Shadow AI Workflows: When Approved Tools Create Risks Your Governance Cannot See

A 200-attorney firm I worked with this spring ran an internal AI audit. Going in, the General Counsel was confident she knew the AI footprint. The firm had two approved deployments. A contract-review assistant the corporate group used. And a research summarizer the litigation group used. Both were under formal governance. Both had documented use cases. Both had been signed off by IT, by the Risk Committee, and by the partners who used them.

The audit found nine more workflows. Every one of them was running on one of the two approved tools.

Associates in the labor group had built a deposition-summarization script that fed transcripts into the research summarizer with a custom prompt. A junior partner in tax had assembled an auto-billing template that summarized timekeeping notes into client-ready narratives. The corporate group had extended the contract assistant to draft first-pass NDAs from a parameter set in a shared spreadsheet. Litigation paralegals had built a discovery prioritizer that ran document review summaries through the same approved tool.

Every one of them was a real productivity gain. None of them had been registered. None of them had been reviewed for privilege exposure. None of them had been audited for whether the data they fed into the model was data the firm was authorized to send to that vendor.

The General Counsel had been confident she knew the firm's AI footprint. She knew about two of the eleven workflows that actually existed.

This is shadow AI. It is the fastest-growing governance gap in enterprise AI today. And it is harder to detect than shadow IT in a way the existing detection stack was never designed to handle.

What Is Shadow AI, Specifically?

Shadow AI is the use of AI tools and capabilities within an organization that falls outside the visibility and governance of the central IT, security, or AI team.

The term is borrowed from shadow IT, which described employees using unapproved software, cloud services, or applications without IT oversight. Shadow AI follows the same pattern but with one critical difference that makes it both harder to detect and more dangerous to ignore.

Shadow IT involved unapproved tools. The tool itself was the unauthorized thing. Security teams could detect it by scanning for unauthorized software, cloud accounts, or API endpoints. The asset register and the actual environment eventually converged because detection was a tractable problem.

Shadow AI almost always involves approved tools. The model is authorized. The API access was granted. The data permissions are valid. The governance framework already approved the foundation.

What the governance framework did not approve is what each team does with that access. The prompts they write. The automations they build. The decisions they make based on the outputs. The data they feed into context windows that were never evaluated for that data type.

Your detection stack sees an approved tool being used by authorized users and reports compliance. The risk is in a layer the stack never reads.

Why Shadow AI Is Worse Than Shadow IT in Three Specific Ways

1. It looks identical to authorized usage. Shadow IT showed up as unauthorized software on an asset scan. Shadow AI shows up as authorized API calls on an audit log. There is nothing to flag.

2. It scales without leaving infrastructure traces. A new shadow IT tool needed install or onboarding, which left a footprint. A new shadow AI workflow is often just a new prompt in a personal Google Doc. No new account, no new tool, no new endpoint. The workflow can be production-grade within a day, invisible the entire time.

3. The data exposure is inside the prompt. A shadow IT tool's data exposure was about what the tool stored and where. Shadow AI's data exposure is about what gets pasted into the prompt, which is often privileged matter material, regulated personal data, or confidential business information that was never approved for the model's vendor under the firm's BAA, GLBA, or vendor-risk regime.

For law firms specifically, the exposure has malpractice and ethics dimensions covered in the biglaw AI governance guide and client-confidentiality technical guide. The ABA Model Rules and the state bar opinions that have followed them are clear about a partner's responsibility to know how the firm's AI tools are being used, and to know which data is being routed where.

How Do Shadow AI Workflows Grow Inside Organizations?

The growth pattern is consistent. I have seen this at law firms, hospitals, banks, and hotel groups. The script is the same.

The central team deploys an approved tool with a documented use case. A team in some department realizes they can use the same tool to solve a related problem. They build a small script. It works. They expand it. Nobody outside the team knows it exists.

Another team sees the first team's success and builds their own automation. Then another. Each team solves a real problem. Each automation is genuinely useful. Each one is invisible to the central governance framework.

Within months, the official AI estate (two workflows) has been extended into an actual AI estate of two official workflows and an unknown number of unofficial workflows spread across every team with access to the approved tool.

The gap between the official estate and the actual estate is where the compliance exposure, the privilege-waiver risk, and the conflicting automated decisions all live.

How Do You Audit and Govern Internal AI Usage?

Governing shadow AI takes observability across the full AI estate, official and unofficial. The five controls that actually work:

1. Prompt-level logging. Every prompt submitted to an approved model is logged. Not just the API call. The content. This is how you discover that the labor associates are running depositions through the research tool, that the tax partner is auto-billing, that the corporate group has extended the contract assistant well past its documented scope. Without prompt-level logging, the activity is invisible.

2. Workflow discovery. Automated scanning for scripts, scheduled tasks, browser extensions, and API integrations that interact with approved AI models outside of documented workflows. If someone built a Python script that calls the model's API on a cron schedule, the governance layer needs to find it.

3. Data flow tracking. Which data sources are being fed into the model's context by each workflow. An unofficial workflow that feeds privileged client material into a vendor that does not have a privilege-protective contract creates immediate exposure. Data flow tracking surfaces these undocumented paths.

4. Output auditing. What are the unofficial workflows producing. Are the auto-generated billing narratives consistent with the firm's billing standards. Are the discovery prioritizations defensible if challenged. Are the NDA drafts current with the firm's preferred clause library. Without output auditing, you do not know what your unofficial AI estate is actually doing.

5. Centralized AI catalog. Every workflow that touches an approved AI model, official or unofficial, is registered in a central catalog. This is the foundation for governance. You cannot govern what you cannot see. The catalog makes the invisible visible.

The AI governance frameworks guide lays out the operating model that supports these five controls. The ISO 42001 implementation guide maps them to the formal management-system requirements if your firm is pursuing certification.

What Shows Up in Your Next Audit

If your observability stops at what the central team deployed, you are blind to half the AI your organization actually runs.

That blind spot surfaces in one of three ways.

An incident. Something goes wrong in a workflow nobody knew existed. The investigation reveals an entire class of AI usage that was never governed. The remediation costs more than building governance from the start would have.

An audit. An internal or external audit requests a complete inventory of AI usage. The central team provides the official estate. The auditor finds the rest. The gap becomes a finding.

A data event. An unofficial workflow feeds sensitive data into a model context that was never evaluated for that data type. The exposure surfaces in incident response. The compliance team learns about the workflow for the first time during the breach call.

All three are preventable, with one requirement: observability across your full AI estate.

Vendor and Internal-Tool Diligence Questions That Catch Shadow AI

If you are responsible for governing AI inside a regulated organization, the questions to ask of every approved tool, and of the teams using it, are not the ones on the standard intake form.

1. What is the complete list of prompts being submitted through this tool, and where is that log stored?
2. What is the data classification of every input that has been submitted in the last 90 days?
3. Which scripts, scheduled tasks, or integrations are calling the tool's API outside of the documented workflow?
4. Which outputs are being committed to a system of record, sent to a client, or used to make a billable judgment, and who reviewed them before that happened?
5. What is the rate of new prompt patterns being introduced per week, and who is introducing them?

A team that can answer those five questions for every approved AI tool has shadow AI under control. A team that cannot answer any of them is operating on faith. Claire tags every workflow with an owner, a use-case category, and a data-classification at the point of creation. Every prompt is logged. Every output is auditable. Workflows that were not registered in advance cannot run, full stop. The General Counsel never has to learn about the deposition-summarization script during an audit. The script could not have been built without registering it.

---

Maya Chen is the voice behind Maya Builds AI, a video and podcast series on enterprise AI infrastructure for the people building and operating these systems. Three new videos a week on YouTube. The podcast lands weekly on Spotify and Apple Podcasts. For the law-firm-specific governance build, read the biglaw AI governance guide.