What every board now needs to ask about shadow AI

A new Lookout study found 93% of security executives feel fully confident in their AI governance, even as most generative AI use has slipped onto mobile devices their tools cannot see. Here is the board conversation that gap should start.
A new Lookout study found 93% of security executives are fully confident in their AI governance, while more than half of generative AI use has quietly moved to mobile devices their tools cannot see. Confidence is not control. The board question worth asking this quarter is not "do we have an AI policy?" but "can we see the AI employees already use, and could we prove it to an auditor in 90 days?"
The shadow AI headline that reached the board
On June 9, Lookout published a study with ZK Research carrying a title that reads like a quiet confession: “Solving for the Mobile AI Blind Spot: Executive Confidence Meets Technical Reality.” I read it twice. One number does the work of the whole report. 93% of security executives say they are completely confident in their AI governance. In the same study, 52% of all generative AI use has moved to mobile devices, where the network perimeter those executives trust simply cannot watch. Help Net Security covered it two days later under a plainer headline: most organizations cannot see much of their own mobile AI activity. So the board hears “our security leaders are confident” and relaxes. The report is saying, gently, that the confidence is the part to worry about.
"93% of security executives voice absolute confidence in their AI governance."
What the shadow AI confidence gap actually means
Here is the thing about shadow AI. It is not a story about reckless employees. It is the completely predictable result of smart people being handed the most useful tool of their careers and then being asked to wait. So they use it on their phones, in personal accounts, on the train home. The work still gets done. It just gets done somewhere the company cannot see.
The Lookout numbers stack up fast. 59% of mobile AI traffic flows “dark,” invisible to network discovery. 68% of organizations have zero visibility into what autonomous AI agents are doing on employee devices. 72% cannot even identify the AI components quietly baked into apps they already approved. None of that shows up in a confident answer to the question “do we have AI under control?”
Now the uncomfortable pairing. A Grant Thornton survey from this spring asked executives a different question: could they pass an independent AI governance audit in the next 90 days? 78% said they were not strongly confident they could. Put the two studies side by side and the picture clears up. We feel in control. We could not prove it. Those are not the same sentence, and a board that mistakes one for the other is the board most likely to be surprised.
Confidence is not control. The board most likely to be surprised is the one that mistakes the first for the second.
Shadow AI: what leaders feel versus the data
| Self-reported confidence | Measured reality |
|---|---|
| 93% fully confident in AI governance | 59% of mobile AI traffic invisible to network tools |
| 97% call AI governance mission-critical | 68% have no visibility into AI agent workflows |
| About 19% of security budget spent on AI compliance | 78% cannot produce audit-ready evidence |

If shadow AI makes it onto the agenda, three questions tend to surface. Here is how I would answer them, calmly, with the evidence in hand.
Can we actually see it? This is the first and most honest question, and “we have a policy” is not an answer to it. A policy is a sentence. Visibility is a system. The Lookout data says most companies have the sentence and not the system. The fix starts small: an inventory of what is genuinely in use, pulled from real signals rather than a survey nobody fills in honestly.
Who is actually doing this? Most boards assume shadow AI is a frontline habit. The data points up the org chart, not down it. BlackFog reported earlier this year, in coverage from CIO, that 69% of presidents and C-suite members, and 66% of senior vice presidents, are fine using AI tools that were never approved. The people writing the policy are often the ones quietly working around it. That is worth saying out loud in the room, because it shifts the tone from “discipline the staff” to “fix the system all of us are already using.”
Could we prove it to an auditor in 90 days? This is where the EU AI Act stops being abstract. The Lookout study found 78% of security leaders cannot produce the audit-ready evidence those frameworks will ask for, and EY noted this spring that 85% of tech leaders are prioritizing time-to-market over governance. The August high-risk deadline is close, and “we were confident” is not a control an auditor accepts. The good news: the work that makes an audit survivable is the same work that closes the visibility gap. Do it once, get both.
The board question that matters is no longer "do we have an AI policy?" It is "can we see the AI our people already use, and could we prove it to an auditor in 90 days?" A policy is a sentence. Visibility is a system, and only one of those survives an audit.
Shadow AI means the tools outran the rules
If you have one minute, here it is. Shadow AI is not a sign the company is falling apart. It is a sign the tools are more useful than the rules, which is normal and fixable. One new study this month put hard numbers on a gap we already suspected: leaders feel in control, and the usage has moved to places the old tools cannot see. We will not ban our way out of this, because banning is what moved it onto phones in the first place. The plan is calmer than it sounds. Make the usage visible. Give people a sanctioned option that is actually good. Get to where we could pass an audit on purpose rather than by luck. That is a quarter of focused work, not a fire drill. And one honest caveat for the room: the fresh figure here comes from a single study, so treat it as a reason to look at our own logs, not as gospel.
Watch mobile discovery and the August AI Act deadline
Two things over the coming weeks. First, whether mobile-native discovery turns into a real budget line, since mobile is where the usage actually went. Second, the EU AI Act high-risk deadline in August, which turns “we could not see it” from an embarrassment into a finding. Neither needs panic. Both reward starting now, while it is still a quiet quarter and not a headline.
The companies that handle shadow AI well are not the ones with the strictest bans. They are the ones who got honest about what was already happening, and built the light switch before anyone asked where it was.
Sources
- Lookout Study Reveals 93% of CISOs Blinded by False AI Confidence as 59% of Mobile AI Traffic Flows Dark - Business Wire, 2026-06-09
- Organizations can't see much of their mobile AI activity - Help Net Security, 2026-06-11
- 2026 AI Impact Survey - Grant Thornton, 2026-03-18
- Shadow AI rises as leaders choose speed over governance - CIO Dive, 2026-03-09
- Roughly half of employees are using unsanctioned AI tools, and enterprise leaders are major culprits - CIO, 2026-01-29