
Shadow IT has challenged internal auditors for more than a decade. Shadow AI is the same phenomenon, but accelerated, more opaque, and materially riskier. It refers to employees using generative and agentic AI tools without the knowledge or approval of IT, compliance, or risk management.
Attorneys pasting contracts into public chatbots, clinicians uploading patient notes for transcription, and developers debugging proprietary code in consumer models illustrate the pattern. The productivity gains are real. Multiple published studies report time savings of 20 percent or more on drafting, summarization, and coding tasks. The control gaps are equally significant.
This is not theoretical. The fourth Protiviti AI Pulse Survey, “No Visibility, No Confidence,” published earlier this year, reports that 47 percent of large organizations lack visibility into employee AI usage, and approximately two-thirds (65 percent) face challenges with shadow AI (Protiviti, 2026). The 2024 IIA North American Pulse of Internal Audit found cybersecurity and IT audits combined account for nearly 20 percent of audit plans, versus 17 percent for operations, yet internal audit budgets remain constrained. These conditions allow unsanctioned AI to proliferate.
Why the Risk Has Matured
Three developments during the past two years accelerated shadow AI and distinguish it from classic shadow IT.
1. Consumer models reached enterprise capability. Summarization, code generation, and analysis now occur in browser sessions rather than controlled environments. Unlike shadow IT, which required software installation, shadow AI leaves minimal endpoint traces.
2. Governance lagged adoption. Only about four in 10 organizations maintain a formal AI governance framework, according to multiple industry surveys. Policies written for data loss prevention rarely address prompt engineering or model training opt-outs.
3. Breach economics shifted. IBM’s 2025 Cost of a Data Breach Report found shadow AI present in about 20 percent of data breaches, adding $670,000 to average breach costs, largely because 97 percent of affected organizations lacked proper AI access controls (IBM, 2025). As IBM’s breach statistics suggest, the real cost driver is not malware alone but the inability to contain data once it enters a model.
These forces often converge outside existing policy coverage, at the intersection of data protection, third-party risk, and model risk.
Real Cases, Real Consequences
Disney (2024)
According to the U.S. Department of Justice, in early 2024 Ryan Mitchell Kramer, 25, of Santa Clarita posted a program on various online platforms, including GitHub, purporting to create AI-generated art. The program contained malware that gave Kramer access to victims’ computers and stored credentials. A Disney employee downloaded it in April or May 2024, giving Kramer access to the employee’s personal computer and the login credentials stored on it. Using those credentials, Kramer accessed the employee’s Slack account and in May 2024 downloaded approximately 1.1 terabytes of confidential data from thousands of Disney Slack channels. In July 2024 he threatened the victim while posing as a member of a fictitious Russia-based hacktivist group called “NullBulge,” then publicly released the stolen data on July 12, 2024. Kramer agreed to plead guilty in May 2025 (DOJ, 2025). The lesson is not about AI capability but about software supply chain hygiene.
Source: U.S. Department of Justice
Samsung (2023)
In April 2023, several Samsung engineers used ChatGPT to support debugging and summarization activities. Under deadline pressure, they entered confidential source code and internal meeting notes into the tool. At the time, OpenAI retained user prompts for model‑training purposes, which meant Samsung’s proprietary information left the organization’s control as soon as it was submitted. The engineers were not acting with malicious intent. They were attempting to work more efficiently with the tools available to them. However, their actions resulted in a potential data‑exposure incident with direct implications for intellectual property protection, regulatory compliance, and competitive positioning.
Source: Bloomberg
Healthcare and financial services. Internal audit continues to identify clinicians transcribing patient notes in consumer tools and analysts summarizing loan files or contracts in public models, typically without business associate agreements, data residency controls, or audit trails, creating direct exposure under HIPAA, GLBA, and SOX.
In Canadian public sector environments, the risk compounds. Treasury Board directives on Automated Decision-Making, provincial privacy commissioners’ guidance, and federal responsible-use AI guidance create overlapping obligations.
Canada’s Artificial Intelligence and Data Act (AIDA), part of Bill C-27 introduced June 2022, died in committee after Parliament was prorogued on Jan. 6, 2025. The bill lapsed and will not return in its original form. Its core themes of risk management, transparency, and accountability for high-impact AI are expected to shape future federal legislation and are already influencing provincial regimes such as Quebec’s Law 25. Internal auditors should monitor these developments and not wait for a federal framework before acting.
Shadow AI vs. Shadow IT: Why History Rhymes
Internal auditors managed shadow IT by inventorying unsanctioned SaaS and creating approved cloud catalogs. Shadow AI is harder. It requires no installation, generates no traditional asset record, and transmits data instantly outside the perimeter. Blocking openai.com breaks legitimate research. The winning strategy remains the same: make the approved path faster and easier than the alternative.
Key Risk Areas
Data leakage. Once prompts leave the corporate environment, retrieval is impractical. Without explicit no-training clauses, data may be retained by model providers and may resurface in other users’ outputs.
Compliance failures. GDPR, HIPAA, SOX, PIPEDA, and emerging AI regulations require demonstrable control over processing activities. Fragmented or incomplete logging impedes the ability to attest to compliance and to meet breach notification obligations.
Cybersecurity exposure. Malware-laden tools, prompt injection attacks, and personal accounts without MFA bypass enterprise protections. The Disney incident shows how AI tools become malware vectors.
Operational and decision risk. Hallucinated or biased outputs influence decisions when drafts are treated as final. Legal and finance teams are particularly exposed when summarizing contracts or regulatory filings.
Accountability gaps. Without inventory and lineage, oversight weakens and root cause analysis becomes difficult. Audit committees cannot govern what they cannot see.
Enhanced Risk Assessment: The Five Lenses
Annual risk assessments are insufficient because usage patterns shift weekly. A continuous assessment using five lenses provides better coverage and directly supports Standard 9.4 (Internal Audit Plan) of the 2024 Global Internal Audit Standards, Domain IV: Managing the Internal Audit Function.
Lens 1: Visibility
Protiviti’s fourth AI Pulse Survey finds 47 percent of large organizations lack full visibility into employee AI use, 65 percent struggle with shadow AI, and only about four in 10 maintain a formal framework. Analyze 30 days of DNS (Domain Name System) queries for known model endpoints (openai.com, anthropic.com, gemini.google.com, huggingface.co), browser extensions, OAuth (Open Authorization) grants, and CASB (Cloud Access Security Broker) logs. Supplement with targeted business-unit surveys, which typically surface additional unauthorized tools beyond what telemetry captures alone.
Audit test: Reconcile the top 10 destinations to the approved AI register and investigate variances.
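The reconciliation step of this audit test, as an added worked example that is not part of the article: it parses resolver log lines, counts queries to the model endpoints listed above (matching subdomains such as chat.openai.com), and reports the top destinations that are absent from the approved AI register, together with the departments that generated the traffic. The log lines, the register, and the department names are all constructed for illustration; the endpoint watchlist is the article's, and the example deliberately includes one AI site that is not on it to show that a stale watchlist silently undercounts.

```python
"""Reconcile AI-endpoint DNS queries against an approved AI register.

Added worked example; the log lines, domains and register below are
constructed for illustration and do not describe any real organization.
"""
import re
from collections import Counter, defaultdict

# Generative-AI endpoints named in the article. Matched on domain suffix so
# that chat.openai.com or api.anthropic.com are also caught. Keep this list
# maintained: an endpoint that is not on it is simply never counted.
AI_DOMAINS = ("openai.com", "anthropic.com", "gemini.google.com", "huggingface.co")

# Constructed approved-AI register, keyed by exact hostname. Approval is per
# endpoint: the enterprise API under an SSO/no-training agreement is not the
# same thing as the consumer chat site reached with a personal account.
APPROVED_REGISTER = {
    "api.openai.com": "Enterprise conversational agent (SSO, no-training terms)",
}

# Constructed resolver log: timestamp, department, client host, queried name.
DNS_LOG = """\
2026-03-01T09:14:02Z legal   ws-lgl-07 chat.openai.com
2026-03-01T09:15:41Z legal   ws-lgl-07 chat.openai.com
2026-03-01T10:02:13Z dev     ws-dev-21 api.openai.com
2026-03-01T10:03:55Z dev     ws-dev-21 huggingface.co
2026-03-02T08:45:00Z hr      ws-hr-03  gemini.google.com
2026-03-02T11:20:19Z finance ws-fin-12 www.example.com
2026-03-03T14:05:37Z dev     ws-dev-04 claude.ai
2026-03-03T14:06:10Z legal   ws-lgl-02 api.anthropic.com
"""
# claude.ai is not on AI_DOMAINS above, so the ws-dev-04 line is never
# counted. That is the caveat on watchlist maintenance, made visible.

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def is_ai_endpoint(qname):
    """True when the queried name is, or is under, a watched AI domain."""
    qname = qname.lower().rstrip(".")
    return any(qname == d or qname.endswith("." + d) for d in AI_DOMAINS)


def parse_dns_log(text):
    """One record per line; malformed lines are skipped, not guessed at."""
    rows = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, dept, host, qname = match.groups()
        rows.append({"ts": ts, "dept": dept, "host": host,
                     "qname": qname.lower().rstrip(".")})
    return rows


def top_ai_destinations(rows, n=10):
    """Top-n AI destinations by query count, as (qname, count) pairs."""
    counts = Counter(r["qname"] for r in rows if is_ai_endpoint(r["qname"]))
    return counts.most_common(n)


def reconcile(rows, register=APPROVED_REGISTER, n=10):
    """Variances: top AI destinations absent from the approved register,
    with the departments that generated the traffic, for follow-up."""
    depts_by_qname = defaultdict(set)
    for r in rows:
        depts_by_qname[r["qname"]].add(r["dept"])
    variances = []
    for qname, count in top_ai_destinations(rows, n):
        if qname not in register:
            variances.append({"domain": qname, "queries": count,
                              "departments": sorted(depts_by_qname[qname])})
    return variances


if __name__ == "__main__":
    rows = parse_dns_log(DNS_LOG)
    print("Top AI destinations:", top_ai_destinations(rows))
    for v in reconcile(rows):
        print(f"VARIANCE {v['domain']:<20} {v['queries']:>3} queries  "
              f"{', '.join(v['departments'])}")
```

Two design choices carry the audit point. The register is keyed by exact hostname, so chat.openai.com shows up as a variance even though api.openai.com is approved: the consumer site on a personal account and the enterprise API under contract are different destinations with different data-use terms. And the watchlist is an input, not a discovery mechanism: the claude.ai query is invisible to this script, which is why the article pairs telemetry with business-unit surveys.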
Lens 2: Cost and breach exposure
IBM’s 2025 Cost of a Data Breach Report shows shadow AI-related breaches averaged $4.63M; 97 percent of affected organizations lacked proper access controls, and shadow AI, present in roughly 20 percent of breaches, added $670,000 per incident. Map three critical data flows: prompts containing regulated data, outputs pasted into work products, and files uploaded for summarization. Sample 25 to 50 DLP (Data Loss Prevention) alerts per quarter where the destination is an AI-related service.
Audit test: Select five incidents and trace whether data residency and retention obligations were met.
Lens 3: Control design
Assess whether Acceptable Use policies explicitly address public generative AI, whether data classification defines permissible AI destinations, and whether an approved toolkit exists with enterprise agreements, no-training clauses, and SSO (Single Sign-On) with MFA. For high-risk use cases, evaluate prompt logging, output validation, and human-in-the-loop controls.
Audit test: Attempt a controlled paste of dummy PHI (Protected Health Information) into an unapproved model on the corporate network; verify blocking or alerting occurs.
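The decision the blocking control should reach during this audit test, as an added worked example that is not part of the article or of any vendor's product: a small egress policy function that classifies pasted text for PHI indicators and combines that with whether the destination is a generative-AI site and whether that site is on the approved list. The approved host, the PHI patterns, and the dummy patient record are constructed for illustration (every value in the record is made up); a production classifier would be driven by the data classification policy and tuned against false positives. The function also returns the two weaker outcomes a practitioner expects to see alongside the block: PHI into an approved tool is allowed under the enterprise terms but logged, and ordinary text into an unapproved model is an inventory signal rather than a data loss.

```python
"""Egress policy decision for a paste into a generative-AI site.

Added worked example: the destination lists, PHI indicators and the dummy
record are constructed for illustration; they are not the article's or any
vendor's. It models the decision a DLP/CASB control should reach when the
Lens 3 audit test pastes dummy PHI into an unapproved model.
"""
import re

# Constructed: endpoints under an enterprise agreement (SSO, no-training terms).
APPROVED_AI_HOSTS = {"api.openai.com"}
# Generative-AI domains from the article, matched on suffix.
AI_DOMAINS = ("openai.com", "anthropic.com", "gemini.google.com", "huggingface.co")

# Constructed PHI indicators. A production classifier would be driven by the
# data classification policy and tuned against false positives.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,4}[/-]\d{1,2}[/-]\d{1,4}\b",
                      re.IGNORECASE),
    "diagnosis": re.compile(r"\bdiagnos(?:is|ed)\b", re.IGNORECASE),
}

# Dummy PHI record for the controlled test. Every value is made up.
DUMMY_PHI = ("Patient: Jane Doe, DOB 1980-01-02, MRN 00123456, SSN 123-45-6789. "
             "Diagnosed with type 2 diabetes; summarize the visit note.")


def phi_indicators(text):
    """Names of the PHI patterns that fire on the text, sorted for stable output."""
    return sorted(name for name, pattern in PHI_PATTERNS.items() if pattern.search(text))


def is_ai_destination(host):
    """True when the host is, or is under, a watched generative-AI domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in AI_DOMAINS)


def evaluate_paste(host, text):
    """Return (decision, reasons) for a paste of `text` into `host`.

    BLOCK: regulated data bound for an unapproved model (must be stopped).
    ALERT: regulated data into an approved tool (allowed under the enterprise
           terms but logged for review), or non-regulated text into an
           unapproved model (inventory signal, not a data loss).
    ALLOW: everything else; non-AI destinations are covered by other DLP rules.
    """
    hits = phi_indicators(text)
    ai = is_ai_destination(host)
    approved = host.lower().rstrip(".") in APPROVED_AI_HOSTS
    if ai and not approved and hits:
        return "BLOCK", hits
    if ai and approved and hits:
        return "ALERT", hits
    if ai and not approved:
        return "ALERT", ["unapproved-ai-destination"]
    return "ALLOW", []


if __name__ == "__main__":
    for host, text in [("chat.openai.com", DUMMY_PHI),
                       ("api.openai.com", DUMMY_PHI),
                       ("chat.openai.com", "Summarize this public press release."),
                       ("intranet.example.com", "Quarterly numbers attached.")]:
        print(f"{host:<22} -> {evaluate_paste(host, text)}")
```

If the audit test's paste of the dummy record into an unapproved site does not produce the BLOCK outcome (or at least an ALERT in the DLP console), the control design finding writes itself; if it blocks only on the SSN pattern and not on the MRN or diagnosis text, the finding is about classification coverage rather than enforcement.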
Lens 4: Third-party exposure
Many exposures originate from approved SaaS vendors that added generative capabilities in 2024–2025. The McHire platform, which is Paradox.ai’s hiring system used by McDonald’s, illustrates how a sanctioned vendor can introduce the same control gaps found in unsanctioned tools. Inventory AI additions to existing vendor contracts and review them for data‑use‑for‑training clauses, opt‑out mechanisms, audit rights, and breach notification timelines.
Audit test: Request written confirmation of the training opt‑out from your top five AI‑enabled vendors and verify that the confirmation aligns with contract terms, data‑use clauses, and current platform behavior.
Lens 5: Culture
Interview power users in legal, HR, communications, and development. Three drivers recur: speed, lack of awareness of approved tools, and slow provisioning. Measure time-to-provision for approved AI access. When it exceeds 48 hours, shadow usage increases predictably.
Audit test: Correlate provisioning time with shadow AI detections by department.
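The correlation in this audit test, as an added worked example that is not part of the article: per department, a median time-to-provision for approved AI access is paired with the count of shadow-AI detections from the Lens 1 telemetry, a Pearson coefficient is computed across departments, and the departments over the 48-hour threshold are listed. The department figures are constructed to illustrate the method and are not survey results; on a real engagement the input is the full population of departments, and a coefficient on a handful of points is a prompt for interviews, not a conclusion.

```python
"""Correlate time-to-provision approved AI access with shadow-AI detections.

Added worked example. The department figures are constructed to illustrate
the Lens 5 audit test; they are not survey results.
"""
from math import sqrt

# Constructed: department -> (median hours to provision approved AI access,
# shadow-AI detections in the period, from DNS/CASB/DLP telemetry).
DEPARTMENTS = {
    "legal":   (96, 41),
    "hr":      (72, 27),
    "dev":     (24, 9),
    "finance": (48, 15),
    "comms":   (120, 52),
}
SLA_HOURS = 48  # the article's threshold beyond which shadow usage rises


def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 when either series is constant."""
    n = len(xs)
    if n != len(ys) or n < 2:
        raise ValueError("need two equal-length series of at least two points")
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / sqrt(sxx * syy)


def provisioning_correlation(departments=DEPARTMENTS):
    """Correlation between provisioning hours and shadow-AI detections."""
    hours = [h for h, _ in departments.values()]
    detections = [d for _, d in departments.values()]
    return pearson(hours, detections)


def departments_over_sla(departments=DEPARTMENTS, sla=SLA_HOURS):
    """Departments whose provisioning time exceeds the threshold, sorted."""
    return sorted(name for name, (hours, _) in departments.items() if hours > sla)


if __name__ == "__main__":
    print(f"Pearson r (hours vs detections): {provisioning_correlation():.3f}")
    print("Over the 48-hour threshold:", ", ".join(departments_over_sla()))
```

The two outputs are what the audit committee sees: a single number that says whether slow provisioning tracks unsanctioned use across the organization, and the named departments where the intake process is the likely root cause. Finance sits exactly at 48 hours and is not flagged, which is the kind of boundary worth stating explicitly in the workpaper.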
These lenses align with the IIA Global Internal Audit Standards Cybersecurity Topical Requirement (effective February 5, 2026) and provide audit committees with measurable coverage.
How Internal Audit Can Respond
Build visibility first: Launch a 30-day discovery initiative consolidating network telemetry, endpoint inventories, and CASB logs. Build a simple dashboard showing approved versus unapproved tools, data types observed, and business units involved. This creates immediate value without waiting for policy.
Integrate into annual planning: Treat shadow AI as a cross-cutting risk, not a separate audit. Every data-intensive audit should include procedures to test for AI-assisted workpapers and confirm regulated data has not exited controlled environments.
Advocate for pragmatic governance: Effective governance includes a policy prohibiting designated data classes from public models; a limited approved toolkit (one enterprise conversational agent, one code assistant, one summarization tool); SSO, logging, and no-training terms; and a streamlined intake process with three questions and two-day triage by IT, Legal, and Risk.
Strengthen capabilities: Audit teams do not need to become prompt engineers. They need to interpret model cards, analyze DLP alerts, review prompt logs, and understand prompt injection risks. Two-hour workshops on data leakage scenarios are sufficient for baseline competency.
Monitor regulatory developments: EU AI Act obligations, U.S. state-level transparency rules, SEC expectations on AI risk disclosures, and Canada’s evolving AI regulatory landscape are converging. Maintain a quarterly regulatory scan and brief the audit committee on changes to attestation requirements.
Measure what matters: Track three KPIs: percentage reduction in unapproved AI domains month-over-month; percentage of data flows mapped to approved tools; and approved toolkit adoption rate. Report these in weeks, not quarters.
Moving Forward With Confidence
Shadow AI will persist as model capabilities advance. The productivity benefits are real and employees will seek them. Organizations that succeed will make secure usage paths faster and easier than unsanctioned alternatives. Internal audit is uniquely positioned to enable this balance through independence, enterprise-wide visibility, and application of control principles that support rather than hinder innovation.
The 2026 North American Pulse of Internal Audit highlights continued resource constraints alongside elevated technology risk. Addressing shadow AI offers measurable benefits: reduced breach exposure (IBM estimates US$670,000 per incident avoided), improved compliance posture, and stronger data stewardship.
Chief audit executives should elevate this topic in risk assessments, board reporting, and IT steering committees. Start with visibility, prioritize by data sensitivity, and measure progress in weeks, not quarters. Start this quarter. Internal audit cannot govern what it cannot see.
Nirpendra Ajmera is a Chief Audit Executive at an Electrical Utility Company focused on modernizing audit, controls, and AI‑related risk oversight.

