Shadow AI and the Leadership Gap: Scaling AI to Your Advantage

SANS Institute’s Rob Lee offers commentary on shadow AI and the leadership gap, and how to scale AI to your advantage. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.

This rise of decentralized AI adoption – or shadow AI – is not new, but rather a growing trend that poses significant risks to a corporate entity’s organizational security and operations. According to MIT’s Project NANDA study, roughly 90% of employees report using AI tools without informing their IT departments.

The problem isn’t AI adoption. It’s how enterprise leaders choose to govern it.

For most security teams, “The Framework of No” has served as a baseline response to implementing new AI technology within an organization and managing its potential risk. This methodology – rejecting platforms that can’t be easily secured and banning them in an effort to ‘protect the company’ – ultimately creates operational blind spots that do more harm than good over time.

Discouraging AI use on an organizational level leads to a disjointed AI adoption rollout, leaving employees more motivated to take AI implementation into their own hands.

Organizations will ultimately benefit from bringing shadow AI into the light. It’s no longer enough to ignore or restrict AI usage out of fear. Enterprise leaders need a robust governance framework that aligns with business goals while enabling safe and transparent adoption.

Where the “Framework of No” Falls Short

Restrictive policies are often the go-to solution in response to a weak AI roadmap, but the consequences of such an approach can be far-reaching. Control without context can exacerbate disorganization within the culture. When new technologies are restricted, innovation moves underground as employees find ways to activate them outside of approved channels.

An organization can’t protect what it can’t see. Prompt injections, IP leakage, model misuse, and other vulnerabilities arise when security teams are not aware of or not involved in AI adoption decisions. Most importantly, a “no” culture erodes both trust and the willingness of teams to engage with security.

Replacing control with clarity is the best path forward. Organizations must shift from a security posture that restricts and isolates AI adoption to one that partners with AI innovation to ensure it is safe, secure, and aligned with team objectives.

3 Steps Leadership Can Take Today

To ensure AI is properly implemented, leadership must take the proper steps to know what’s happening in their organization and foster a culture where its use feels safe and clear:

1. Find It – Use telemetry, surveys, and data-mapping exercises to identify shadow AI tools already in use across the organization. Understanding where AI is embedded and how employees are leveraging it is the first step toward managing risk and enabling value.
2. Fund It – Reallocate budgets to shift from pure gatekeeping to empowering responsible AI usage. One practical approach is to start with lower-risk, non-critical functions (e.g., marketing). Provide these teams with a defined budget and ask them to propose enterprise-grade AI tools that meet security and compliance requirements. This creates a controlled environment for experimentation while reducing reliance on unsanctioned tools.
3. Scale It – Build the organizational roles, processes, and capabilities needed to support AI at scale. This includes defining accountability structures, establishing an AI champion network, selecting KPIs that measure responsible adoption, and incorporating AI usage expectations into performance reviews. Provide “lifeguards,” centralized experts who can guide teams, while using these early efforts as structured experiments to learn what works.

Examples of roles that support scaled, responsible AI use include:

• AI SOC Orchestrator – A leadership role overseeing the integration of AI within SOC environments, ensuring AI systems effectively support threat detection and response.
• AI Governance Lead – Responsible for establishing and enforcing AI governance, ensuring compliance with internal standards, regulations, and ethical guidelines.
• AI Incident Response Orchestrator – Focused on coordinating responses to AI-driven incidents and managing risks associated with AI-related security threats. AI is now the nucleus of the corporate operational landscape. Security teams must evolve from being gatekeepers to enablers of safe, innovative AI use – not the reason it happens in secret. By bringing AI experimentation to the open, IT teams, employees and business leaders can determine what works, properly manage risks, and transform AI from a control challenge into a competitive advantage.

The proliferation of shadow AI presents both challenges and opportunities for organizations navigating AI adoption’s complexities. By following this outlined approach, leaders are enabled to not only mitigate risk but also recognize AI as a strategic asset that converts said challenge into a competitive advantage.