Module 9 · 7 min

AI tools and shadow AI

What can be placed in a chatbot, what cannot, and how to verify output.

The employee does not enter company secrets, personal data, or client documents into AI tools without permission.

Threat

AI helps both defenders and attackers: scams become more believable, and employees can accidentally leak data.

What to know

  • A public AI chat is not automatically a safe place for client lists, contracts, code, passwords, or incident information.
  • AI can be confidently wrong, so legal, financial, and security conclusions must be checked.
  • Attackers use AI to create well-written scam messages and adapt them to a specific person.
  • A safe AI policy defines which tools may be used and which data may be entered.

Actions

  • Do not enter passwords, access keys, client data, or unpublished contracts into an AI tool.
  • When you need AI to improve a text, anonymise the examples in it first.
  • Check AI suggestions against an official source or company procedure.
  • If an AI tool asks to connect a work account or grant broad permissions, stop and ask.

Manager note

A blanket AI ban without alternatives creates shadow AI. A short approved-tools and allowed-data policy works better.
