Shadow AI has already arrived in your organization. The question is not whether it exists, but what you are going to do about it.
We call Shadow AI the use of artificial intelligence tools by employees without the knowledge, approval or formal control of the data or technology departments. It is the direct successor to the Shadow IT of the 2010s, with one key difference: the speed of adoption is radically higher, because a browser tab and a personal account are all it takes.
Only 40% of companies have official LLM subscriptions. Yet employees at more than 90% of those same companies report regular personal AI use for work tasks.
While official programs remain stuck in pilot phases, many teams are already using language models daily. The gap between business speed and corporate approval process speed has never been so evident.
Two wrong responses
The Police CDO
Blocks everything and demands prior approval for any AI tool. The result is predictable: Shadow AI does not disappear, it simply becomes more invisible. Employees look for personal alternatives, use private accounts and personal devices, and avoid mentioning their tools in meetings. You have created exactly the scenario you wanted to avoid: uncontrolled use, with no traceability, no data-loss controls and no record in the corporate proxy or firewall logs.
The Open-Door CDO
Removes every barrier on the assumption that innovation cannot be contained. The problem is that without structure, risk materializes: sensitive data pasted into external models the company has no contract with, business decisions based on unvalidated outputs, and an attack surface that grows without anyone tracking it.
Both extremes fail for the same reason: they ignore that the demand is legitimate and that the solution lies in design, not in prohibition or blind permissiveness.
The solution: pragmatic three-layer governance
Layer 1 — Free Zone with Visibility
Personal productivity tools (summaries, drafts, translations) without prior approval, but with passive usage tracking and basic risk training, and on the understanding that data belonging to the higher layers does not go into the prompt. The goal is not to control, but to have visibility.
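What "passive usage tracking" can look like in practice, as an added example and not code from the original article: tally which AI tools are in use and by whom from web-proxy logs, and flag bulk uploads for a second look, without blocking anything. The log format (timestamp, user, method, host, path, bytes sent), the hostname-to-tool mapping and the upload threshold are assumptions for illustration; the log lines are constructed.

```python
"""Passive visibility for Layer 1: tally AI-tool usage from proxy logs.

Added example, not part of the original article. It assumes a
space-separated web-proxy log (timestamp, user, method, host, path,
bytes_sent) and a hand-maintained list of AI SaaS hostnames; the
format, the list and the threshold are illustrative assumptions, and
the sample log lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Illustrative hostname -> tool mapping (assumption; a real deployment
# would maintain this list in the proxy or CASB and keep it current).
AI_HOSTS = {
    "chat.openai.com": "chatgpt",
    "chatgpt.com": "chatgpt",
    "api.openai.com": "openai-api",
    "claude.ai": "claude",
    "gemini.google.com": "gemini",
}

# Request bodies above this size are treated as a bulk upload worth
# a human look (assumption; tune to the environment).
UPLOAD_BYTES = 100_000

# Constructed sample log: one morning of traffic from four users.
SAMPLE_LOG = """\
2024-05-02T09:01:12Z alice POST chat.openai.com /backend-api/conversation 1840
2024-05-02T09:03:40Z bob GET www.example.com /docs 0
2024-05-02T09:05:02Z alice POST chat.openai.com /backend-api/conversation 2210
2024-05-02T09:07:55Z carol POST claude.ai /api/organizations/x/chat_conversations 950
2024-05-02T09:10:31Z dave POST chatgpt.com /backend-api/files 412000
2024-05-02T09:12:00Z bob POST gemini.google.com /app 300
"""


@dataclass
class Event:
    ts: str
    user: str
    method: str
    host: str
    path: str
    bytes_sent: int


def parse_log(text):
    """Parse the assumed six-field log format, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # tolerate noise rather than abort the whole run
        ts, user, method, host, path, size = parts
        events.append(Event(ts, user, method, host.lower(), path, int(size)))
    return events


def summarize(events):
    """Return per-tool user lists, per-user request counts and upload flags."""
    tool_users = defaultdict(set)
    user_requests = defaultdict(int)
    uploads = []
    for e in events:
        tool = AI_HOSTS.get(e.host)
        if tool is None:
            continue  # not an AI tool; Layer 1 only records, it never blocks
        tool_users[tool].add(e.user)
        user_requests[e.user] += 1
        if e.method == "POST" and e.bytes_sent >= UPLOAD_BYTES:
            uploads.append((e.ts, e.user, tool, e.bytes_sent))
    return {
        "tool_users": {t: sorted(u) for t, u in tool_users.items()},
        "user_requests": dict(user_requests),
        "uploads": uploads,
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for tool, users in sorted(report["tool_users"].items()):
        print(f"{tool}: {len(users)} user(s): {', '.join(users)}")
    for ts, user, tool, size in report["uploads"]:
        print(f"review: {user} sent {size} bytes to {tool} at {ts}")
```

Run on the constructed sample this reports chatgpt in use by two people, claude and gemini by one each, and one 412 KB upload to flag for review. Note the blind spot this approach shares with the proxy it reads from: traffic from personal accounts on personal devices never appears here, which is exactly the state the Police CDO pushes employees into.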
Layer 2 — Enabled Zone with Conditions
Access to business or operational data on request, with validation of the use case and periodic review of the outputs. This is where the use cases that generate real value but require a certain level of oversight belong.
Layer 3 — Restricted Access Zone
Customer data, regulated information and critical systems. Formal approval and complete documentation. No shortcuts here, nor should there be.
The BBVA case: execution over perfection
BBVA, a bank with around 125,000 employees, went from decision to a ChatGPT Enterprise rollout in two months rather than studying the problem indefinitely. The results speak for themselves:
- User growth from 3,000 to 11,000 in one year
- 83% weekly active users
- Savings of 2 to 5 hours per person per week
- 74% reduction in support time in Peru operations
They did not wait for a perfect governance framework. They designed one that was good enough, executed it and refined it with real data. That is data leadership in practice.
The uncomfortable conclusion
Shadow AI is less a threat than a symptom: it indicates that there is demand and productivity potential within your organization that the data teams are not meeting fast enough.
It will not disappear through prohibition, because prohibition does not remove the demand. The answer lies in designing governance that is more attractive than chaos.
More attractive than chaos, faster than uncontrolled alternatives, and robust enough to protect when things fail. That is the work of the data leader today.