Managing Shadow AI’s Hidden Data Breach Risk

Wojciech Wiewiórowski

The rise of artificial intelligence (AI) has brought undeniable opportunities for innovation and efficiency. However, a quiet phenomenon is unfolding, known as Shadow AI, which carries with it several considerable risks. When employees deploy unauthorised AI tools – ranging from generative chatbots and coding assistants to automated note-taking bots – without their organisation’s approval, they might inadvertently bypass critical data protection and security safeguards. What might seem like a quick shortcut to productivity can result in severe consequences, including personal data breaches, non-compliance with regulatory requirements, and operational disruptions that can go unnoticed. 

As the EDPS, our mission is clear: we must ensure that innovation within EU institutions does not come at the cost of fundamental data protection rights. 

When data is fed into an unapproved AI tool, it enters a regulatory blind spot where several hidden risks emerge. First, there is a distinct absence of legal compliance, as unauthorised tools lack formal agreements establishing the legal basis for data processing, defined data retention periods, or necessary safeguards for international data transfers. This creates a transparency black hole. Once data is entered into an unapproved system, it becomes virtually impossible to track or monitor where that information goes, how it is used, or who trains their models on it.

Furthermore, these tools introduce severe security vulnerabilities. For example, certain AI tools, such as automated meeting recorders, can join meetings without the oversight or approval of IT security teams, opening unexpected backdoors. Ultimately, this creates significant risks to data subjects, because disclosing personal data to third parties without strict oversight compromises an organisation's ability to fulfil data subject rights requests. 

To effectively manage and mitigate these risks, organisations cannot rely on a strategy of simply looking the other way. We must adopt a proactive, comprehensive approach to AI governance that balances robust technical controls with a culture of awareness. 

This begins with robust AI governance policies, where organisations develop and maintain clear, practical and aligned frameworks that explicitly define the authorised use of AI tools, establish clear data classification schemes and outline rigorous approval processes for evaluating new technologies. However, policy alone is not enough, and must be backed by technical controls and monitoring. 

These technical controls include blocking unapproved AI domains, enforcing data loss prevention rules, and applying endpoint restrictions to prevent the installation of unapproved AI software. The most effective way to discourage the use of unapproved tools is by providing approved AI platforms that are secure, compliant and capable of meeting staff needs while ensuring full regulatory compliance. This technical foundation must be supported by enhancing employee awareness through continuous training, ensuring that staff understand the real-world risks associated with using public AI systems, the potential impacts on data subjects, and the importance of protecting sensitive data. 

Securing our data does not mean stifling progress. By adopting clear governance, secure alternatives, technical monitoring and staff awareness, institutions can successfully reduce the risk of personal data breaches while fostering safe AI innovation. 

Ultimately, mitigating the risks of Shadow AI is not a task for a single department. It requires close, continuous collaboration between data protection officers, IT departments, security teams and business functions. Together, we can maintain the reliability of institutional information, protect data subject rights, and ensure that the EU leads by example in responsible AI adoption.