Shadow AI
Also known as: unsanctioned AI
Definition
Shadow AI is the use of consumer AI tools — ChatGPT, Claude, Gemini, Copilot — by employees without IT approval or visibility. It is the AI-era equivalent of shadow IT: productive, persistent, and a leading source of sensitive-data leakage when uncontrolled.
Why it matters
Shadow AI is the single largest unmanaged data-loss-prevention surface in most enterprises today. Employees paste customer records, source code, financial figures, and protected health information into web AI tools because the tools are useful and faster than approved alternatives. Banning the tools rarely works — usage migrates to personal devices, non-corporate networks, or other channels the organization does not monitor. The result is an audit gap: incidents happen, but the organization has no record of what data left, when, or to which model.
For regulated industries the cost is acute. A single PHI paste into ChatGPT can trigger a HIPAA breach assessment. A customer record in Gemini can become a GDPR Article 33 incident. Shadow AI is also a model-input vector for prompt injection if employees paste untrusted external content into copilots and re-share the output internally.
In practice
Governing shadow AI does not mean banning AI. It means redirecting employee usage onto monitored paths and enforcing data-loss-prevention rules at the browser, before data reaches the model. Prism X is a managed browser extension distributed via Intune, Google Admin, or Jamf that scans every prompt and file upload across ChatGPT, Claude, Gemini, and Copilot. Sensitive content is blocked, redacted, or warned per policy — and every event is logged with a redacted snippet for compliance review.
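The browser-side check described above, reduced to its core decision logic, as an added illustration that is not Prism X code: constructed detector patterns and a constructed policy map each data class to block, redact or warn, the strictest action wins, and the audit record keeps only a redacted snippet whatever the outcome.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed detector patterns for data classes the page names (PHI identifiers,
# customer contact data, payment data). Illustrative, not production-grade.
DETECTORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}
# Constructed policy: the action each data class triggers.
POLICY = {"ssn": "block", "card": "block", "mrn": "redact", "email": "warn"}
SEVERITY = {"block": 3, "redact": 2, "warn": 1, "allow": 0}

def luhn_valid(candidate: str) -> bool:
    """Luhn checksum, so arbitrary 16-digit runs (ticket ids) are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed([c for c in candidate if c.isdigit()])):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def _is_hit(name: str, text: str) -> bool:
    return name != "card" or luhn_valid(text)

def redact(text: str) -> str:
    """Replace every confirmed finding with its class tag, e.g. [EMAIL]."""
    for name, pattern in DETECTORS.items():
        def tag(m, n=name):
            return f"[{n.upper()}]" if _is_hit(n, m.group()) else m.group()
        text = pattern.sub(tag, text)
    return text

@dataclass
class Decision:
    action: str              # block | redact | warn | allow
    outgoing: Optional[str]  # what reaches the model; None when blocked
    findings: list           # data classes found, for the audit event
    log_snippet: str         # redacted excerpt that is safe to retain for review

def evaluate_prompt(prompt: str, max_snippet: int = 80) -> Decision:
    """Decide what happens to a prompt before it leaves the browser."""
    found = sorted(n for n, p in DETECTORS.items()
                   if any(_is_hit(n, m.group()) for m in p.finditer(prompt)))
    action = max((POLICY[n] for n in found), key=SEVERITY.__getitem__, default="allow")
    redacted = redact(prompt)
    outgoing = None if action == "block" else redacted if action == "redact" else prompt
    # The audit log never stores raw sensitive text, whatever the action was.
    return Decision(action, outgoing, found, redacted[:max_snippet])
```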