Shadow AI in the Company
Shadow AI in the company: the invisible compliance risk
38 percent of your employees have already shared sensitive company data with AI tools. Without your knowledge. Without approval. Without control.
This is not scaremongering. It is an IBM study from 2024.
And this is exactly where the problem begins that most SMEs overlook with the EU AI Act: they do not even know which AI systems are in use in their company.
What is shadow AI?
Shadow AI describes the use of AI tools by employees without the knowledge or approval of the IT department. The sales employee who drafts offers with ChatGPT. The marketing colleague who creates texts with Jasper. The controller who has Excel data analysed by Claude.
Nobody acts maliciously. Everyone wants to be more productive. But nobody thinks about the consequences.
The figures are alarming: according to a recent Varonis study, 98 percent of employees use unapproved apps, increasingly including AI tools. Between 2023 and 2024, the use of generative AI applications in companies rose from 74 to 96 percent.
The tools are there. The control is missing.
Why is this an EU AI Act problem?
The EU AI Act requires companies to know, classify and, depending on the risk, document and monitor their AI systems. Article 4 explicitly requires AI literacy for all employees who work with AI systems.
How do you want to demonstrate compliance for systems you do not even know exist?
But the problem goes deeper. Imagine your HR team uses an AI tool to pre-select applications. That sounds harmless. But under Annex III of the EU AI Act it is a HIGH-RISK use case, category 4: employment and worker management.
Suddenly comprehensive documentation obligations, risk assessments and human oversight requirements apply. And nobody in the company knows about it.
The three risks of shadow AI
The first risk is data protection and data leakage. When employees enter confidential contracts, customer data or business figures into external AI tools, this data leaves your company. Many AI providers use entered data to train their models. Your trade secrets could appear in the answers given to other users.
The second risk is compliance violations. Without an inventory, you do not know whether you have HIGH-RISK use cases. You cannot carry out risk assessments. You cannot provide training records. In an inspection by supervisory authorities, you are left empty-handed.
The third risk concerns liability and reputation. If an AI-based tool makes a discriminatory decision, for example in applicant selection or lending, your company is liable. Even if you knew nothing about the use.
Why classic IT inventories are not enough
Many companies think: we have software asset management. We know what is installed.
The problem: most AI tools run in the browser. ChatGPT, Claude, Gemini, Midjourney, all web-based applications. They appear in no software inventory. No installation, no licence, no trace.
On top of that come AI features embedded in existing tools. Microsoft Copilot in Office 365. AI assistants in CRM systems. Automatic text suggestions in email clients. Many employees do not even know they are using AI.
How to build an AI inventory
An AI inventory is a structured overview of all AI systems and AI applications in your organization. It forms the basis for any EU AI Act compliance.
The first step is the objective. Clarify in advance: do you record all AI systems or first focus on potential HIGH-RISK use cases? For the start I recommend: record everything you find. Classification comes later.
The second step is the systematic search. Check your software asset management for installed AI applications. Analyse your SaaS subscriptions, which tools have AI features? Survey department heads: which tools do your teams use to boost productivity? Run anonymous employee surveys. Check expense reports for AI tool subscriptions. Look at browser extensions.
The third step is documentation. For each AI system found, document: name and provider of the tool, purpose of use in the company, which department or which employees use it, which data is entered, whether there is an official approval.
The fourth step is the role determination. For each system, clarify: are you a provider (did you develop or substantially modify the system) or a deployer (do you use a ready-made system)? Most SMEs are deployers, but the obligations are significant nonetheless.
The underestimated question: which data flows where?
An AI inventory is not just a list of tools. It is an overview of data flows.
Ask concretely: which data do employees enter into the tool? Where is this data processed and stored? Does the provider use the data to train its models? Is there a data processing agreement under the GDPR?
Especially with free AI tools, caution is advised. If you do not pay for the product, your data is often the product.
From inventory to risk classification
Once you know which AI systems are in use, the decisive question follows: which of them are HIGH-RISK under the EU AI Act?
Here the process-layer approach I use in my framework applies: it is not the tool itself that is classified, but the combination of tool and purpose of use.
ChatGPT for marketing texts: MINIMAL RISK. ChatGPT to support applicant selection: HIGH-RISK. Same tool, completely different compliance requirements.
Check each use case against the eight HIGH-RISK categories of Annex III: biometrics, critical infrastructure, education and vocational training, employment and worker management, access to essential services (credit scoring, insurance), law enforcement, migration and border control, administration of justice.
For SMEs, category 4 (employment) and category 5 (essential services) are especially relevant. Every AI use in HR or in customer assessments deserves particular attention.
Practical immediate measures
You do not need a complete AI governance framework tomorrow. But you should start today.
First measure: communicate. Inform your employees that the EU AI Act is coming and that AI use has to be documented. No bans, no threats, just information. Most employees will cooperate once they understand the reason.
Second measure: create a simple list. A spreadsheet is enough to start. Columns: tool name, department, purpose, data types, approved yes/no.
Third measure: define an approval process. New AI tools should be checked before use. No bureaucratic monster, a simple checklist with five questions is enough.
Fourth measure: offer alternatives. If you ban shadow AI without offering alternatives, employees get creative. Better: provide approved tools that offer the same benefit but are under your control.
What this means for your EU AI Act compliance
An AI inventory is the first step of my 5-phase framework NADOVO, the DISCOVER phase. Without this inventory you cannot define processes, assess risks or implement measures.
The good news: you do not need an expensive tool. You do not need external consulting for six-figure sums. You need method and consistency.
Start this week. Ask in your next team meeting: which AI tools do you actually use? The answers will surprise you.
Conclusion
Shadow AI is not a theoretical risk. It is happening now, in your company. 98 percent of employees use unapproved apps. The question is not whether, but which ones.
The EU AI Act turns ignorance into a compliance trap. You cannot prepare for obligations you do not know about. You cannot manage risks you do not see.
An AI inventory is not a bureaucratic mandatory exercise. It is the cornerstone for responsible AI use and for your legal certainty from August 2026.
The deadline is approaching. The time for excuses is over.
About the author
Jochen Stier is co-founder of NADOVO with over 20 years of experience in process management and IT service management. He helps German SMEs implement the requirements of the EU AI Act systematically and pragmatically. His 5-phase framework NADOVO combines regulatory requirements with practical feasibility, without enterprise budgets or complex tools.
More articles
AI Technology Website Migration and SEO Ranking
Many fear a website migration destroys the Google ranking. That is true - if you do it wrong. What really happens and what matters.
read more ...
AI Technology Maintaining a Website Without an Agency
If you have a business website, you should be able to maintain it yourself. Why that does not work for most people - and how it can be done differently.
read more ...
AI Compliance Why I Built NADOVO
Why a process consultant with 20 years of experience builds his own AI compliance framework and his own platform - and what that has to do with the EU AI Act.
read more ...