Shadow AI: The Symptom, Not the Threat

Healthcare staff are increasingly using AI tools without official approval. While no policy or directive has permitted these usages, it is possible to find a number of staff members drafting documents using chat bots, analysts using AI to clean and organize datasets, and other work requiring the use of AI. It is common among the staff to either use AI tools without approval or to see coworkers use unapproved AI tools, and the trend is increasing. The common approach is to ban unapproved AI, but that only treats the symptom and ignores the root of the problem.

Shadow AI should not be perceived as a threat. It should be perceived as a solution. When employees seek alternative ways to get their work done outside of the approved work tools, they are reporting that the way approved work tools are insufficient. The instinct to ban the tools should be replaced with the question as to why these people decided that the unapproved tools were worth the risk.

The work is heavy and the approved options do not help. For the tasks that need to be done, a person uses the tool sitting one tab away to work faster. Administrators have stated that the draw is speed and a number of employees have stated that there is no approved alternative.

The problem is not the judgment. Rather, the organization left a gap in which a workaround became necessary and then expressed confusion as to why people filled the gap. The same instinct that enables a good employee to work around a broken process is the same one at play, and punishing this process teaches people to be secretive instead of stopping the workaround.

Why prohibition makes it worse

The instinct to prohibit meets a hard fact. The tools are ubiquitous, they run on end-user equipment, and the processing runs in a location that the organization cannot control. Simply stating the tools are prohibited does not eliminate the tools. It eliminates the oversight the organization had of the tools.

A prohibition drives exactly the opposite behavior. The tools are not used less, they are talked about less. Work that was done in the oversight of the organization is moved to private accounts and personal phones, where no one can oversee the work or learn from it. The organization exchanges a visible problem it can manage for an invisible one it cannot. Every additional layer of prohibition adds a marginally smaller understanding of what is happening within the organization.

The hidden dangers of shadow AI

Shadow AI manifests when out-of-context, AI-generated workflows become part of the decisions and records of an organization. Consider a Quality Assurance team that leverages an external AI model to analyze a workflow and generate a recommendation. If leadership chooses to follow the recommendation, then, with shadow AI, months later when something goes wrong, the organization is paralyzed because there is no documentation to communicate the recommendation, the reasoning, or the data. In fact, the shadow AI outputs may have become part of the official workflows of the organization, eliminating any sense of ownership or control.

There is an exposure that lives outside the typical privacy concerns. When employees use external tools to process internal information, what leaves the premises of an organization is not patient information. It is a loss of proprietary information and institutional knowledge. Once processed by an external unapproved AI tool, the information is no longer under the control of the organization. The impact of the loss eclipses the constraints of the laws covering patient information.

The most productive course of action

The most productive course of action is to acknowledge the presence of shadow AI. The absence of a policy to address shadow AI allows an organization to bypass the presence of unapproved tools. Acknowledging the tools creates the opportunity to understand the reasons employees use unapproved tools. This provides insight into the unaddressed needs of employees and the functions that the organization is not providing.

Making the authorized option better than the consumer version is the main game changer. If the authorized option takes a log in, a request, and three approvals, while the consumer version takes one click, people will continue to use the consumer version. An alternative approach only works if it is the easier option as well, which means the authorized version has to win on convenience as well as rules. That is the harder thing to create than a policy memo prohibiting the alternative, and it is the only thing that actually changes the way people behave.

The last puzzle piece is openness. As long as stating I used AI to do this feels like a confession, people will conceal the truth and the organization will remain ignorant. The solution is to treat that statement as ordinary workplace behavior. When disclosing AI use becomes evidence in support of good work rather than a confession of guilt, it is brought back to the open and checked.

Time is running out

Every month this goes unaddressed, AI work that is undocumented and unreviewed becomes a more permanent part of the work process and the essential knowledge of the organization. The longer it remains concealed, the larger the volume of work that will need to be undone. The choice is either to meet the need now, while the use can still be made explicit, or to later reveal the full extent of what was done during an organizational intervention gone wrong.

Shadow AI represents a demand signal from the workforce that has gone unanswered by leadership. It is not a problem of discipline; there are systems that interpret it that way. Such systems will inadvertently transform a concealed risk into a visible signal of actual workforce demand. As for the others, as long as they persist in pursuing a ban, they will only instruct their most talented individuals to perform great work in the most obscure locations.

Christopher Hutchins Founder and CEO, Hutchins Data Strategy Consultants