AIAdopt
Whitepaper · February 2026 · 7 min reading time

Shadow AI in SMEs: risks, scale and how to respond

Shadow AI, the unapproved use of AI tools at work, is growing fast in SMEs. The risks for data, quality, compliance and reputation, and how to channel it.


Shadow IT is a familiar phenomenon: employees using their own tools and systems without IT's approval. Shadow AI is the new variant, and it is growing faster than any IT department can keep up with.

This whitepaper describes what shadow AI is, how widespread it is in SMEs, which risks it brings, and how to deal with it as an organisation without stifling innovation.

What is shadow AI?

Shadow AI is the use of AI tools by employees without the organisation knowing about it or having approved it. It is not about malice, it is about employees who want to do their work better or faster and use tools they have found themselves.

Concrete examples: an employee who has customer emails rewritten by ChatGPT. An HR employee who has application letters summarised by an AI tool. A marketing employee who generates images with a free AI service. A finance employee who uses an AI browser extension to analyse spreadsheets.

All these situations have two things in common: the organisation does not know about them, and company data may be processed through channels that the organisation has not authorised, assessed or contractually controlled.

The scale of the problem

Research shows that generative AI at work has grown rapidly, while a substantial share of that use takes place outside formal approval, policy or the employer's view. Widely cited figures from the Microsoft and LinkedIn Work Trend Index show that a large majority of knowledge workers use AI at work, and that a large share of them bring their own AI tools without their employer knowing, so-called "bring your own AI". Younger employees lead the way, but unauthorised AI use occurs in all age groups.

In SMEs, shadow AI is particularly hard to control. AI adoption is growing, while smaller organisations often have less formal security capacity, monitoring and governance. Available industry research suggests that unauthorised AI use is not only a large-enterprise problem, but the exact scale differs by country, sector and measurement method. Large companies more often have security teams and tooling that can flag network traffic to public AI services, precisely what is usually missing in SMEs.

The result: in many SMEs there is no view at all of which AI tools employees use, which data they share with them, and which risks that brings.

The risks

Shadow AI brings four categories of risk.

1. Data loss and privacy

When employees enter company data into public AI tools, that data is processed on external servers, possibly outside the EU, and depending on the tool, account type, settings and contract, it may also be used to improve AI models.

Browser extensions are a particularly risky form of shadow AI when they have broad permissions. A summarise button can mean that the extension has access to page contents, emails, forms or documents that the employee did not realise were being exposed, including confidential emails, financial data and customer information. In effect, it can become a data breach or unlawful processing incident with an AI veneer.

This is not only a business risk, it is also a GDPR risk. In Belgium, the Data Protection Authority (GBA) can become involved where shadow AI leads to unlawful processing of personal data or a reportable data breach.

2. Quality risks

AI tools produce output that sounds convincing but can be factually wrong, so-called hallucinations. When employees without training use AI-generated content without checking it, incorrect information can end up in customer communication, reports or decision-making.

A concrete example: lawyers have been sanctioned and fined for including AI-generated, non-existent case law in court documents. The AI had simply invented the cases in question, and nobody had checked before the document was filed.

3. Compliance risks

To comply with the EU AI Act, organisations in practice need to know which AI systems they use and which risk level applies to them. For high-risk AI, specific documentation and use obligations apply on top of that. If you do not know that employees are using AI, you cannot map it. And if a supervisory authority asks which AI systems you deploy, "we do not know" is not a strong answer.

There are also specific prohibitions in the AI Act that employees can breach without realising it. Using emotion recognition on employees in the workplace? Prohibited, except for medical or safety reasons. Using AI to gauge customers' moods is not automatically prohibited, but it can trigger transparency, GDPR and consumer-protection risks. Using AI for unlawful social scoring? Prohibited. Other forms of scoring may be high-risk rather than banned, depending on purpose and effect.

4. Reputational risks

Imagine a customer discovering that their confidential data was processed by a public AI tool. Or an applicant finding out that their cover letter was summarised by ChatGPT without their consent. The reputational damage can be greater than the legal consequences.

Why banning alone does not work

The reflex response to shadow AI is often: ban it. Block ChatGPT on the company network. Ban AI browser extensions. Write a strict policy with sanctions.

Banning alone does not work. Blocking high-risk tools can be a necessary part of your policy, but a ban without approved alternatives, policy and training usually pushes use further underground. Shadow AI is almost always a signal of need, not of bad intent. Do not see it as rebellion, but as free market research into the needs of your own team. And AI is not going away: organisations that ban AI outright lose competitiveness.

The approach: channel instead of block

Step 1: Take stock of current use. Ask employees, openly and without threat, which AI tools they use. Also check network traffic and installed browser extensions.
Step 2: Offer approved alternatives. A business ChatGPT or Copilot licence with the right enterprise settings and contractual safeguards, under which your data is not used to train models. That is a fundamental difference from the free versions.
Step 3: Draw up a policy. An Acceptable Use Policy for AI. Short, clear and concrete. Communicate it actively in a team meeting, not as an attachment to an email.
Step 4: Train your staff. Employees who understand why shadow AI is risky stop of their own accord, provided they have a good alternative. Training is not the stick. Training is the carrot.
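As an added illustration of the inventory in step 1 and of the broad-permission risk described under data loss and privacy, the following Python script (written for this page, not AIAdopt's own tooling) triages Chrome-style extension manifests by the permissions they declare and ranks them for review. The sample manifests, keyword lists and priority rules are constructed assumptions; the `Extensions/<id>/<version>/manifest.json` layout is the Chromium profile layout.

```python
import json
import re
from pathlib import Path

# Permissions that give an extension reach into open tabs, page scripts or the clipboard.
BROAD_PERMISSIONS = {"tabs", "webRequest", "scripting", "clipboardRead", "activeTab", "cookies"}
# Host patterns that mean "every site the user visits", webmail and finance apps included.
ALL_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
AI_WORDS, AI_PREFIXES = {"ai", "gpt", "llm", "copilot"}, ("summar", "assist", "chat")

def looks_like_ai(name: str) -> bool:
    """Whole-word match, so 'mail' or 'detail' do not count as 'ai'."""
    words = re.findall(r"[a-z]+", name.lower())
    return any(w in AI_WORDS or w.startswith(AI_PREFIXES) for w in words)

def assess_manifest(manifest: dict) -> dict:
    """Triage one manifest: broad permissions, all-host access, name hint and review priority."""
    name = str(manifest.get("name", "?"))
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # Manifest V2 lists host patterns under "permissions"; V3 moved them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    broad, all_hosts, ai_named = sorted(perms & BROAD_PERMISSIONS), bool(hosts & ALL_HOSTS), looks_like_ai(name)
    # Reading every page the user opens is the defining risk; AI naming or extra reach raises it.
    if all_hosts and (broad or ai_named):
        priority = "high"
    elif all_hosts or broad:
        priority = "medium"
    else:
        priority = "low"
    return {"name": name, "broad_permissions": broad, "all_hosts": all_hosts,
            "ai_named": ai_named, "priority": priority}

def scan_extensions_dir(root) -> list:
    """Walk a Chromium profile's Extensions/<id>/<version>/manifest.json files and triage each."""
    records = []
    for path in sorted(Path(root).glob("*/*/manifest.json")):
        record = assess_manifest(json.loads(path.read_text(encoding="utf-8")))
        record["extension_id"] = path.parents[1].name  # the folder name is the extension id
        records.append(record)
    return records

# Constructed sample manifests (this whole script is an added example, not AIAdopt's tooling).
SAMPLE_MANIFESTS = [
    {"name": "Mail Summariser AI", "manifest_version": 3,
     "permissions": ["storage", "tabs", "scripting"], "host_permissions": ["<all_urls>"]},
    {"name": "Sheet Helper", "manifest_version": 2, "permissions": ["storage", "https://*/*"]},
    {"name": "Reading Theme", "manifest_version": 3, "permissions": ["storage"]},
]
```

Point `scan_extensions_dir` at a user's Chromium profile `Extensions` folder to get the same records for installed extensions; a "high" result is a candidate for the conversation in step 1, not proof of data leakage.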

The role of the IT department

IT can block tools, monitor network traffic and manage enterprise licences. But the policy must come from leadership, the training from HR, and the culture change from everyone.

A smart approach: use your firewall not only to block, but to redirect. When an employee browses to an unauthorised AI site, redirect them to an internal page with the message: "Want to use AI? Good idea, use our secure business environment and complete the AI literacy training first."

Conclusion

Shadow AI is not a problem you solve by banning it. It is a signal that your organisation is lagging behind the needs of your staff. The solution is not less AI, but better AI: approved, secured, and supported by policy and training.

Organisations that take shadow AI seriously often find they solve two problems at once: the compliance risk shrinks, and productivity rises, because staff now work with better tools, in a safer way.

Need help tackling shadow AI in your organisation? AIAdopt supports you through the whole journey: from inventory and risk assessment to policy, training and ongoing management. Our Module 4 (IT/Technical) covers shadow AI detection and governance in depth, and with an AI-AdoptieScan (AI Adoption Scan) we map where you stand today.

Want to know where your organisation stands?

Download our free EU AI Act Compliance Checklist or view our AI literacy training.

Want to know more?

Get in touch for a no-obligation conversation about what AIAdopt can do for your organisation.