Shadow AI is not a workforce going rogue; it is a trust and visibility signal. Why approved alternatives, not bans, are what bring AI use back into the light, and the three moves that restore clear governance across your teams.
- Shadow AI is not mainly a security failure; it is a trust and visibility signal. When people reach for unapproved tools, they are telling you the approved path is slower or does not exist yet.
- The gap is measurable. Around 90% of executives feel confident they can see their organisation's AI use, while 52% of knowledge workers quietly use unapproved tools, according to an Okta-commissioned study reported in 2026.
- Prohibition moves the activity further out of sight. Governance restores visibility by giving people an approved alternative that is at least as good as the tool they reached for first.
- Start with three moves: name what good use looks like, offer a sanctioned tool people actually want, and make disclosure safe rather than punishable.
- The bottleneck is no longer the technology. It is whether your people trust you enough to tell you what they are already doing.
"My team is using AI and I really do not know what they are putting into it, and I am not sure I want to find out." You have had some version of that thought, probably in the past fortnight. Underneath it sits a quieter sentence you would rather not say out loud: finding out means acting, and acting means a policy, and a policy means a fight you have no appetite to start. So the cursor blinks, the work ships faster than it used to, and you let the question sit.
Here is the way through that stalemate. The fastest way to bring shadow AI back into view is to make the official path better than the unofficial one, then make it safe to tell you the truth. Bans push the activity somewhere beyond your sight. An approved alternative, offered well, pulls it back into the light where you can actually steward it. Treat what your people are doing quietly as information rather than betrayal, and the whole problem changes shape.
What is shadow AI actually telling me about my organisation?
It is telling you the work moved faster than your guardrails did. That is the honest reading, and it is more common than the executive view admits. McKinsey's 2025 Superagency in the Workplace study (McKinsey, the global management consultancy), drawn from 3,613 employees and 238 C-level executives across six countries, found that leaders estimate only 4% of employees use generative AI for at least 30% of their daily work, when the real figure is closer to 13%. Your people are roughly three times more likely to be using AI than you would guess. McKinsey's own framing of the bottleneck is blunt: it is leaders not steering quickly enough, not employees holding back.
So the picture inverts. The instinct is to imagine a reckless workforce that needs reining in. The data describes something gentler and more awkward: capable people solving real problems with the best tool to hand, while the org chart catches up. An Okta-commissioned study by Apprize360 in 2026 (Okta is an enterprise identity and security company) put numbers on the blind spot. Around 90% of executives expressed confidence in their visibility into AI tool use, while 52% of knowledge workers admitted using unapproved tools and 24% used unauthorised ones regularly. In the UK the gap was widest of all, with 96% of executives confident they could see clearly. As Okta's Harish Peri framed it, security teams cannot govern the usage of tools they do not know exist.
Why does banning the tools make the problem harder to see?
Because the demand does not vanish. It relocates. When the sanctioned answer is "no", the work still has to ship, so it ships through a personal account, a phone, a free tier nobody flagged. UpGuard's surveys (UpGuard is a cyber-risk research firm) of 1,500 security leaders and employees found that more than 80% of workers use unapproved AI tools, including nearly 90% of security professionals, the very people meant to model the rules. Fewer than half of employees even understand their company's AI policy. You cannot follow a line you cannot find.
And the leak is real, which is exactly why hiding it becomes the dangerous part. A TELUS Digital Experience survey of 1,000 enterprise employees in January 2025 found 57% had entered confidential information into public platforms such as ChatGPT, Gemini and Copilot: personal details, project data, customer records, financials. Cyberhaven Labs (a data-security research group), watching 1.6 million workers, found 11% of the data pasted into ChatGPT was confidential, and confidential-data incidents rose around 60% across a six-week window in early 2023. A ban does not touch any of that. It simply guarantees you will be the last to learn when something goes wrong.
| The visibility gap | What the research shows |
|---|---|
| What leaders believe | ~90% of executives feel confident in their visibility into AI use; 96% in the UK (Okta / Apprize360, 2026) |
| What is actually happening | 52% of knowledge workers use unapproved tools; 24% regularly (Okta / Apprize360, 2026) |
| How widespread | 78% of employees use AI tools their employer did not provide (WalkMe, 2025) |
| What is being shared | 57% have entered confidential data into public AI platforms (TELUS, 2025) |
| Who leads the behaviour | 69% of presidents and C-suite, 66% of directors and senior VPs accept unapproved AI use (BlackFog, 2026) |
That last line deserves a pause. BlackFog's 2026 survey (BlackFog is a data-security vendor) of 2,000 workers found that shadow AI is led from the top: 69% of presidents and C-suite, and 66% of directors and senior VPs, accept unapproved use, and 49% of all workers adopt tools without approval. The people most likely to be doing it quietly are often the most senior. Which is why the avoidance feels so familiar. It is easier to look away than to admit you are part of the pattern you would have to police.
Turn the blind spot into a clear line of sight
If you can feel the gap between what your team is doing and what you can see, that is the most useful signal you have. A focused session maps where shadow AI is showing up, why, and the approved path that brings it back into the open.
Book your Strategy SessionWhat does governing AI across teams actually look like?
It looks far more like product design than policing. The category of intervention here is governance-over-prohibition: you compete with the unofficial tool by offering an official one people prefer, and you make the truth safe to speak. The evidence says most organisations are starving the human side of exactly that work. Deloitte's State of AI in the Enterprise 2026 report (Deloitte, one of the big four professional-services firms) found that workforce access to sanctioned AI tools grew by 50% in a single year, climbing from under 40% to around 60% of workers, yet only one in five companies, 21%, has a mature model for governing it. Access raced ahead; the governing caught none of that pace. The WalkMe AI in the Workplace survey of 1,000 US workers in 2025 (WalkMe is a workplace software-adoption company) shows where the human gap bites: 78% use AI their employer never provided, 51% report conflicting guidance on when to use it, and only 7.5% have had extensive training, with another 23% trained not at all. Buy the tool, skip the human work, and your best people will route around you.
Three moves restore visibility, in order.
- Name what good looks like. Write one page, not forty, that a busy person will actually read: which tools are sanctioned, what data is fine to use, what stays inside the building. Fewer than half of employees understand the current policy, so clarity alone closes part of the gap.
- Offer a tool people want. Provision a sanctioned, enterprise-grade option that is at least as fast and pleasant as the free tier someone reached for first. People route around friction, not around rules. Remove the friction and the routing stops.
- Make disclosure safe. Replace the threat of punishment with an invitation to show you. When nearly half of workers hide their AI use to avoid judgement, per WalkMe, the information you need is sitting in the room. It surfaces only when telling you costs nothing.
Shadow AI is not your people breaking the rules. It is your people telling you the rules have not caught up with the work.
Done in that order, governance becomes a way of building trust rather than spending it. You move from the leader who would rather not look to the leader people come to first. And this is where the deeper point sits, quietly, for whoever is ready to hear it. The bottleneck is no longer the technology. The technology is already in your building, in capable hands, doing useful work. The open question is whether your people trust you enough to tell you what they are doing, and whether you have built the kind of clarity that makes telling you the easy choice. That is a human capability, and it is one you can build deliberately. Our work with leadership teams starts exactly there: the visibility, the approved path, and the trust that keeps both honest.
Frequently asked questions
Is shadow AI mostly a security problem or a trust problem?
Why do bans tend to make shadow AI worse?
Where should we focus first when governing AI across teams?
- McKinsey & Company, Superagency in the Workplace, 2025
- Okta / Apprize360 study, reported by The Register, 2026
- UpGuard, reported by Cybersecurity Dive, 2025
- TELUS Digital Experience survey, reported by Tech Monitor, 2025
- WalkMe AI in the Workplace survey, 2025
- Deloitte, State of AI in the Enterprise, 2026
- BlackFog survey, reported by CIO, 2026
- Cyberhaven Labs, 2023

About the author
British technology futurist, AI keynote speaker and advisor. Thirty years across enterprise technology and AI strategy, helping leaders navigate the future of work. The futurist who died.