Shadow AI is your team using AI tools nobody approved, on work nobody cleared, usually with good intent and no cover. It’s the most common AI risk in Australian business right now, and the fix is not a ban. It’s rules, an honest conversation and training that gives people a legal route to the productivity they’ve already found.
In every keynote I ask the room to put a hand up if they used AI this week. Every hand goes up. Then I ask who has told their boss. Most of the hands come down. That gap has a name, and it’s probably in your business today.
How does shadow AI show up?
Quietly, and in the places you’d least like it to. The Josys Shadow AI Report surveyed 500 Australian tech decision makers in 2025 and found 36% of employees have uploaded sensitive company data into AI tools. Strategic plans led the list at 44%, then technical data at 40%, financials at 34% and internal communications at 28%. One in four admitted to sharing customer personal information. Sales and marketing teams carried the highest risk at 37%.
The pattern behind the numbers is always the same, and I see it in every engagement. The marketing coordinator pastes the strategy doc into a free chatbot to summarise it before a deadline. The admin lead runs client emails through one to soften the tone. Nobody is being reckless on purpose. They found something that works, there were no rules about it, so they used it and didn’t mention it. Microsoft’s data says 75% of workers now use AI on the job; other research puts the share hiding it from their managers at more than half.
I watched it happen in real time with the Greater Springfield Chamber program. The discovery was never teaching people AI from scratch; a good slice of the room was using it well before the first workshop, and the session was simply the first time anyone said so out loud.
Your people are already using AI. The only question is whether it’s declared.
Why do bans fail?
Because banning AI doesn’t stop the using. It stops the telling.
Research across 2025 and 2026 keeps landing on the same finding: 49% of workers are using AI in ways their employer hasn’t approved, and of those, 58% are doing it in free-tier tools with no enterprise data protection at all. Push it underground and you keep every bit of the risk while losing every bit of the visibility. IBM found one in five security incidents now involves unsanctioned AI, and breaches involving shadow AI cost an average of USD $4.63 million.
It’s getting harder to police by the month, too. AI features are now embedded inside the everyday software your team already has approval to use, which means the detect-and-block approach is fighting the tide. And from 10 December 2026, Privacy Act obligations around automated decision-making kick in. You can’t disclose what you don’t know is happening.
The amnesty conversation
The way out is embarrassingly low-tech. You call it what it is, take discipline off the table and ask.
Something like this, in your own words: I know most of us are already using AI somewhere in our work. That’s fine, and nobody is in trouble. Over the next month I want to know what’s being used and what for, because I’d rather build our rules around reality than around what I wish was happening. If something is saving you three hours a week, I want everyone to have it.
If you want a structured read on where your business sits before you open the conversation, the AI Readiness check takes about three minutes and gives you the starting map.
Frame the audit as research, not investigation. The teams that get honest answers are the ones where the first discovery gets celebrated, not punished. Run it for a month and you’ll end up with something no consultant can sell you: a real map of where AI is already creating value in your business, drawn by the people doing the work.
Turning shadow use into declared use
This is a guardrails job, and it follows the same sequence as my GIST framework. Guardrails: write down what never goes into AI tools, which is the one page that kills most of the risk on day one, and my policy template gives you the starting point. Intent: decide why AI belongs in your business at all, informed by that map your amnesty month just drew. Strategy: pick the approved tools, on business-tier accounts, so people have a legal route that’s better than the shadow one. Practical Training: teach the rules and the tools together, because a rule nobody was trained on is a rule nobody follows.
The full write-up on getting the policy done is its own article. The short version: one page, six sections, published with a review date.
What to do on Monday morning
- Have the amnesty conversation this week. Take discipline off the table, ask what’s being used and celebrate the first honest answer loudly.
- Stand up an approved list with at least one business-tier tool on it. People stay in the shadows when the official route is worse than the unofficial one.
- Write the one-pager. The Board-Ready AI Policy Template gets you from blank page to published in an afternoon, with versions for small businesses, mid-size teams, not-for-profits and member associations.
The Augmented Workforce isn’t a future state. It’s already on your payroll, working quietly. Bring it into the light and it gets better; leave it in the dark and it just gets riskier.
Questions people ask
Is shadow AI the same as banned AI use?
No. Banned use breaks a rule that exists. Shadow AI mostly happens where no rule exists at all: the tools were never approved because nobody ever decided anything. That distinction matters, because you can't fairly discipline people for crossing a line you never drew.
Should we discipline staff for using AI without approval?
Not for the past, unless something truly serious happened with data you're legally obliged to protect. Draw the line, publish it, train everyone on it, then hold it going forward. Punishing the past guarantees you'll never hear the truth again.
How common is shadow AI in Australian businesses?
Very. Australian research in 2025 found 36% of employees had put sensitive company data into AI tools, and global studies put overall exposure at around 70% of organisations. If you have more than a handful of staff, assume it's happening and plan from there.
Human-led. AI-leveraged. My philosophy, my business, this article. The Augmented Workforce in action.
Drafted with Ada, my AI collaborator. Reviewed, shaped and signed off by me. How I work with AI · Tracy Sheen CSP
