How big is your shadow AI economy, and who owns it?

A dim corporate office at night with rows of empty desks, each monitor glowing faintly, suggesting AI activity running unattended and unseen after hours.

Most of the AI running inside a company today is unsanctioned, unmeasured, and invisible to finance and the board. Two reports this week reframe the shadow AI economy from an IT hygiene issue into a board-level question about risk, spend, and ownership.

TLDR

Most of the AI running inside a company today is unsanctioned, unmeasured, and invisible to finance and the board. That off-the-books activity has a name now, the shadow AI economy, and two reports out this week reframe it from an IT hygiene issue into a board question about risk, spend, and ownership. The move that works is visibility plus a fast sanctioned path, not a ban.

I read two things this week that belong in front of every board. The first, a July 2 analysis from Larridin, put a number on something most executives feel but cannot prove: 45% of AI adoption inside the average company is happening entirely outside IT’s line of sight. The second, a Forbes piece the same day by Gigamon chief executive Shane Buckley, added the part that stings. Only 13% of organizations believe they have adequate governance over the AI agents already running in their environment. Read those together and a quiet fact gets loud. Your company is running a second AI operation that nobody approved, nobody budgeted, and nobody can currently see.


What a shadow AI economy actually is

The phrase is not mine. It comes from an MIT study last year, Project NANDA’s State of AI in Business, which found that people at more than 90% of companies were using personal AI accounts for daily work while only about 40% of those same companies had bought an official model subscription. In plain terms, the real adoption curve had already happened. It just happened on personal logins and phones, not on the sanctioned stack the CIO presented to the board.

That gap is the shadow AI economy. And here is what makes it a governance matter rather than a curiosity: the shadow version often works better than the approved one. Employees are not being reckless. They are being efficient. Shadow AI is what happens when a company hands 200 smart people a slow tool and a fast tool, then acts surprised when they reach for the fast one.

The two AI operations inside one company (MIT Project NANDA, 2025)
OperationShare of companies
Official, sanctioned LLM subscription~40%
Employees using personal AI accounts for work90%+

The problem is not the productivity. The problem is that most of it sits off the books. The spend lands on personal cards and scattered expense lines, so finance understates it. The data exposure never reaches the risk register, so the audit committee understates it. And the capability, the actual work AI is doing, rarely makes it into the story leadership tells investors, so the board understates that too.


Three questions the board will ask about unsanctioned AI

When this lands on the agenda, and it will, three questions come up every time.

First, how much of it is there? The honest answer is that most leadership teams do not know yet, and that is a finding, not a failure. Saviynt’s 2026 CISO AI Risk Report found that 75% of security leaders had already discovered unsanctioned AI tools running in production, and 86% admitted they do not enforce access policies for those AI identities at all.

"75% of organizations in Saviynt's 2026 CISO AI Risk Report have already discovered unsanctioned shadow AI tools running in production."

Larridin, "Shadow AI Is No Longer Just an IT Problem," July 2, 2026

If three quarters of peers have already found shadow AI in production, the safe assumption is that it is running here too.

Second, what is it touching? This is the one that deserves attention. A PagerDuty survey this spring found that 66% of professionals had used AI at work despite believing it was against policy, and a meaningful share had fed real material into public tools: work correspondence, customer data, financial documents. That is not a hypothetical breach. That is source material leaving the building, one helpful prompt at a time. IBM’s breach research put a price on the consequences: organizations with high shadow AI saw roughly $670,000 in added breach costs.

Third, who owns it? This is where a board earns its keep. Shadow AI has no natural owner because it lives between functions. Security sees a threat surface. Finance sees untracked spend. Legal sees a disclosure question. HR sees a policy nobody follows. When no single executive owns the number, it stays a shadow.

Key Insight

The board's job is not to answer these three questions in the meeting. It is to make sure one named person leaves the meeting owning them.


Why a ban makes the shadow economy bigger, not smaller

The reflex, when leaders first see these numbers, is to shut it down. Block the tools, issue the policy, move on. It feels like control. It is the opposite.

A ban does not remove shadow AI. It removes your ability to see it.

The usage does not stop when the approved tool disappears, because the work still needs doing and the free tool still works. It just moves further underground, onto personal devices and accounts no logging will ever reach. The companies getting calmer about this are treating the shadow economy as free market research into which AI actually helps, then building a sanctioned fast path good enough that people stop needing the unsanctioned one. Visibility first, then a better default, then policy. In that order.

13%
of organizations believe they have adequate governance over the AI agents already running (Gigamon, Forbes, July 2026)

The sixty-second shadow AI brief for the board

If there is a minute at the next meeting, say this. We run two AI operations. One we approved and can see. One we did not and cannot. The second is bigger, and right now it carries most of our real usage and most of our unmeasured risk. We are not going to ban our way out of it, because a ban only pushes it deeper. We are going to make it visible, give people a fast sanctioned path so the shadow one loses its pull, and put one named owner on the number by next quarter.

Where the shadow AI economy goes from here

Two things are worth watching. The visibility spend is about to climb: Buckley’s Forbes piece noted that 93% of organizations have already bought new detection tooling, yet 41% report that breaches are taking longer to detect, not shorter. Buying tools is not the same as seeing. And the agent count is rising fast. Gartner’s estimate, cited in the same piece, is that the average Fortune 500 firm will run more than 150,000 AI agents within two years. A shadow economy of chatbots is a policy problem. A shadow economy of 150,000 agents holding credentials is a different animal. The teams that will be calm about it a year from now are the ones that started counting this quarter.

Sources

  1. Shadow AI Is No Longer Just an IT Problem - Larridin, 2026-07-02
  2. The AI Visibility Gap Driving The Rise Of AI Ops - Forbes Technology Council, 2026-07-02
  3. 2026 CISO AI Risk Report - Saviynt via Cybersecurity Insiders, 2026-01-24
  4. The 'shadow AI economy' is booming: Workers at 90% of companies say they use chatbots - Fortune (MIT Project NANDA, State of AI in Business 2025), 2025-08-19
  5. Shadow AI Is Happening Within Your Organization (2026 Shadow AI Survey) - PagerDuty / Wakefield Research, 2026-06-11
  6. Cost of a Data Breach Report - IBM, 2025-07-30

Back to all insights