Shadow AI: The Unapproved Tools Your Staff Are Already Using

Shadow AI is the unapproved use of artificial intelligence tools by your staff — pasting company data into ChatGPT, running client calls through a free transcription app, installing a browser AI extension — without IT knowing or approving it. It is happening in your business right now, whether you have a policy or not.

The instinct is to ban it. That fails. This post covers what shadow AI actually looks like, the real risks, how to find what is already in use, and how to give staff a safe option instead of a locked door.

What shadow AI actually is

Shadow AI is the AI cousin of shadow IT — staff using software the business never sanctioned. The difference is that AI tools are free, browser-based, genuinely useful, and they ingest whatever you feed them. That makes adoption fast and the data exposure quiet. In a typical Melbourne SME it shows up as:

  • Public chatbots — staff pasting contracts, client emails, financials or source code into the free tiers of ChatGPT, Google Gemini or Claude to summarise, rewrite or debug.
  • Free transcription tools — meeting bots that join Teams or Zoom calls and quietly record and transcribe board meetings, HR discussions and client briefings to a third-party server.
  • Browser AI extensions — Chrome and Edge add-ons that promise to “summarise this page” while reading everything on screen, including data inside your line-of-business apps.
  • AI features bolted onto consumer apps — note-takers, design tools and PDF readers that have added an AI feature most users never think twice about.

None of this is malicious. It is a marketing manager hitting a deadline, an accounts clerk speeding up a reconciliation, a salesperson who wants their call notes written for them. The intent is fine. The data trail is the problem.

The real risks

The risks are concrete, and several carry legal weight in Australia.

Confidential and customer data leaving the business

When someone pastes a client list, a draft contract or a spreadsheet of personal details into a public AI tool, that data has left your control. On free and consumer tiers you generally have no contractual data-handling guarantees, no Australian data residency, and limited ability to demand deletion. Once it is out, it is out.

Your data becoming training data

Several consumer AI services reserve the right to use submitted content to improve their models unless you are on a paid plan that explicitly opts out. A confidential prompt today could influence an answer given to a stranger tomorrow. For a law firm, an accountant or anyone handling commercial-in-confidence material, that is a genuine professional problem.

Intellectual property and privacy breaches

Feeding proprietary code, product designs or unpublished strategy into an external tool can weaken your claim over that IP. More seriously, if the data includes personal information — names, contact details, health or financial records — you are likely engaging the Privacy Act 1988 and the Australian Privacy Principles, which require reasonable steps to protect personal information and to control offshore disclosures. A staff member uploading a customer database to a US-hosted chatbot can put you on the wrong side of those obligations, and a serious breach is reportable to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme.

Inaccurate output, trusted blindly

The risk that gets least attention is the most common in practice. AI tools produce confident, fluent answers that are sometimes wrong — fabricated case citations, invented figures, misremembered policy. When staff paste that output straight into client advice, a board paper or a compliance document without checking it, the error is now yours. The tool does not sign off on the work; your business does.

Why banning it outright fails

The first reaction from a nervous business owner is “block all of it”. It does not work, for three reasons.

First, the tools are too accessible. You can block a domain on the corporate network, but staff will use their phone, home laptop or personal browser profile. You have not removed the risk; you have just lost sight of it.

Second, AI genuinely makes people faster and your competitors are using it. A blanket ban tells your best people the business is behind, and they will route around it.

Third, a ban with no sanctioned alternative guarantees the worst outcome: people still use AI, but only the unmonitored consumer versions, because you gave them nothing else. The goal is not zero AI. It is governed AI — the same logic that underpins sensible cyber security everywhere else.

How to discover what is already in use

You cannot govern what you cannot see, and most businesses have no idea how deep shadow AI already runs. Three practical ways to find out:

  • SaaS and cloud app discovery (CASB) — a Cloud Access Security Broker, or the app-discovery capability in Microsoft Defender for Cloud Apps, inventories which cloud services staff sign into and ranks them by risk. The fastest way to see that thirty people are logging into AI tools you never approved.
  • Network and DNS logs — your firewall and DNS resolver already record outbound connections. Filtering for known AI domains shows traffic volume and which devices generate it, even before you have a CASB in place.
  • Conversations — the most underrated method. Ask teams, without blame, what AI tools they use and why. People are usually happy to tell you, because they do not see it as a security issue. That honesty tells you where to provide a safe option.

A construction firm in Box Hill we work with ran exactly this exercise. A discovery scan plus a few honest conversations turned up four AI transcription tools quietly joining site-coordination meetings, and two project managers pasting subcontractor agreements into a public chatbot to summarise variations. Nobody was acting in bad faith. They simply had no sanctioned tool and no rule telling them where the line sat.

Building a sane AI position

The fix is a short, clear acceptable-use position backed by a real alternative — not a 40-page policy nobody reads.

A short acceptable-use position

Write a one-page AI acceptable-use statement that answers the questions staff actually have: which tools are approved, what data must never go into a public tool (client personal information, financials, contracts, anything under NDA), and that AI output must be checked by a human before it is used in client work. A policy people understand is worth ten they ignore.

Provide a sanctioned, safe option

This is the part most businesses skip, and the part that makes the policy stick. Give staff an enterprise-grade AI tool with proper data protections — most commonly Microsoft 365 Copilot, which operates inside your tenant, respects existing permissions, and does not use your prompts to train public models. When people have a fast, sanctioned tool that works, the pull towards consumer apps drops sharply.

The catch is that Copilot surfaces anything the asking user can already reach, so loose permissions become a liability the moment you switch it on. That is why governance comes first, and why conditional access policies matter for controlling which devices and users can reach these tools at all. The data-governance groundwork sits alongside the rest of your Microsoft 365 setup.

The governance and DLP layer

A policy tells people what to do; technical controls back it up when they forget. This is the AI data governance layer, and for Microsoft 365 businesses it largely lives in Microsoft Purview.

Two Purview capabilities do most of the work:

  • Sensitivity labels — tagging documents as Confidential or Highly Confidential, with encryption on the top tier, so the most sensitive data is marked and protected before any AI tool can touch it.
  • Data Loss Prevention (DLP) — rules that detect sensitive content (Tax File Numbers, Medicare numbers, credit card numbers, client records) and warn or block when someone pastes or uploads it to an unsanctioned destination. Endpoint DLP extends that to the browser and clipboard, which is precisely where shadow AI lives.

Start DLP rules in audit-only mode for a fortnight, tune out the false positives, then move the high-risk ones to block. Turn everything to block on day one and you will have the finance team locked out of legitimate work by Tuesday.

ConcernConsumer AI (free tier)Sanctioned enterprise AI
Data residency / controlUsually offshore, no guaranteesInside your tenant, contractual terms
Used to train public modelsOften, unless opted outNo
Respects existing permissionsNo concept of themYes
AuditableNo visibilityLogged via Purview audit
DLP enforceableNoYes

Staff training closes the loop

Tools and policies fail without the why. A thirty-minute session showing real examples — what happens to a contract pasted into a free chatbot, why the transcription bot in the board meeting is a problem, how to use the sanctioned tool instead — changes behaviour far more than a signed policy ever will. The message is not “AI is dangerous, stop”. It is “AI is useful, here is how we use it safely”. Train people to treat AI output as a draft to verify, never a finished answer.

Frequently asked questions

Is using ChatGPT at work illegal in Australia?

Using it is not illegal. The risk is what you put into it. If staff feed personal information into a public AI tool, you may breach the Australian Privacy Principles, particularly the rules on protecting personal information and disclosing it overseas. A serious breach can trigger reporting obligations to the OAIC. The tool is fine; uncontrolled data going into it is the problem.

Does Microsoft 365 Copilot solve the shadow AI problem?

It removes most of the pull towards consumer tools by giving staff a fast, sanctioned alternative that keeps data inside your tenant. It does not replace governance. You still need sensitivity labels, sensible permissions and DLP, because Copilot surfaces whatever the user can already access. Provide the safe tool and govern the data underneath it.

What is the first thing we should do about shadow AI?

Find out what is actually in use. Run a SaaS discovery scan or check your DNS logs, and have a few honest conversations with staff. You cannot write a sensible policy or pick the right sanctioned tool until you know what problem people are solving and which tools they have reached for.

Where to start

Shadow AI is not a reason to panic, and certainly not a reason to ban a technology your staff find useful. It is a reason to look. Find out what is in use, write a one-page position people will follow, give them a safe enterprise tool, and back it with Purview labelling and DLP. That sequence — discover, sanction, govern, train — turns an invisible risk into a managed one.

TechAssist has run Microsoft 365 and security for Melbourne SMEs since 2014, with thirteen Australian-employed engineers and a 24/7 NOC in Tecoma. If you would like a hand finding what is in use and putting a sane AI position in place, get in touch with TechAssist. We will tell you plainly what is happening, what to allow, and what to lock down.

Shadow IT Discovery: Finding the SaaS Tools Your Staff Bought on a Credit Card

The average 50-person Melbourne SME has 60 to 80 SaaS apps in use. Finance can see maybe 15 of them. The rest were signed up to by individual staff on free trials or personal credit cards. The fix is discovery, triage and a clear sanctioning path, not a memo telling people to stop.

Why shadow IT happens (and why blaming users is the wrong move)

Before we talk discovery, it is worth being honest about why shadow IT exists. Three reasons account for almost all of it.

The first is speed. The official process for getting a new SaaS tool approved at most Melbourne SMEs is “raise a request, wait two weeks, get told no”. Trello is free. Notion is free. Calendly is free. ChatGPT is free. A salesperson who needs to send a polished proposal to a prospect by Friday will not wait two weeks. They will sign up for the free tier on Wednesday and put the paid upgrade through their personal card if the trial expires before they have proven the case for an official tool.

The second is feature gaps. Microsoft 365 is excellent at a lot of things and mediocre at a few. Planner is not Trello. Forms is not Typeform. SharePoint document collaboration is not Notion. When the official toolset has a feature shaped hole, staff fill it from outside. The accounting firm we audited last quarter had three separate Notion workspaces precisely because nobody could agree whether SharePoint or Teams was the right place to do running notes.

The third is autonomy. Department heads — particularly in sales and marketing — often have their own budget and the authority to spend it. They are not breaking any rules when they sign up to HubSpot, Mailchimp, Canva Pro or Loom. They are exercising the budget authority they were given. IT only finds out when something integrates badly with the core stack, or when the credit card runs through to finance.

The right framing is: shadow IT is a signal that your official tooling is missing something. Treat it as feedback, not as misbehaviour.

The actual cost of unsanctioned SaaS

Shadow IT is not free for the business. It costs in five distinct ways.

Direct duplication. Three different teams each paying $50 a month for the same tool because none of them knows the others have it. We have audited Melbourne SMEs that were paying for Slack, Microsoft Teams, Google Chat and Discord simultaneously. None of the leaders knew about all four.

Data exposure. Client data in unmanaged tools the business has no idea exists, with no DLP, no retention policy, and no offboarding when the staff member leaves. The Notion workspace tied to someone’s personal email survives their departure indefinitely unless someone goes looking.

Compliance failure. The Australian Privacy Act obligations apply to personal information regardless of which SaaS tool the staff member chose to store it in. The fact that the tool was not sanctioned by IT is not a defence. The 2024-25 amendments tightened the breach notification and accountability requirements specifically here.

Integration risk. Every shadow tool that connects to Microsoft 365 via OAuth gets a slice of access to your tenant. Most of them are fine. Some of them are not. There is a non-trivial number of “free productivity apps” with read access to mailbox content.

Exit friction. When a senior staff member leaves and they have been the de facto owner of three shadow SaaS tools the rest of the team relies on, you are now in the position of either paying ransom to get the data out, or rebuilding the institutional knowledge from scratch.

Four discovery methods that actually work for SMEs

You do not need to buy a Cloud Access Security Broker for $40,000 a year to find your shadow IT. There are four cheap and effective methods, and the right answer for most Melbourne SMEs is to run all four sequentially.

Method 1: Microsoft Defender for Cloud Apps (if you have it)

If you are on Microsoft 365 E5, Defender for Cloud Apps is built in. If you are on Business Premium, it is not, but the related “Cloud Discovery” features in Microsoft Defender for Endpoint give you a surprisingly useful subset. Both work by analysing endpoint and firewall logs for outbound connections to known SaaS providers, then producing a discovery report that maps which staff are using what.

The first run of this against a tenant is always sobering. We ran it for a 70-person legal firm in Richmond and the discovery report identified 137 distinct cloud services in use, of which the firm had formally sanctioned 12. The rest broke down into “harmless free tools nobody minds” (about 80), “duplicates of things we already pay for” (about 20), “things that should probably be replaced” (about 15), and “wait what is this” (about 10).

Defender for Cloud Apps gives you a risk score per service based on a published catalogue of about 30,000 cloud apps with their compliance and security attributes. That risk score is a useful starting point for triage but should not be treated as the final word.

Method 2: Expense report keyword scan

This costs nothing. Export the last twelve months of corporate card transactions and personal expense reimbursements. Scan for the obvious keywords: Notion, Trello, Asana, Monday, Loom, Calendly, Canva, HubSpot, Mailchimp, ChatGPT, Anthropic, OpenAI, Zapier, Make, Airtable, Slack, Zoom, Lucidchart, Miro, Figma, Dropbox, Google. Add any local Australian SaaS providers relevant to your industry.

This catches everything that has gone through finance — which is roughly two-thirds of all shadow IT, in our experience. The expense report scan is fast, cheap, and produces a list with names attached, which is the part that makes the conversation possible. A salesperson cannot deny they signed up to HubSpot when the $80 a month is on their May expense report.

We did this exercise for a Geelong construction firm and the keyword scan caught more shadow SaaS than the Defender for Cloud Apps discovery did, because so much of the spend was on personal cards being expensed back.

Method 3: Browser extension audit

If your staff use Chrome or Edge on managed devices, the installed extensions list is a goldmine of shadow tooling. Grammarly, Loom, Asana, Notion Web Clipper, ChatGPT extensions, password manager extensions that are not the corporate one, screen recorders, AI writing assistants — they all show up.

This is also where you find the genuinely risky stuff. There is a long tail of malicious browser extensions that survive on the Chrome Web Store for weeks at a time before being pulled, often with names that look like productivity tools. An extension audit catches these and is also a chance to enforce an allowlist via Microsoft Edge for Business or Chrome Enterprise policies.

For Melbourne SMEs on Microsoft Intune, this is a one-page report. For unmanaged endpoints it requires a walk-the-floor approach, which is part of why endpoint management matters.

Method 4: Microsoft 365 OAuth consent report

This is the one most people miss. Every time a staff member clicks “Sign in with Microsoft” on a third-party SaaS app, that app gets an OAuth token to access some scope of their Microsoft 365 data. The list of apps with active OAuth consent against your tenant lives in the Entra admin centre under Enterprise Applications, and is usually astonishing the first time someone looks.

We did this for a Camberwell architecture firm and found 89 third-party applications with active OAuth consent against their tenant, including three that had been granted “read all mail” scope — one of which was a free email tracking tool an account manager had signed up to in 2022 and forgotten about. That OAuth grant survived their staff turnover and was still active two years later.

The OAuth consent report is also where you find the AI integrations. ChatGPT plugins, Anthropic Claude connections, Zapier OAuth grants, all the new wave of AI productivity tools that are wiring themselves into Microsoft 365. None of them are inherently malicious. All of them deserve to be looked at.

The four-bucket triage: sanction, replace, retire, ignore

Once you have a discovery list, every item goes into one of four buckets. The bucket determines the action. This is the framework we use with every Melbourne SME shadow IT engagement.

BucketWhat it meansActionTypical examples
SanctionGenuinely useful, no reasonable alternative in the existing stack, acceptable risk profileBring under IT management, move billing to the corporate card, document data classification, set up offboarding workflowSpecialist design tools, niche industry apps, accepted general productivity tools (Calendly, Loom)
ReplaceDuplicates a capability the business already pays for elsewhereMigrate users to the official tool, cancel the shadow subscription, set a hard dateTrello when the org pays for Planner, Dropbox when the org pays for OneDrive, Slack when the org pays for Teams
RetireGenuinely risky, dormant, abandoned, or actively dangerousRevoke OAuth grants, contact provider for data export, then deleteForgotten OAuth grants from 2022, malicious browser extensions, abandoned personal accounts holding client data
IgnoreLow risk, low cost, low value to act onNote it, move on, do not waste cyclesFree productivity tools with no data sharing, personal-use tools, ad-hoc utilities

The ignore bucket is important. The temptation in shadow IT projects is to try to bring everything under formal control, which is both impossible and counterproductive. If a salesperson has Grammarly installed on their personal browser profile and uses it occasionally, that does not need to be on a vendor management register. Pick your battles.

Case study: a Melbourne accounting firm with three Trellos

A mid-sized accounting firm we work with — about 60 staff across two offices, including one in South Yarra — asked us to run a shadow IT discovery exercise in mid-2025 because their cyber insurer had started asking pointed questions about SaaS inventory at renewal. The findings were instructive.

The expense report scan turned up three separate Trello accounts run by three different teams. None of the teams knew the others had one. Each was paying $13 per user per month for the standard tier. The combined annual spend was $14,400, and the equivalent functionality was already available in Microsoft Planner and Loop, which were included in their existing M365 Business Premium subscription.

The OAuth consent report identified two Notion workspaces with active access to mailbox content. One was being actively used by the marketing team; the other belonged to a partner who had set it up in 2023 to draft a strategy document and then forgotten about it. The forgotten one still had read access to his mailbox via OAuth.

Most concerning, the browser extension audit identified a competitor’s project management tool — a SaaS aimed at accounting firms specifically — installed by a junior accountant on her work laptop. She had been adding live client data into it as a personal productivity tool because she found it easier than the firm’s official practice management software. The client data exposure was real, the staff member’s intent was harmless, and the underlying problem was that the official tool was genuinely worse than the alternative she found.

The triage outcome: Trellos consolidated and replaced with Planner over six weeks. The active Notion workspace was sanctioned and brought under IT management with proper offboarding workflow. The forgotten one was retired and OAuth revoked. The competitor tool was retired, the data was migrated out and into the firm’s official system, and the practice management software was put on the roadmap for replacement because the staff feedback was now formally on the table. None of this would have happened without the discovery exercise.

Building a sanctioning path so this does not happen again

Discovery is the first step. The longer-term fix is to build an internal path for staff to legitimately request new SaaS tools, with a turnaround time fast enough that they do not need to go around it. Three principles.

Time-box the approval. Five business days from request to yes/no. Longer than that and people will revert to shadow IT. The five-day commitment is enforceable if the assessment is structured: data classification, vendor security posture, integration impact, cost. A senior engineer can usually run this in two hours.

Pre-approve common categories. Maintain a list of SaaS categories where any tool from a pre-approved shortlist can be self-served by staff. Design tools, video conferencing, scheduling tools — none of these need a full assessment every time someone wants to use one. The shortlist gets reviewed quarterly.

Make rejection mean something. If you say no to a tool, you owe the requester either an alternative that meets their need or a clear explanation of why the problem cannot be solved that way. “No” without context is what drives staff into the shadow IT cycle. Co-managed IT models often work well here because they give internal IT the capacity to run this assessment without becoming the bottleneck.

The role of identity and conditional access

Shadow IT discovery is closely related to the broader identity story. The more you centralise authentication through Microsoft Entra ID, the more visibility you get over what is connected to your tenant. Tools that require staff to create separate accounts with personal email addresses are inherently invisible; tools that integrate via “Sign in with Microsoft” show up in the OAuth consent report.

Conditional Access policies can be configured to require admin consent for any new third-party application requesting Microsoft 365 data access, which closes the OAuth-grant-from-2022 problem at the source. This is one configuration change, takes about thirty minutes, and stops new shadow IT from accumulating in that specific way. We make it a standard part of the cybersecurity baseline for every new client tenant we onboard.

The trade-off is that admin consent becomes a queue you have to service. If the queue is slow, staff will route around it. Five business days, again.

What this costs to fix

For a typical 50-person Melbourne SME, a complete shadow IT discovery and triage engagement runs four to six weeks of elapsed time and one to two days of senior engineer effort. The deliverables are: an inventory of cloud services in use, a triage report with recommended actions per service, a remediation plan for the high-risk items, and a sanctioning workflow design for ongoing requests.

The hard-dollar return varies but is almost always positive. The Geelong construction firm saved $9,400 a year in duplicate SaaS subscriptions identified during discovery. The Richmond legal firm saved closer to $22,000 because they had been paying for three project management tools and four file-sharing tools simultaneously. The South Yarra accounting firm broke even on direct cost but eliminated a real data exposure that would have been a notifiable breach if it had been discovered later.

The softer return — the reduction in compliance risk, the cleaner OAuth surface, the ability to answer “what SaaS tools do you use” honestly on an insurance renewal — is harder to put a number on but matters more.

How TechAssist runs shadow IT discovery

We treat shadow IT discovery as a structured engagement, not an ongoing service. The work is intensive for four to six weeks and then transitions into a steady-state sanctioning process that internal stakeholders can run themselves with our support.

Founded in 2014, we have 13 Australian-employed engineers and a 24/7 NOC in Tecoma. Our two offices — Tecoma and 575 Bourke Street CBD — let us run on-site sessions for Melbourne metro clients on the same business day where the discovery work needs human follow-up. We are Essential Eight aligned and ISO 27001 capable, which matters when the deliverable from the engagement needs to land in front of an auditor or cyber insurer.

We have run shadow IT engagements for clients in construction, manufacturing, logistics, law firms, accounting firms and healthcare. The methodology is broadly similar; the specific tools that show up vary wildly by industry. A construction firm’s shadow IT is almost entirely site-management apps and free file-sharing tools. A law firm’s is document collaboration and AI drafting tools. A healthcare provider’s is patient communication platforms — which is where the regulatory stakes get serious.

Frequently Asked Questions

Is shadow IT really a security problem or just an IT housekeeping issue?

Both, depending on which tool. A free Calendly account with no client data in it is housekeeping. A Notion workspace holding client matter notes with OAuth access to a partner’s mailbox is a security problem. The point of discovery and triage is to tell the difference and act accordingly.

Can we just ban shadow IT outright?

You can write a policy that says so, but you cannot enforce it without either heavy egress controls (which most SMEs find impractical) or a fast sanctioning process (which most do not have). The realistic answer is “discover, triage, sanction the useful, retire the risky, build a fast path for new requests so people use it”.

How often should we run a discovery exercise?

The first run is the big one. After that, an annual refresh combined with a quarterly OAuth consent review is enough for most Melbourne SMEs. If your business is going through rapid headcount growth or a significant tooling change, run discovery more often.

Do free SaaS tools count as shadow IT?

Yes. The pricing is irrelevant to the risk assessment. A free Trello account with client tasks in it is the same data exposure problem as a paid one. The triage matters more than the cost.

What about staff using their personal ChatGPT account for work?

This is the 2026 version of the shadow IT problem and it deserves its own conversation. Personal AI accounts in use for work tasks need to be either replaced with sanctioned enterprise alternatives (Microsoft 365 Copilot Chat, ChatGPT Team, Anthropic Claude Team) or actively prohibited. The middle ground — “just be careful” — does not work because there is no audit trail.

Should we tell staff we are running discovery?

Yes. Transparency makes the exercise work better. Staff who know discovery is happening volunteer information that the technical methods would not have caught. Frame it as “we want to make sure the tools you need are properly supported”, not as “we are looking for who broke the rules”.

What to do this week

Pick one of the four discovery methods and run it. The expense report scan is the easiest starting point and requires nothing more than a spreadsheet and an hour. The OAuth consent review is the second easiest if you have Microsoft 365 admin access. Both will turn up enough to justify a broader conversation.

Whatever you find, do not lead with blame. Lead with curiosity. The staff who signed up for these tools were trying to do their jobs. The fix is to build a system where doing their jobs and following the rules are the same thing.

If you want a hand running a structured shadow IT discovery and triage across your Melbourne business, get in touch. We will tell you what is worth fixing and what is not.

Ready to Make IT Your
Competitive Advantage?

Book a free consultation with our team. No pressure, no jargon — just a clear-eyed look at where you stand and what's possible.