In many companies, artificial intelligence is already at work. Just not always where the leadership thinks. And not always in a way that anyone has formally approved.

Employees use ChatGPT, Gemini, Copilot and dozens of other tools because they see a simple benefit in them: writing an email faster, preparing a proposal, summarizing a document, improving a text, generating an image, analyzing data or finding inspiration for a presentation.

Most of the time there is no ill intent. There is time pressure, a need for efficiency and a natural curiosity about new tools. The problem starts when the organization does not know where AI is used, what it is used for and what data goes into it.

This is exactly what Shadow AI is - artificial intelligence used beyond the knowledge, control or formal approval of the organization.

AI does not wait for a company policy

Technology rollouts used to look different. A company chose a system, signed a contract, ran training, granted access - and only then did employees start using the tool.

With AI, that order has often been reversed.

First, employees started experimenting. Only later did companies start asking whether they had an AI policy, a register of tools, security rules, approval procedures and evidence that the team had been trained.

That is why Shadow AI is so hard to capture. It is not always visible in the budget, contracts or IT systems. Sometimes it is simply in an employee's browser, a private account, a browser plug-in or an AI feature hidden inside a tool the company was already using.

The biggest risk is not AI itself

In the debate about artificial intelligence it is easy to fall into extremes. Some see it mainly as a threat, others purely as an opportunity. In practice, the biggest problem is not using AI itself, but using it without rules.

A company may have employees who use AI every day and, at the same time, have no knowledge of which tools are used, in which processes, on what data and with what impact on customers, candidates, employees or business decisions.

This creates a dangerous gap. The organization formally does not manage something that genuinely affects how it operates.

In the context of the AI Act this is particularly important. The regulatory approach is based on risk, and risk cannot be assessed if a company does not know where AI actually occurs. A general declaration that „we use AI” or „employees have access to tools” is therefore not enough. You have to understand the specific use cases.

Using AI to improve the style of an internal note means something different from using it to screen CVs, handle complaints, create customer communications or support decisions about people. The same technology can be a neutral improvement in one place and a significant risk in another.

The first step: see where AI is already running

Companies often want to start with big documents: an AI policy, a strategy, procedures, regulations. These are important elements, but documents alone will not solve the problem if they are created in isolation from reality.

The first step should be simpler: check where AI is already being used.

Not in order to block everything straight away. And not to look for someone to blame. The point is to build a realistic picture of the situation. Only then can you decide which tools to allow, which to limit, which require further analysis and which should not be used in the company at all.

Such a first AI register does not have to be perfect. It should, however, answer a few basic questions: which tool we use, for what purpose, in which department, on what data and who is responsible for the process.

That is enough to move from guesswork to management.

Shadow AI and the company's responsibility

The biggest mistake is to assume that because a tool is used individually by an employee, the risk is also purely individual.

In reality, the consequences may affect the entire organization.

If customer data, a fragment of a contract, a recruitment document, a financial report or an internal strategy ends up in an external AI tool, the company may run into trouble - not because someone used modern technology, but because it had no clear rules for using it.

The same goes for quality. AI can help prepare content, an analysis or a recommendation, but the output still requires responsible human judgment. Without it, it is easy to end up with incorrect information, unjustified conclusions or decisions made on the basis of material that no one has properly verified.

Shadow AI therefore reveals not only a technological problem. It reveals a management problem.

The AI Act forces order

The AI Act does not mean that every company must suddenly become a technology company. It does mean, however, that organizations should take a conscious approach to how they use AI systems.

In practice, this means the need to put a few areas in order: employee competencies, rules for using AI, risk assessment, knowledge of the tools in use and documentation of the actions taken.

This is exactly where Shadow AI becomes one of the most important topics. Because if a company does not know which AI tools its teams use, it is hard to talk about genuine readiness for regulatory requirements.

You cannot prepare an organization for the AI Act with a presentation for the board or a one-off training alone. What you need is a process that lets you see, organize and document how AI is used in the company.

Where does AI TrustCERT help?

AI TrustCERT was created precisely to help companies move from uncontrolled, scattered use of AI to an organized operating model.

This is not just training about artificial intelligence. It is a practical way to build an organization's basic readiness: from employee awareness, through rules for using AI, to a register of tools, approvals, risk assessment and a readiness report.

This way a company can answer the questions that will become increasingly important in the context of the AI Act:

  • do we know where we use AI?
  • do employees know the rules?
  • do we have confirmations and evidence of the actions taken?
  • can we show that the topic has been put in order?

Because in practice the point is not to be afraid of AI.

The point is not to pretend that the company is in control of it if it does not know where it is already running.

Summary

Shadow AI is one of the most important gaps in companies' readiness for the AI Act. Not because employees use AI, but because they often do so faster than the organization manages to create rules.

Companies that want to use artificial intelligence responsibly should start with a simple question: where is AI already present in our everyday work?

Only afterwards can you build policies, training, registers, risk assessment and reporting.

Today, the biggest risk is not AI itself. The biggest risk is not knowing how it is really being used.

AI TrustCERT helps close that gap - step by step, in an organized and documentable way.

Sources

  1. EUR-Lex - Regulation (EU) 2024/1689, Artificial Intelligence Act. The official text of the regulation laying down harmonized rules on artificial intelligence: eur-lex.europa.eu
  2. European Commission - Regulatory framework for AI. An overview of the AI Act regulatory framework and the timeline for applying its provisions: digital-strategy.ec.europa.eu
  3. European Commission - AI Literacy - Questions & Answers. An explanation of the obligation to ensure a sufficient level of AI literacy (Article 4 of the AI Act): digital-strategy.ec.europa.eu
  4. AI TrustCERT internal materials - workbook / starter plan: AI tool register, Shadow AI identification, classification of use cases and risks.