Employees using AI without approval could be putting sensitive company and personal data at risk, according to The European Data Protection Supervisor (EDPS). The so-called “shadow AI” can create security blind spots, compliance failures, and even data breaches.
-
The EDPS warns that unauthorized AI tools can expose sensitive data.
-
Regulators may struggle to track how data is used once it enters unapproved AI systems.
-
Shadow AI can create security risks and unexpected access points.
-
The watchdog urges organizations to adopt AI governance and monitoring controls.
Shadow AI refers to the deployment of AI tools, such as chatbots and coding assistants, without upper management's approval. This carries considerable risks, like unintentionally bypassing critical data protection safeguards.
“What might seem like a quick shortcut to productivity can result in severe consequences, including personal data breaches, non-compliance with regulatory requirements, and operational disruptions that can go unnoticed,” European Data Protection Supervisor Wojciech Wiewiórowski says in a statement.
According to the EDPS Chairman, the use of unauthorized AI tools can create a “blind spot” for regulators, leading to a lack of legal compliance and, in turn, a so-called “transparency black hole.”
“Once data is entered into an unapproved system, it becomes virtually impossible to track or monitor where that information goes, how it is used, or who trains their models on it,” Wiewiórowski explains.
Shadow AI also introduces all kinds of security issues. For example, automated meeting recorders can join meetings without oversight or approval from security teams, thereby creating unexpected backdoors.
To effectively manage and mitigate AI-related risks, organizations must address them rather than ignore them. This requires clear governance policies, technical safeguards, and a workforce that understands how to use AI responsibly.
Wiewiórowski calls for establishing clear policies regarding the use of AI tools, as well as implementing technical controls and monitoring services, including blocking unapproved AI domains, enforcing data loss prevention rules, and applying endpoint restrictions to prevent the installation of unapproved AI software.
“Mitigating the risks of Shadow AI is not a task for a single department. It requires close, continuous collaboration between data protection officers, IT departments, security teams, and business functions,” Wiewiórowski concluded.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked