built the picture of what was actually being used. Control came after the picture was clear. Applied to AI: spend visibility is the easy first step. Subscriptions show up in expense reports, in invoices, and in vendor data. Aggregate them, map them to teams and use cases, and build the picture before writing the policy. Most companies are surprised by what they find: not just which tools are most-used, but which teams have already standardized on something.
  3. Central purchasing as enabler, not gatekeeper: Central procurement worked when it sped tools up, not when it slowed them down. The companies whose IT and procurement teams could turn around a SaaS request in 48 hours stopped having shadow SaaS. The ones that took six weeks kept it forever. Applied to AI: the move is a fast-track approval process. Define the criteria upfront (data residency, IP terms, security review depth), pre-approve a list of vendors that meet them, and process new requests in days rather than weeks.
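What the spend audit from the "visibility before control" lesson looks like when you actually run it, as an added example in Python (not Velory's code or tooling). The vendor list, the purchasing threshold, the team headcounts and the expense lines are all constructed assumptions; the point is the two checks that only work on aggregated data: charges that individually sit under the purchasing threshold but add up past it, and teams that have quietly standardized on one tool.

```python
"""Shadow AI discovery from expense data.

Added example, not Velory's code. Everything below is constructed for
illustration: the vendor list, the purchasing threshold, the team headcounts
and the expense lines are all assumptions, not real data.
"""
from collections import defaultdict

# Assumption: vendor names (lower-cased) whose charges count as AI tool spend.
AI_VENDORS = {"openai", "anthropic", "midjourney", "github copilot", "perplexity"}

# Assumption: a single charge below this amount never reaches procurement review.
PURCHASING_THRESHOLD_USD = 100.0

# Assumption: headcount per team, e.g. from an HR export.
TEAM_HEADCOUNT = {"marketing": 6, "engineering": 8, "finance": 5}

# Constructed sample: (employee, team, vendor, monthly_usd), repeated per month
# to mimic recurring card subscriptions landing in expense reports.
SUBSCRIPTIONS = [
    ("alice", "marketing", "OpenAI", 20.0),
    ("bob", "marketing", "OpenAI", 20.0),
    ("carol", "marketing", "OpenAI", 20.0),
    ("dave", "marketing", "Midjourney", 30.0),
    ("erin", "engineering", "GitHub Copilot", 19.0),
    ("frank", "engineering", "GitHub Copilot", 19.0),
    ("grace", "engineering", "Anthropic", 20.0),
    ("heidi", "finance", "Uber", 42.0),  # not AI spend; must be ignored
    ("ivan", "finance", "OpenAI", 20.0),
]
MONTHS = ["2025-01", "2025-02", "2025-03"]
EXPENSE_LINES = [
    (emp, team, vendor, amount, month)
    for month in MONTHS
    for (emp, team, vendor, amount) in SUBSCRIPTIONS
]


def normalize_vendor(name):
    """Collapse case and whitespace so 'GitHub Copilot' and 'github  copilot' match."""
    return " ".join(name.lower().split())


def ai_lines(lines):
    """Keep only expense lines whose vendor is on the AI vendor list."""
    return [
        (emp, team, normalize_vendor(vendor), amount, month)
        for (emp, team, vendor, amount, month) in lines
        if normalize_vendor(vendor) in AI_VENDORS
    ]


def spend_by_vendor(lines):
    """Total spend per normalized vendor over all lines."""
    totals = defaultdict(float)
    for (_emp, _team, vendor, amount, _month) in lines:
        totals[vendor] += amount
    return dict(totals)


def below_threshold_vendors(lines, threshold=PURCHASING_THRESHOLD_USD):
    """Vendors whose every single charge is below the purchasing threshold but
    whose aggregate spend is at or above it: the pattern that flies under
    purchasing review line by line and only shows up when you add it up.
    Returns (vendor, total) pairs, largest total first."""
    ai = ai_lines(lines)
    totals = spend_by_vendor(ai)
    largest = defaultdict(float)
    for (_emp, _team, vendor, amount, _month) in ai:
        largest[vendor] = max(largest[vendor], amount)
    flagged = [
        (vendor, total)
        for vendor, total in totals.items()
        if largest[vendor] < threshold <= total
    ]
    return sorted(flagged, key=lambda vt: vt[1], reverse=True)


def team_standardization(lines, headcount, min_share=0.5):
    """Teams where at least min_share of headcount pays for the same AI tool,
    i.e. a de facto standard nobody in IT chose. Returns (team, vendor, share)."""
    users = defaultdict(set)  # (team, vendor) -> set of employees paying for it
    for (emp, team, vendor, _amount, _month) in ai_lines(lines):
        users[(team, vendor)].add(emp)
    found = []
    for (team, vendor), emps in users.items():
        if team not in headcount:
            continue  # unknown team: can't compute a share, skip rather than guess
        share = len(emps) / headcount[team]
        if share >= min_share:
            found.append((team, vendor, share))
    return sorted(found)


if __name__ == "__main__":
    print("AI spend by vendor:", spend_by_vendor(ai_lines(EXPENSE_LINES)))
    print("Under-threshold but material:", below_threshold_vendors(EXPENSE_LINES))
    print("Teams already standardized:", team_standardization(EXPENSE_LINES, TEAM_HEADCOUNT))
```

On the sample data, no single OpenAI or Copilot charge exceeds the threshold, yet both clear it once three months of seats are summed, and marketing turns out to have half its headcount on the same tool. Swap in a real expense export and a real headcount table and the same two functions give you the picture before any policy gets written.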

To be clear: the goal isn’t to approve everything. It’s to make approval fast enough that nobody has to go around it.

4. The lifecycle frame

Once you treat AI tools as another asset class, not a special case, the playbook becomes legible. They’re one more thing the lifecycle engine has to govern, with a procurement problem, a usage problem, and an end-of-life problem, the same as any other software.

  • Provisioning: Who gets which tool, on what budget, through what approval flow. The answer can be permissive (everyone gets ChatGPT Pro by default) or restrictive (named users with documented business cases), but it has to be answered. The teams that haven't answered it are the ones with the largest shadow.
  • Active management: Usage tracking, license reclamation when employees stop using a seat, spend control as a tool's pricing scales. AI tools are particularly susceptible to seat sprawl because adoption tends to spike on launch and then stabilize at a much smaller actual-user count. License reclamation matters more for AI than for traditional SaaS.
  • End of life: Contract closure when employees leave, when the tool gets superseded, when a budget gets reclaimed. AI tools rarely close out cleanly, because the contracts often get tied to individuals rather than seats: credentials shared in Slack, accounts created on personal email, expense flows that never officially closed. Lifecycle governance has to handle that mess, and the security consequence is concrete: an account created on a personal email never sat behind single sign-on, so revoking the employee's corporate identity at offboarding doesn't touch it, and whatever data went into it stays reachable.
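The active-management and end-of-life gaps above turned into one check you can run against a vendor's seat export, as an added example in Python (not Velory's code). The seat export, the HR roster, the company domain and the dates are constructed assumptions. The ordering of the checks is the part worth copying: ownership problems (personal accounts, departed employees) are tested before idleness, because a departed employee's seat is a security problem even if it was used yesterday.

```python
"""Seat reclamation and orphaned-account detection for an AI tool.

Added example, not Velory's code. The vendor seat export, the HR roster,
the company domain and the dates are all constructed for illustration.
"""
from datetime import date

# Assumption: the company's identity domain; anything else is a personal account.
COMPANY_DOMAIN = "example.com"

# Assumption: HR export of employees currently on payroll (corporate e-mails).
ACTIVE_ROSTER = {"alice@example.com", "bob@example.com", "carol@example.com"}

# Constructed sample of a vendor's seat export: (account e-mail, last active date).
SEATS = [
    ("alice@example.com", "2025-03-28"),         # current employee, in use
    ("bob@example.com", "2025-01-05"),           # current employee, seat idle for months
    ("dave@example.com", "2025-03-20"),          # left the company, seat still in use
    ("carol.personal@gmail.com", "2025-03-29"),  # employee signed up with a personal address
]
AS_OF = date(2025, 3, 31)
INACTIVE_AFTER_DAYS = 30


def classify_seats(seats, roster, company_domain, as_of, inactive_after_days=INACTIVE_AFTER_DAYS):
    """Sort each seat into one of four buckets, checked in this order:
      personal_account: address outside the company domain, so it was never behind
                        SSO and no offboarding step will ever revoke it
      orphaned:         company address not on the active roster, i.e. a departed
                        employee who can still log in
      reclaim:          current employee, but the seat has been idle too long
      ok:               current employee, recently active
    Ownership checks run before the idle check on purpose: a departed employee's
    seat is a security problem even if it was used yesterday."""
    buckets = {"personal_account": [], "orphaned": [], "reclaim": [], "ok": []}
    roster_lower = {e.lower() for e in roster}
    for email, last_active in seats:
        domain = email.rsplit("@", 1)[-1].lower()
        idle_days = (as_of - date.fromisoformat(last_active)).days
        if domain != company_domain.lower():
            buckets["personal_account"].append(email)
        elif email.lower() not in roster_lower:
            buckets["orphaned"].append(email)
        elif idle_days > inactive_after_days:
            buckets["reclaim"].append(email)
        else:
            buckets["ok"].append(email)
    return buckets


if __name__ == "__main__":
    for bucket, emails in classify_seats(SEATS, ACTIVE_ROSTER, COMPANY_DOMAIN, AS_OF).items():
        print(f"{bucket}: {emails}")
```

Each bucket maps to a different lifecycle action: "reclaim" is a license cost, "orphaned" is an offboarding miss to close today, and "personal_account" is the case no identity-driven offboarding will ever catch, which is why it needs the vendor's seat export rather than the IdP as its source.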

The lifecycle frame doesn't make shadow AI less real, but it makes it tractable. A problem that looks like "we have no idea what AI tools we're using" becomes "we have a procurement gap, a visibility gap, and an end-of-life gap," three concrete problems with known shapes.

5. The window is open right now

The lesson from shadow IT only stuck when companies moved while the work was still being defined, before the tools had put down roots. Once a workflow lives inside an unsanctioned product, the cost of pulling it back lands on the user, and they remember it.

The same approach works for AI tools, but only if it ships before adoption hits a level that's painful to roll back. Pulling people off tools they've embedded in their workflows is hard. Putting governance in place before that embedding happens is easier.

The window for getting ahead of shadow AI is open right now in most companies. AI tool adoption is significant but not yet ubiquitous. Spend is visible but not yet locked in. Governance teams have credibility but not yet exhausted attention.

The companies that move in the next two quarters will be governing AI tools the way the SaaS-mature companies govern their stack: as a managed asset class with clear ownership, lifecycle, and budget. The companies that wait will be writing policies in 2027 about tools that 80% of their employees have been using for two years.

The lesson from the first time: the cost of moving early is small, but the cost of moving late is structural.
