With increasing awareness of shadow AI as an ungoverned attack surface, organisations face urgent challenges in identifying and controlling unauthorised AI tools amid evolving EU regulations and the need for heightened visibility.
Security teams are increasingly finding that the most dangerous artificial intelligence tools in the workplace are not the ones they approved, but the ones they never knew were there. The IT Supply Chain article argues that so-called shadow AI has become a major ungoverned attack surface, with staff using consumer chatbots, embedded assistants, browser add-ons and low-code workflows that quietly move sensitive information beyond formal oversight.
That concern is echoed elsewhere in the industry. TechRadar has described shadow AI as a fast-growing problem in which employees adopt AI tools without central IT approval, creating gaps in security, compliance and accountability. One report highlighted by the site found that 75% of UK business travellers said they use, or would use, unapproved AI tools, largely because employers are not providing suitable alternatives.
The risk is not limited to obvious misuse such as pasting proprietary code into a public chatbot. The IT Supply Chain piece says the more difficult cases are hidden in ordinary software: an approved SaaS product that gains a new AI feature after a vendor update, a personal account that sits outside corporate identity controls, or an autonomous agent linking HR, finance and third-party models in a single workflow. Zscaler chief executive Jay Chaudhry has made a similar point, warning in an interview with TechRadar that AI agents are becoming the new weakest link in enterprise security.
What makes shadow AI especially pressing now is the regulatory backdrop. The European Commission says the EU AI Act entered into force on 1 August 2024, while the European Data Protection Supervisor describes it as the first global legal framework for AI. The law is being rolled out in stages, with some of the most demanding obligations still approaching, and it applies not only to firms based in the EU but also to organisations whose systems affect people in the bloc.
That means AI governance can no longer be treated as a paper exercise. According to the IT Supply Chain article, many organisations begin with policies, approval boards and acceptable-use rules, only to discover that none of those controls matter if they cannot first identify every AI system in use. The article argues for a discovery-first approach: building a live inventory, classifying systems by risk, controlling access, documenting data flows and continuously monitoring for new features or integrations.
The underlying message is that visibility now matters as much as policy. Companies that cannot see their full AI footprint cannot credibly claim to govern it, and regulators are unlikely to view ignorance as a defence. As TechRadar and the IT Supply Chain article both suggest, the organisations best placed to manage the next wave of AI risk are those that make approved tools easy to use, keep watch over vendor changes and treat shadow AI as an operational reality rather than a future problem.
Source Reference Map
Inspired by headline at: [1]
Sources by paragraph:
Source: Fuse Wire Services