News & Blogs

Shadow AI: A Critical and Accelerated Risk for Internal Audit

Global · · internalaudit360.com

Shadow AI, the unauthorized use of generative and agentic AI tools by employees, presents a significantly accelerated and more opaque risk than traditional shadow IT. Internal auditors must prioritize understanding and mitigating these risks, which include data leakage, compliance failures, cybersecurity vulnerabilities, and operational decision-making errors, to safeguard organizational data and maintain regulatory adherence.


The Emergence and Escalation of Shadow AI Risks

Shadow AI represents a new frontier of risk for internal audit, evolving from the familiar challenges of shadow IT but with amplified speed, opacity, and potential impact. Employees are increasingly leveraging generative AI tools for tasks like drafting, summarization, and coding, often without the knowledge or approval of IT, compliance, or risk management. This unauthorized usage, driven by perceived productivity gains, creates significant control gaps. Unlike shadow IT, which often required software installation, shadow AI operates primarily through browser sessions, leaving minimal digital traces and making detection more difficult. Surveys indicate a substantial lack of visibility into employee AI usage within organizations, with many struggling to establish formal AI governance frameworks.

The risks associated with shadow AI are not theoretical. Real-world incidents, such as a Disney employee inadvertently facilitating a data breach through malware embedded in an AI art program, and Samsung engineers exposing proprietary code and meeting notes to public chatbots, highlight the severe consequences. These cases underscore vulnerabilities in data protection, intellectual property, and regulatory compliance. The financial implications are also substantial; IBM's 2025 Cost of a Data Breach Report found that shadow AI contributed significantly to breach costs, primarily due to inadequate AI access controls. Internal auditors must recognize that these forces converge at the intersection of data protection, third-party risk, and model risk, often falling outside existing policy coverage.

Internal Audit's Proactive Response to Shadow AI

To effectively address shadow AI, internal audit functions need to adopt a proactive and continuous risk assessment approach. This involves building immediate visibility into AI usage patterns by analyzing network telemetry, endpoint inventories, and cloud access security broker (CASB) logs. This initial discovery phase should aim to identify both approved and unapproved tools, data types involved, and the business units utilizing them. Integrating shadow AI into annual audit planning as a cross-cutting risk, rather than a standalone audit, ensures that every data-intensive audit includes procedures to test for AI-assisted workpapers and confirm data residency and retention obligations are met.

Furthermore, internal audit should advocate for pragmatic governance that balances innovation with control. This includes establishing clear policies prohibiting sensitive data from public models, curating a limited approved toolkit with enterprise agreements and no-training clauses, and streamlining the intake process for new AI tools. Strengthening audit team capabilities to interpret model cards, analyze data loss prevention alerts, and understand prompt injection risks is crucial. Continuous monitoring of regulatory developments, such as the EU AI Act and evolving Canadian legislation, is also essential to ensure compliance. By tracking key performance indicators like the reduction in unapproved AI domains and the adoption rate of approved tools, internal audit can measure progress and report effectively to audit committees, ultimately reducing breach exposure and enhancing data stewardship.

Key Risk Areas and Mitigation Strategies

Internal auditors should focus on several key risk areas when assessing shadow AI:

  • Data Leakage: Once prompts leave the corporate environment, retrieval is impractical, and data may be retained by model providers, potentially resurfacing in other users' outputs.
  • Compliance Failures: Fragmented logging and lack of control over processing activities impede compliance with regulations like GDPR, HIPAA, and SOX, as well as emerging AI-specific laws.
  • Cybersecurity Exposure: Malware-laden AI tools, prompt injection attacks, and personal accounts without multi-factor authentication bypass enterprise protections, as demonstrated by the Disney incident.
  • Operational and Decision Risk: Hallucinated or biased AI outputs can lead to flawed decisions, particularly in legal and finance contexts.
  • Accountability Gaps: Without proper inventory and lineage, oversight weakens, making root cause analysis difficult and hindering governance by audit committees.

To mitigate these risks, internal audit should implement a continuous assessment using five lenses: visibility (analyzing network traffic and conducting surveys), cost and breach exposure (mapping critical data flows and sampling DLP alerts), control design (assessing acceptable use policies and approved toolkits), third-party exposure (reviewing AI additions to vendor contracts), and culture (interviewing power users and measuring provisioning times for approved tools). This comprehensive approach, aligned with the IIA Global Internal Audit Standards, empowers organizations to navigate the complexities of shadow AI with confidence, fostering secure innovation.


Read more
Comments

No comments yet. Be the first.


Sign in to join the discussion.

Sign in or Create account
Subscribe

By email

Get audit & assurance news in your inbox.


By feed reader

We publish RSS, Atom, and JSON feeds sliced by category and region.

View all feeds →

Have a tip? Submit a story or job →

Subscribe by email

Get audit & assurance news in your inbox. Or use a feed reader — view all feeds →