When employees find the path the organization failed to design in time
This article was triggered by something I recently read about what is now called Shadow AI: the use of artificial intelligence tools inside companies and organizations without formal approval, without clear rules and, very often, without real visibility from management or IT.
The more I thought about it, the less unfamiliar it felt. In fact, it reminded me of something I have seen again and again over the years, in almost every company, organization or working environment I have dealt with: Excel.
Not Excel as a simple office tool, but Excel as a parallel system. An unofficial database, a report, a CRM, a project-tracking tool, a customer list, a financial model, a repository of information and, quite often, the real version of truth that did not exist inside the official system.
Organizations had ERP systems, CRM platforms, dashboards, portals, workflows, internal procedures and expensive software. But when real work had to be done quickly, when the official system did not cover the need of the day or when changing it required time, approvals and budget, someone opened an Excel file and moved forward.
Not necessarily because Excel was the right solution. Because it was the available solution. It was there, it was fast, it was understandable and it did not require a ticket, a vendor, a requirements analysis or three months of waiting.
That is how, in many organizations, Excel became the unofficial operating system of the enterprise. Not because someone designed it that way, but because reality found its own path.
Today, the same thing is happening again. Only this time, Excel is called artificial intelligence.
Shadow AI is not surprising
I am not surprised that employees use AI tools without waiting for official approval from their company. I do not say this to justify it blindly, nor to underestimate the risks. I say it because it is completely predictable.
When an employee has to handle dozens of emails, reports, presentations, meeting notes, translations, customer replies, internal documents and constant demands for speed and quality, it is almost certain that they will use a tool that helps them. Not necessarily because they want to bypass the organization, but because they want to get their work done.
They did the same thing with Excel. They did the same thing with personal USB drives, personal email accounts and messaging apps that were not officially approved but were used because they were practical. The same pattern repeats itself with every technology that enters real work before it enters policy manuals.
This is where many organizations make their first mistake. They treat Shadow AI as a problem of disobedience, as if employees simply woke up one morning and decided to operate secretly against the company.
In reality, in most cases, Shadow AI is not born out of disobedience. It is born out of a gap. A gap in tools, a gap in policy, a gap in training, a gap in organization and, quite often, a gap in understanding the real daily work of the people inside the organization.
And when there is a gap, someone will fill it. If the organization does not fill it properly, employees will fill it themselves.
Prohibition is the easy illusion
The easy answer to these phenomena is always the same: prohibition. ChatGPT is forbidden, Claude is forbidden, public AI tools are forbidden, uploading company data is forbidden, using personal accounts is forbidden.
In many cases, caution is absolutely necessary. No one should be placing personal data, customer information, contracts, financial data, source code, trade secrets or internal strategy documents into any tool they happen to find online. That is not productivity. It is risk.
But prohibition alone does not solve the problem. It simply pushes it into the shadows. And that may be even more dangerous, because when something is visible, you can organize it, control it and correct it. When something is invisible, you simply hope it is not happening.
And hope is not a strategy.
If a company simply says “do not use AI”, without explaining, without training, without offering a safe alternative and without understanding why people are turning to these tools in the first place, then it is not controlling the situation. It is pretending to control it.
We have seen this before. We saw it with Excel, when companies had official systems but critical files were circulating in spreadsheets. We saw it with email, with messaging apps, with every tool that was used because it served real work better than the official process.
Technology almost always moves faster than organization. The real question is how quickly organization becomes serious enough to respond.
Neutrality is not always a virtue
I usually try to examine things calmly. I do not like easy reactions, and I do not believe that every new technology is either salvation or destruction. Artificial intelligence needs neither worship nor fear. It needs understanding.
But examining things calmly and objectively does not mean refusing to take a position. Especially when something is obvious, or when others prefer not to say it clearly.
And here something is obvious: employees will use artificial intelligence. They already do. Maybe not all of them, maybe not correctly, maybe not safely, but they do use it and they will continue to use it.
So the question is not whether AI will enter the enterprise. It already has. The real question is whether it will enter in an organized or uncontrolled way, with rules or in the shadows, with training or improvisation, with responsibility or ignorance, with a secure environment or with personal accounts and copied data in tools no one controls.
This is where we need to take a position. The answer is neither panic nor naivety. The answer is serious organization.
The real problem is lack of organization
Shadow AI reveals something deeper than artificial intelligence itself. It reveals how unprepared many organizations are to manage the way work is changing.
It is not enough to buy a tool. It is not enough to send a memo. It is not enough to hold a generic seminar and say that training has been completed. It is not enough to place the word AI inside a strategic presentation.
Something much simpler and much harder is required: organizations must genuinely organize its use.
That means informing people, training them, explaining what they can do and what they must not do, showing examples from their actual work, giving them a secure environment and rules they can understand. Not only telling them what is forbidden, but explaining why it is forbidden.
Because if employees do not understand the risk, policy is just another file no one reads. And if the approved tool is harder to use than the unofficial one, the company is simply pretending to have solved the problem. It has not solved it. It has moved it elsewhere.
AI training cannot be generic
There is another mistake I can already see coming. Many companies will offer “AI training” in the same way they have offered many other trainings in the past: a generic presentation, a few impressive examples, some terminology, a warning about data, a few references to prompts and then everyone returns to their daily work.
That is not enough.
AI is not used in the same way by everyone. Accounting has different needs. HR has different needs. Sales has different needs. Customer support has different needs. Developers have different needs. Management has different needs. Someone writing proposals has different requirements from someone handling personal data, and both have different requirements from someone working with technical documents or contracts.
Training must be practical and connected to real work. The question is not simply “what is artificial intelligence?” The right question is: how can I use it in my own work without exposing the company, the customer or myself?
Which data should never be placed into an AI tool? When should I ask for approval? How do I check the output? When should I not trust it? Who is responsible for the final text, the final decision, the final answer?
AI can help a lot. But it does not remove human responsibility. That has to be said clearly.
AI is not a magic box
One of the biggest problems with artificial intelligence is that it is often presented almost like magic. You ask, it answers. It writes, summarizes, suggests, organizes, translates and creates. And because it does all of this with confidence, many people forget that it can be wrong.
It can give a convincing wrong answer. It can omit a critical detail. It can invent things. It can reproduce bias. It can generate a text that looks correct but has not been verified.
It can make an employee better. But it can also make that same employee stop thinking, if it is used without judgment.
That is why training should not be only technical. It must also be training in judgment. How do you check, question, verify and understand when an answer is useful and when it only sounds good?
Artificial intelligence can accelerate work. It must not replace responsibility.
The approved tool must be better than the unofficial one
If a company truly wants to reduce Shadow AI, it must stop thinking only in terms of prohibition. It must offer a better alternative.
If the approved tool is slow, difficult, limited or practically useless for real work, employees will return to the unofficial one. This is not theory. It is the same story we have seen in every technological change.
People do not always use the tool that was approved. They use the tool that helps them.
So if we want to bring AI out of the shadows, the official environment must actually be useful. Secure, but not paralyzed. Controlled, but not useless. Organized, but not bureaucratic. It must protect the company without preventing work from happening.
That is the difficult part. But that is also the real goal.
Shadow AI is a mirror
For me, the most interesting thing about Shadow AI is not the tool itself. It is what it reveals.
It reveals the distance between the official image of an organization and the way it actually works. It reveals whether processes help or obstruct. It reveals whether management understands how its people work. It reveals whether technology has been designed around work or whether work is forced to fit around technology.
And this is not only about AI. It was always about Excel too. Because Excel, in many cases, was not just a tool. It was proof that the official system was not enough.
Shadow AI is the same. It is not merely a security problem. It is a comment on how the organization works. And that comment is not always flattering.
The new Excel is not waiting for anyone’s approval
Excel did not become the unofficial operating system of enterprises because someone approved it strategically.
It became that because people had work to do.
The same thing is now happening with artificial intelligence.
It will not wait for the perfect policy, the ideal committee, the complete governance framework or the next management presentation.
It will be used because it is useful.
And when something is useful, it finds a way.
So the question is not whether companies will allow AI. In many ways, that question is already late.
The real question is whether they will understand in time how it is being used, by whom, for what purpose and with what risk.
Because real work has a way of moving beyond organizational charts.
In the past, it did that with an Excel file no one knew who updated, but everyone trusted.
Today, it does it with an AI tool no one approved, but many already use.
And perhaps this is the most honest message of Shadow AI:
employees do not always wait for the organization to design the future of work.
Sometimes they start it themselves.
The question is whether the organization will continue discovering it after the fact.



