
5 Things Every Business Owner Must Do Right Now to Protect Against Shadow AI


Most business owners find out they have a shadow AI problem one of two ways.


The first way is proactive. They decide to look, they see what is actually happening inside their company, and they deal with it on their own terms. The second way is reactive. Something goes wrong — a data leak, a compliance question, a client who finds out their information went somewhere it was never supposed to go — and the business owner is left explaining a problem they did not know they had.

The gap between those two outcomes is not luck. It is whether or not you took the time to act before something forced your hand.


Shadow AI — the unauthorized AI tools your employees are already using without your knowledge or approval — is running inside 90% of businesses right now. More than three quarters of employees who use AI tools brought those tools to work themselves. And only 30% of business owners have any real visibility into what their teams are actually doing with AI on company time, on company devices, with company data.


If you are reading this, you are probably in the 70%. Here is what you need to do about it.


1. Get Visibility Before You Write a Single Policy


This is the mistake most business owners make, and it costs them months of wasted effort. They hear about shadow AI, they get concerned, and their first instinct is to write a policy. No unauthorized AI tools. Approved list only. Violations subject to disciplinary action. They send it to the team, feel like they handled it, and nothing changes.


The reason nothing changes is that a policy written without data is a policy written in the dark. You do not know what tools your team is actually using. You do not know which departments have the deepest AI habits. You do not know whether the tools already embedded in your most productive employees' workflows are the dangerous ones or the harmless ones. Without that information, your policy is a guess dressed up as a rule.


The right sequence is visibility first, policy second. Before you write a single word of AI governance documentation, find out what is actually happening. Which tools are being accessed? How frequently? By which parts of your organization? Where is data flowing when those tools are used?


That information exists. You just need something that can surface it. Crow, morriganAI's free AI footprint tool, does exactly this — it installs in under sixty seconds, collects zero personal employee data, and starts showing you your organization's real AI activity within minutes. Once you know what you are governing, writing the policy becomes straightforward.


2. Classify Your Data Before AI Touches Any More of It


Not every piece of information your business holds carries the same risk. A social media caption going through an AI writing tool is a fundamentally different situation from payroll figures being summarized by a free browser extension. Most businesses treat these as the same problem. They are not.


The practical solution is a simple three-tier data classification system that every employee can understand without a cybersecurity degree.


Public data is anything that could appear on your website or in a press release without consequence. AI tools can handle this freely and without restriction.


Internal data is operational information — internal processes, meeting notes, project timelines — that should stay inside the organization but would not cause catastrophic damage if it leaked. Only approved, vetted AI tools may be used with it.


Sensitive data is anything that carries legal, financial, or reputational weight if it leaves the building: client contracts, financial records, personnel files, proprietary processes, anything covered by a regulatory framework. No unauthorized AI tool should ever touch this category. Period. The reason is practical rather than theoretical: the default terms of many free consumer AI tools allow the provider to retain what is submitted, and some allow it to be used for training, so once sensitive data has been pasted in you no longer control where it goes.


Once your team understands these three tiers, shadow AI governance stops being an abstract policy argument and becomes a practical sorting exercise. The question for every AI interaction becomes: which tier is this data in, and which tools am I allowed to use with it?


3. Have the Honest Conversation With Your Team — the Right Way


Here is something worth understanding before you sit your team down: your employees are not trying to cause problems. The accountant running payroll summaries through a free AI tool on Friday afternoons does not think she is doing anything wrong. The sales rep pasting client proposals into ChatGPT believes he is just working smarter. They are not hiding from you. They just never connected their workflow shortcut to a company risk they were responsible for managing.

That context matters because the conversation you need to have is not a disciplinary one. It is an informational one.


The worst version of this conversation is the interrogation — who is using what, prove it, you are in trouble. That approach destroys trust, drives shadow AI further underground, and guarantees your team starts working around you instead of with you. The employees most likely to hide their AI tools after a punitive conversation are your best people, who use AI the most.


The better version of this conversation starts with what you found, not what they did wrong. "Here is what our AI data shows is happening across the company. Here is why some of it concerns me. Here is what I want us to build together going forward." That framing invites participation instead of defense. It also opens the door to the most valuable intelligence you have available — your own team telling you which tools are genuinely useful and should be approved versus which ones nobody actually cares about keeping.


One more thing: do not rely on self-reporting to get your data. People forget, they minimize, they do not always make the connection between a tool they use and its category as AI. Real behavioral data from a tool like Crow tells you what is actually happening. Employee conversations tell you why. You need both.


4. Write a Real AI Policy — Not a Fake One


Most small business AI policies are theater. They exist to satisfy a checkbox — we have a policy — without meaningfully changing what happens inside the company. A policy that says "only use approved AI tools" without naming the approved tools is not a policy. It is a paragraph.


A real AI policy has five components that theater policies skip.


It names specific approved tools, not just categories. "Approved AI writing assistants include X and Y" is enforceable. "Only use approved tools" is not.


It defines what data each approved tool can access, tier by tier. This connects directly to your data classification work from step two: every approved tool gets a ceiling (public data only, up to internal, or cleared for sensitive), and your team should be able to look at any data handling situation and know exactly what the policy says without needing to ask someone.


It provides a path for requesting new tools. This is the piece most policies miss, and it is the one that matters most for keeping shadow AI from spreading. If your team has no legitimate way to request a new tool, the only option available to a resourceful employee is to go underground. Give them a simple, fast process — submit the tool, IT or leadership reviews it within five business days, decision communicated clearly — and most employees will use it. The ones who do not are a smaller, more manageable problem than the current situation.


It is reviewed on a schedule, not written once and forgotten. AI tools change. New capabilities emerge. Tools that were low-risk eighteen months ago may have updated their data handling terms in ways that change their risk profile entirely. Your policy needs a review cadence built in.


It includes real consequences that are proportionate to intent. An employee who accidentally used a tool they did not realize was unauthorized is a different situation than an employee who deliberately circumvented a policy they understood. Your policy should reflect that distinction rather than treating all violations identically.
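The sorting exercise from step two and the named approved-tool list from step four can be expressed as one small policy-as-code check, so that "which tier is this data in, and which tools am I allowed to use with it?" is answered the same way every time. The block below is an added example, not code from the original post or from morriganAI. The tool names, their tier ceilings, the sensitive-data patterns and the sample requests are all constructed for illustration; the patterns are a starting point, not a complete data-loss-prevention rule set.

```python
"""Added example (not from the original post or from morriganAI): a policy-as-code
check that ties the three data tiers to a named approved-tool list.

Everything here is constructed for illustration: the tool names, the tier
ceilings, and the sensitive-data patterns (a starting point, not a full DLP set).
"""
import re
from enum import IntEnum
from typing import Optional


class Tier(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    SENSITIVE = 2


# Hypothetical approved list: tool -> highest tier of data it may receive.
# A tool that is not named here is unapproved and receives nothing.
APPROVED_TOOLS = {
    "writing-assistant-x": Tier.PUBLIC,
    "writing-assistant-y": Tier.INTERNAL,
    "internal-llm-gateway": Tier.SENSITIVE,
}

# Markers that force the Sensitive tier (illustrative patterns).
SENSITIVE_PATTERNS = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "payroll_keyword": re.compile(r"\b(payroll|salary|salaries|net pay)\b", re.I),
    "contract_keyword": re.compile(r"\b(confidential|NDA|non-disclosure)\b", re.I),
}
# Markers that force at least the Internal tier (illustrative patterns).
INTERNAL_PATTERNS = {
    "meeting_notes": re.compile(r"\b(meeting notes|action items|sprint|roadmap)\b", re.I),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Digit runs of 13-19 (spaces or dashes allowed) that pass Luhn."""
    hits = []
    for m in re.finditer(r"\b(?:\d[ -]?){13,19}\b", text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text: str):
    """Return (tier, reasons); tier is None when no marker fired."""
    reasons = [name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(text)]
    if find_card_numbers(text):
        reasons.append("card_number")
    if reasons:
        return Tier.SENSITIVE, reasons
    reasons = [name for name, pat in INTERNAL_PATTERNS.items() if pat.search(text)]
    if reasons:
        return Tier.INTERNAL, reasons
    return None, []


def check_request(tool: str, text: str, declared: Optional[Tier] = None) -> dict:
    """Decide whether `text` may be sent to `tool`.

    The employee's declared tier is a floor, never a ceiling: markers in the
    text can raise it, and unlabeled text with no markers is treated as
    Internal, never Public.
    """
    inferred, reasons = classify(text)
    if inferred is None:
        tier = declared if declared is not None else Tier.INTERNAL
        reasons = [f"declared {tier.name}" if declared is not None
                   else "unlabeled text defaults to INTERNAL"]
    else:
        tier = inferred if declared is None else max(declared, inferred)
        if declared is not None and inferred > declared:
            reasons.append(f"declared {declared.name} raised to {inferred.name}")
    ceiling = APPROVED_TOOLS.get(tool)
    if ceiling is None:
        return {"allowed": False, "tier": tier.name,
                "reason": f"{tool} is not on the approved list"}
    if tier > ceiling:
        return {"allowed": False, "tier": tier.name,
                "reason": f"{tool} is approved up to {ceiling.name} only ({', '.join(reasons)})"}
    return {"allowed": True, "tier": tier.name, "reason": ", ".join(reasons)}


if __name__ == "__main__":
    # Constructed sample requests: (tool, text about to be sent, declared tier or None).
    samples = [
        ("writing-assistant-x", "Draft a caption for our new office opening", Tier.PUBLIC),
        ("writing-assistant-x", "Summarise these meeting notes: action items from the sprint review", None),
        ("writing-assistant-y", "Summarise payroll for March: Jane Doe 123-45-6789, net pay 4200", Tier.INTERNAL),
        ("internal-llm-gateway", "Summarise payroll for March: Jane Doe 123-45-6789, net pay 4200", Tier.INTERNAL),
        ("free-browser-extension", "Card on file 4111 1111 1111 1111, expires 12/27", None),
    ]
    for tool, text, declared in samples:
        print(tool, check_request(tool, text, declared))
```

Two design choices matter more than the patterns themselves. The declared tier can only be raised by what the check finds, never lowered, so an employee who labels payroll notes as Internal still gets the Sensitive answer. And text nobody labeled and nothing matched lands in Internal by default, which keeps an unvetted tool from receiving it; the conservative default is the point, because the patterns will never catch everything.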


5. Build an Ongoing Review Cadence — This Is Not a One-Time Audit


The most common mistake businesses make after addressing shadow AI for the first time is treating it as a completed project. They do the audit, they write the policy, they brief the team, and they move on. Six months later the shadow AI landscape inside their company looks completely different and they have no idea.


This happens for a straightforward reason. AI tools are released constantly. The specific tools your team was using when you ran your initial audit are not the only tools available to them today. Browser extensions get installed. New free tools go viral in specific industries. Employees change roles and bring new tool habits with them. The AI footprint of a fifty-person business in motion is not a static thing you can review once and declare resolved.


The practical answer is a regular review cadence — not a full audit every time, but a consistent, lightweight check-in on what has changed. Quarterly is a reasonable starting point for most small businesses. Monthly is better if you are in a fast-moving industry or if your initial audit revealed a high volume of shadow AI activity.


What you are looking for in each review is change from the previous period. New tools appearing that were not there before. Increased activity around specific tools that may signal a department-level adoption worth examining. Any tools that were previously approved whose terms of service or data handling practices have shifted.
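The inventory that step one asks for (which tools, how often, from which parts of the organization, how much data goes out) and the change review described here are the same computation run on two periods and diffed. The block below is an added example, not code from the original post or from morriganAI's Crow tool. It assumes outbound web-proxy logs in a constructed four-field format, a short map of real AI hostnames that is illustrative and nowhere near complete, a made-up user-to-department map, and two made-up log extracts.

```python
"""Added example (not from the original post or from morriganAI's Crow tool):
an AI-activity inventory built from outbound proxy logs, re-run per period and
diffed so that new tools and growth in existing ones stand out.

Assumptions, all constructed for illustration:
- log line format "<ISO timestamp> <username> <destination host> <bytes sent>";
- KNOWN_AI_HOSTS names a few real AI hostnames but is far from complete;
- the user-to-department map and both log extracts are made up.
"""
import re
from collections import Counter

KNOWN_AI_HOSTS = {
    "chatgpt.com": "ChatGPT",
    "chat.openai.com": "ChatGPT",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
    "perplexity.ai": "Perplexity",
    "copilot.microsoft.com": "Copilot",
}
# Heuristic for hosts not on the list: an AI-looking label is reported as
# "unrecognized" so a human decides whether a new tool has appeared.
AI_LIKE_LABEL = re.compile(r"(^|[.-])(ai|gpt|llm|chat|copilot|assistant|openai)([.-]|$)", re.I)

DEPARTMENT_OF = {"alice": "sales", "bob": "finance", "carol": "engineering", "dave": "marketing"}
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

# Constructed log extracts for two review periods.
Q1_LOG = """\
2025-01-14T09:02:11Z alice chatgpt.com 2100
2025-01-14T09:05:40Z alice chatgpt.com 900
2025-01-20T14:11:02Z bob chatgpt.com 15800
2025-01-22T11:00:00Z carol claude.ai 3300
2025-01-22T11:30:00Z carol github.com 120
this line is malformed and is skipped
""".splitlines()

Q2_LOG = """\
2025-04-02T09:10:00Z alice chatgpt.com 2400
2025-04-02T09:12:00Z alice chatgpt.com 1100
2025-04-03T16:45:00Z bob chatgpt.com 22000
2025-04-05T10:00:00Z bob chatgpt.com 19000
2025-04-06T08:20:00Z dave perplexity.ai 700
2025-04-07T09:00:00Z bob chatgpt.com 17500
2025-04-08T09:30:00Z alice chatgpt.com 800
2025-04-08T13:00:00Z carol claude.ai 4100
2025-04-09T17:32:00Z bob free-summarizer-ai.example 41000
2025-04-10T12:00:00Z carol github.com 200
""".splitlines()


def identify_tool(host: str):
    """Map a destination host to a tool name, an 'unrecognized' flag, or None."""
    host = host.lower()
    for known, name in KNOWN_AI_HOSTS.items():
        if host == known or host.endswith("." + known):
            return name
    if AI_LIKE_LABEL.search(host):
        return "unrecognized: " + host
    return None


def parse_log(lines):
    """Parse log lines into (timestamp, user, host, bytes_sent); skip malformed ones."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # a bad line should not abort the whole audit
        ts, user, host, sent = m.groups()
        records.append((ts, user, host, int(sent)))
    return records


def inventory(records, dept_of=DEPARTMENT_OF):
    """Per tool: request count, bytes sent out, distinct users, hits per department."""
    inv = {}
    for _, user, host, sent in records:
        tool = identify_tool(host)
        if tool is None:
            continue
        entry = inv.setdefault(tool, {"requests": 0, "bytes_out": 0,
                                      "users": set(), "departments": Counter()})
        entry["requests"] += 1
        entry["bytes_out"] += sent          # outbound bytes approximate data leaving
        entry["users"].add(user)
        entry["departments"][dept_of.get(user, "unknown")] += 1
    return inv


def top_by_bytes(inv):
    """Tools ordered by how much data went to them, largest first."""
    return sorted(((tool, e["bytes_out"]) for tool, e in inv.items()), key=lambda t: -t[1])


def diff_periods(previous, current, growth_threshold=2.0):
    """What changed: tools that appeared, tools that vanished, tools whose use grew."""
    new_tools = sorted(set(current) - set(previous))
    gone = sorted(set(previous) - set(current))
    growth = {}
    for tool in set(previous) & set(current):
        before, after = previous[tool]["requests"], current[tool]["requests"]
        if before and after / before >= growth_threshold:
            growth[tool] = round(after / before, 2)
    return {"new_tools": new_tools, "gone": gone, "growth": growth}


if __name__ == "__main__":
    q1, q2 = inventory(parse_log(Q1_LOG)), inventory(parse_log(Q2_LOG))
    for tool, e in q2.items():
        print(f"{tool}: {e['requests']} requests, {e['bytes_out']} bytes out, "
              f"departments {dict(e['departments'])}")
    print("top destinations by data sent:", top_by_bytes(q2))
    print("changes since last period:", diff_periods(q1, q2))
```

Two things the diff surfaces that a one-time audit would not: a host nobody has approved or even heard of (flagged "unrecognized" rather than silently dropped) showing up in the finance department with the largest outbound volume of the period, and a known tool whose request count doubled. Either one is the "change from the previous period" worth a conversation; the raw counts on their own are not.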


This ongoing visibility is the difference between managing shadow AI and simply reacting to it. Businesses that build the cadence own the problem. Businesses that treat it as a one-time fix find themselves back at square one when something changes — which it always does.


The Common Thread Across All Five


If you read these five steps carefully, one thing connects all of them: the answer to shadow AI is not surveillance, restriction, or punishment. It is visibility, structure, and honesty.


The businesses that manage this well are the ones where leadership knows what is actually happening, communicates clearly about what is and is not acceptable, and gives their team legitimate paths to work with AI rather than around the company's policies. That combination builds trust instead of eroding it, and it keeps your best employees — the ones innovative enough to find AI shortcuts on their own — working with you instead of quietly around you.


Shadow AI is not a problem you can solve by looking the other way. But it is absolutely a problem you can get ahead of if you start today.




morriganAI helps small and mid-market businesses understand and manage their AI Identity — how their people, systems, and AI tools actually interact inside their operations. Based in Des Moines and Chicago, serving businesses across the Midwest.


500 Locust Street

Des Moines, IA 50309

231 S Lassalle St, Suite 2100

Chicago, IL 60604

299 Bush Street, Suite 3140

San Francisco, CA 94104

Des Moines | Chicago | San Francisco 


© 2025-2026 by Morrigan Company
