How Does Shadow AI Show up In Small Businesses?
There’s a good chance someone in your company has committed “Shadow AI.”
According to a Salesforce survey, 55% of surveyed employees reported using unapproved AI tools at work. This is the primary way shadow AI shows up in small businesses.
It sounds pretty intense, like some kind of sci-fi thriller, but don’t panic. While shadow AI is a serious issue, it is manageable. That’s why, in this post, we’re going to cover:
- The differences between shadow AI and shadow IT
- The risks shadow AI introduces
- Why shadow AI shows up in small businesses
- How to keep your business protected from shadow AI
Let’s get into it.
Key Takeaways:
- Shadow AI is the use of AI tools without IT approval or oversight.
- Easy-to-use tools make it simple for employees to adopt AI on their own.
- Shadow AI can lead to data exposure, compliance issues, and reputational risk.
- A strong AI policy can help mitigate shadow AI.
Shadow AI vs. Shadow IT
You may have heard about shadow IT before. The concept is similar to shadow AI, but here are the key differences:
- Shadow IT is when any software, hardware, or tech is being used in a business without IT approval, knowledge, or oversight.
  - Example: Using your own personal Google Drive to store work data without telling anyone.
- Shadow AI deals specifically with AI tools and platforms.
  - Example: Using ChatGPT to generate a report from company data without telling anyone.
The Risks of Shadow AI
So, what’s the big deal? If AI makes your day easier, isn’t that a good thing?
It can be, but people are using these tools without fully understanding the risks.
Data Exposure
Tools like ChatGPT are run by third parties with their own data policies, settings, and configurations. You don’t own the tools. Anything you enter might be stored for training, reviewed by the vendor’s staff, or retained as “memory” so the tool can recall it in later sessions.
That means important work information can end up stored outside of your organization, beyond your control.
And when over one-third of employees have reported sharing sensitive information with their AI tools, this can become a major problem.
Compliance Violations
Regulators take data security very seriously. The EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are just two of the regulations designed to protect people’s data. Violating them can lead to major fines – violating the GDPR alone can cost upwards of EUR 20,000,000.
When you enter data into an AI, you lose sight of that data. You can’t track, delete, or protect it once it’s out in the AI wilds. That loss of transparency and control can easily put you out of compliance.
AI Cyberattacks
Cybercriminals have been exploiting organizations’ AI blind spots. These attacks are known as adversarial AI attacks, and they range from extracting sensitive information out of poorly secured AI to manipulating AI outputs by corrupting the data the AI learns from. Either way, if you aren’t sure what AI tools your employees are using, you leave your organization open to these attacks.
A famous case involved researchers causing GPT-2 to output private information such as names, email addresses, and phone numbers by using specific “trigger” phrases.
The AI Tonal “Drift”
AI tools are great at speeding up repetitive tasks or generating basic ideas, but when employees rely too heavily on unauthorized AI tools, quality and consistency can suffer.
That’s not to say AI output is bad, but if your company has spent years solidifying a distinct voice and brand, inconsistent use of different AI tools can cause that voice to “drift,” resulting in confusing messaging and off-brand content.
Why Shadow AI Shows up In Small Businesses
Zero Barrier to Entry
It only takes a quick web search or a single click to start using AI. These tools are designed to be easy to access and easier to use. More recently, they’re being built directly into platforms like Salesforce’s Sales Cloud, HubSpot’s Sales Hub, and other everyday business tools.
These tools alone aren’t the problem, but if you don’t know who is using what tools, and what those tools are being used for, you’re going to quickly lose track of your data.
Productivity Pressures
Employees are under more pressure than ever. According to the Microsoft Work Trend Index, nearly 3 out of 4 people say they don’t have enough time or energy to do their jobs. When pressure is at its peak, it’s no surprise that employees are turning to AI to help.
Without a clear AI policy, each employee will gravitate to their preferred AI tool, each with its own security and data practices that your business won’t know about.
Lack of AI Policies
Without a clear policy, businesses leave themselves wide open to shadow AI. If your employees don’t know what they can and can’t use, they’ll use what they want, and you won’t know what security and data practices those tools follow.
What are some examples of shadow AI?
Shadow AI can be tricky to spot, and many employees may not even realize what they’re doing. Here are some examples:
Using ChatGPT to summarize meetings: An employee pastes a meeting transcript containing critical client information into ChatGPT to create a summary, not realizing that they could be exposing that client information.
A similar thing happened to Amazon when confidential information was shared with ChatGPT, which caused the AI to generate outputs that resembled sensitive data.
Using AI extensions: An employee may experiment with third-party AI extensions to speed up development without reviewing the plug-in’s privacy policy or data security practices.
Lasso Security found a perfect example of this when they discovered that Microsoft Copilot was accidentally sharing private code that had been retained by the Bing search engine. Even after the original code was deleted, the AI could still suggest it to other users.
Unsecured AI chatbots: An organization may set up a customer service chatbot that accidentally gives out incorrect information or exposes sensitive information that customers have shared with it.
New York City faced this exact issue with its “MyCity” chatbot, which began giving users incorrect and misleading legal advice. Because the bot wasn’t properly secured, the city was left responsible.
How to Mitigate the Risk of Shadow AI
Create an AI Policy
Creating a concrete and clear AI policy is critical to staying ahead of shadow AI. With an AI policy, you can outline:
- Which AI tools can and can’t be used.
- Who is authorized to use them.
- What kind of information is strictly off-limits (client lists, emails, etc.).
- How to request a new AI tool for approval.
Monitor AI Usage Automatically
Even with an AI policy, employees may end up using plug-ins and SaaS products with AI built in. Endpoint management software gives your IT department better insight into what is actually being used, giving you better control over your environment.
Turn off Model Training
Some AI tools allow you to disable model training – the vendor’s use of your prompts and uploads to improve its AI. Disable this feature so your data stays your data.
Anonymize Sensitive Information
If you do end up needing to use an AI tool, make sure you anonymize any potentially sensitive data with codewords or placeholders before it leaves your environment. That said, we recommend keeping potentially sensitive data out of third-party AI completely.
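As an added illustration (not code from the original post), here is a small Python routine that swaps client names, e-mail addresses, and phone numbers for numbered placeholders before text is sent to a third-party AI tool, keeps the placeholder-to-value mapping locally, and restores the real values in the tool’s output. The client list and sample text are constructed for the example.

```python
import re

# Constructed sample data for this example; in practice the client list
# would come from your CRM or a maintained list of protected terms.
KNOWN_CLIENTS = ["Acme Logistics", "Brightwater Dental"]

PATTERNS = {
    # user@host.tld; the domain part must end in a word char, so a sentence-ending "." is not swallowed
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    # North American style numbers such as 555-123-4567, (555) 123-4567, +1 555.123.4567
    "PHONE": re.compile(r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
}


def anonymize(text, clients=KNOWN_CLIENTS):
    """Replace sensitive values with placeholders like [CLIENT_1] or [EMAIL_2].

    Returns (redacted_text, mapping). The mapping stays on your side; only
    redacted_text should ever be pasted into a third-party tool.
    """
    mapping, counters = {}, {}

    def placeholder(kind, value):
        # Reuse the same placeholder when a value appears more than once
        for tag, original in mapping.items():
            if original == value:
                return tag
        counters[kind] = counters.get(kind, 0) + 1
        tag = f"[{kind}_{counters[kind]}]"
        mapping[tag] = value
        return tag

    # Known names first, longest first, so a longer name is not split by a shorter one
    for name in sorted(clients, key=len, reverse=True):
        text = re.sub(re.escape(name), lambda m: placeholder("CLIENT", m.group(0)), text)
    for kind, pattern in PATTERNS.items():
        text = pattern.sub(lambda m, k=kind: placeholder(k, m.group(0)), text)
    return text, mapping


def restore(text, mapping):
    """Put the real values back into text that came back from the AI tool."""
    for tag, value in mapping.items():
        text = text.replace(tag, value)
    return text


def unredacted_leaks(text, mapping):
    """Final check before sending: any mapped value still present in the text."""
    return [value for value in mapping.values() if value in text]
```

Pattern-based redaction only catches the value types it knows about, so it reduces exposure rather than eliminating it; that is why the advice above to keep sensitive data out of third-party AI entirely still applies.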
Stopping Shadow AI with The 20 MSP
Shadow AI is an increasing challenge for small businesses. Without the proper tools, policies, and know-how, unauthorized AI is extremely difficult to track and stop.
That’s where The 20 MSP comes in.
We know how difficult it is to monitor this kind of thing alone. For a predictable monthly fee, you get a team of security experts who monitor your systems 24/7/365. We’ll help you create an AI policy that fits your business with the tools to enforce it, so no company secrets are left in the open.
If that’s something you’re interested in, let’s talk.
About The 20 MSP
As a leading provider of managed IT services, The 20 MSP serves thousands of businesses nationwide, including single and multi-location organizations, delivering white-glove service, secure and streamlined IT infrastructure, and 24/7/365 support. We believe in building lasting relationships with clients founded on trust, communication, and the delivery of high-value services for a fair and predictable price. Our clients’ success is our success, and we are committed to helping each and every organization we serve leverage technology to secure a competitive advantage and achieve new growth.

