Why Shadow AI Use by Employees is Creating Hidden Legal Exposure
By: Moish E. Peltz
Generative AI has moved from novelty to necessity in a matter of months, and employees across nearly every industry are quietly incorporating it into their daily work, often without their employer's knowledge or approval. While this informal AI usage may feel like a harmless productivity hack, it is rapidly becoming one of the most significant sources of hidden legal exposure facing modern businesses. From data privacy violations and trade secret leakage to copyright infringement and discrimination claims, the unsanctioned use of AI tools is creating risks that many companies are only beginning to understand. This article explains what "shadow AI" looks like in practice, why employees turn to unauthorized AI platforms, the specific legal and compliance risks involved, and what businesses can do to protect themselves.
What "Informal AI Use" or "Shadow AI" Means in the Workplace
"Shadow AI" refers to the use of artificial intelligence tools by employees without the formal knowledge, approval, or oversight of their employer's IT, legal, or compliance functions. It is the AI-era successor to "shadow IT," the long-standing problem of workers using unsanctioned software, cloud storage, or personal devices to get their jobs done. The difference is that today's shadow AI tools, including ChatGPT, Claude, Gemini, Copilot, Perplexity, and a rapidly expanding universe of niche generative AI platforms, can ingest, analyze, and reproduce sensitive company data at a scale and speed that traditional shadow IT never could.
Informal AI use typically takes several forms. An employee may paste a client contract into a public chatbot to summarize it, upload a confidential financial model to an AI spreadsheet assistant, use a free transcription tool to record an internal meeting, or rely on an AI image generator to create marketing assets. In each case, the employee may be acting in good faith to work more efficiently (or the employee might be violating a company policy), but in either event, the company has no visibility into what information is being shared, where it is being stored, how it is being used to train third-party models, or who else may eventually have access to it.
Surveys consistently show that the majority of knowledge workers now use generative AI on the job, and a large share do so without telling their employer. Even at organizations that have rolled out approved AI platforms, employees frequently use unauthorized AI tools alongside them because they perceive consumer versions as either faster, more capable, or simply more familiar. The result is a sprawling, invisible layer of AI activity that sits entirely outside the company's IT and governance framework.
Why Are Employees Turning to Unapproved AI Tools?
The primary driver of shadow AI is straightforward: employees are under pressure to do more with less, and generative AI delivers measurable productivity gains. When workers can draft a memo, analyze a dataset, or generate code in a fraction of the time it would otherwise take, the temptation to use whatever tool works best, regardless of whether it has been vetted, is enormous.
Internal policy gaps amplify the problem. Many organizations have not yet issued clear guidance on which AI tools are permitted, what types of information can be entered into them, or what disclosure obligations apply when AI assists with a work product. In the absence of clear rules, employees default to the tools they already use at home. Even when policies exist, they are often vague, outdated, or poorly communicated, leaving workers to make their own judgment calls about acceptable AI usage.
There is also a cultural dimension. Recent research, including a widely cited 2025 study from Harvard Business Review, found that employees who openly admit to using AI are sometimes perceived as less competent or less diligent than peers who do not. That social penalty pushes AI use underground, where it is harder for employers to monitor, address through training, or correct. The combination of productivity pressure, weak governance, and reputational risk creates near-ideal conditions for shadow AI to flourish.
How Shadow AI Creates Legal, Compliance, and Business Risks
When employees use unauthorized AI tools to handle company data, the legal and compliance consequences can extend far beyond a single careless prompt. Shadow AI touches nearly every area of corporate risk, including privacy, intellectual property, professional responsibility, employment law, regulatory compliance, and litigation exposure, and the issues often compound one another. The sections below outline the most significant categories of risk that businesses should understand.
Data Privacy and Confidentiality Breaches
The most immediate risk is data exposure. When an employee pastes customer records, employee personal data, health information, or financial details into a public AI platform, that sensitive information may be retained on the provider's servers, reviewed by human trainers, or used to improve the underlying model. Depending on the data involved, that single act can trigger obligations under the GDPR or EU AI Act, the California Consumer Privacy Act, HIPAA, the Gramm-Leach-Bliley Act, state biometric privacy laws, and a growing patchwork of sectoral regulations. Regulators around the world are increasingly critical of entering personal data into third-party AI systems without a lawful basis, proper disclosures, and often a data processing agreement, none of which are typically in place for consumer AI tools.
Beyond potential regulatory exposure, unauthorized AI usage frequently violates the confidentiality provisions in customer contracts, vendor agreements, and NDAs. A single employee uploading a confidential deal document or product roadmap can expose the company to breach-of-contract claims, indemnification demands, and class action litigation from the affected companies or individuals whose data was disclosed without authorization.
Intellectual Property and Copyright Risks
Generative AI creates intellectual property risks in both directions. On the input side, feeding proprietary source code, product designs, research data, or other trade secrets into a public AI platform may destroy trade secret protections that depend on maintaining secrecy. Once trade secret information leaves the company's controlled environment, courts may find that the company failed to take reasonable steps to protect it, eliminating trade secret protection entirely.
On the output side, AI-generated content carries its own risks. Material produced entirely by generative AI is generally not eligible for copyright protection under current U.S. Copyright Office guidance, meaning that marketing copy, code, or creative assets created with AI may not belong exclusively to the company. AI outputs can also risk infringing third-party copyright if the model reproduces protected material from its training data, exposing the business to infringement claims it never anticipated.
Attorney-Client and Privileged Information Exposure
For law firms, in-house legal teams, and any business that handles privileged communications, shadow AI poses a unique threat to the attorney-client privilege and work product doctrine. Disclosing privileged content to a third-party AI provider, particularly one that retains inputs or uses them for model training, can be treated as a waiver of privilege, opening the door to discovery by adversaries in future litigation. The ABA and state bar associations have issued formal ethics guidance warning lawyers about confidentiality, competence, and supervision obligations when using generative AI.
The risk is not limited to lawyers. Compliance officers, HR professionals, internal investigators, and executives routinely handle privileged or sensitive material, and any of them may inadvertently waive protection by routing that information through an unauthorized AI tool. Once disclosed, privilege can be extremely difficult to claw back.
Inaccurate AI Outputs and Decision-Making Liability
Generative AI systems are well known to "hallucinate," that is, to produce confident, plausible-sounding outputs that are factually wrong. When employees rely on unverified AI outputs to make business decisions, draft client deliverables, or evaluate candidates, the company can be held accountable for the resulting harm. Lawyers have been sanctioned for filing briefs that cited AI-fabricated cases, and employers have faced discrimination claims when AI-assisted hiring and performance tools produced biased results.
The liability is magnified when AI is used in high-stakes employment decisions. The EEOC has confirmed that employers remain responsible for discriminatory outcomes produced by AI tools, and a growing number of jurisdictions, including the European Union, New York City, Illinois, Colorado, and California, have enacted laws requiring notice, bias audits, or impact assessments before AI can be used in employment contexts. Shadow AI use in hiring, promotion, or termination decisions can expose the company to class action litigation even when leadership had no idea the tool was being used.
Cross-Border Data and Regulatory Violations
Many popular AI platforms (or their subprocessors) may process data on servers located outside the United States, which can trigger cross-border data transfer obligations that the employee never considered. Under the EU GDPR, the UK GDPR, and similar regimes in Brazil, China, Canada, and elsewhere, transferring personal data to a third country requires a valid transfer mechanism such as Standard Contractual Clauses or an adequacy decision. Routing data through a consumer AI tool almost never satisfies these requirements.
Sector-specific regulators add further complexity. Financial institutions face oversight from the SEC, FINRA, and federal banking agencies; healthcare entities must comply with HIPAA; defense contractors face ITAR and EAR export controls that can be violated the moment technical data is shared with a foreign-hosted AI model. A single unauthorized AI session can simultaneously create privacy, sectoral, and export control violations across multiple jurisdictions.
Legal and Regulatory Frameworks Governing Workplace AI Use
The legal landscape for workplace AI is evolving rapidly, and businesses can no longer assume that the absence of a specific "AI law" means the absence of regulation. At the federal level, the FTC has signaled that it will use its existing authority over unfair and deceptive practices to police AI-related harms, and the EEOC has issued guidance on algorithmic discrimination in employment. NIST's AI Risk Management Framework, while voluntary, is quickly becoming a benchmark for responsible AI governance and is increasingly referenced in regulatory enforcement and litigation.
State-level activity is even more intense. The Colorado AI Act, California's SB 1001 and AB 2930, Illinois's Artificial Intelligence Video Interview Act and amendments to the Illinois Human Rights Act, and New York City's Local Law 144 all impose substantive obligations on employers using AI systems (for example, notice requirements, bias audits, and recordkeeping). The EU AI Act, which has already begun phased implementation, imposes risk-based requirements that apply extraterritorially to many U.S. companies with European operations or customers.
Layered on top of these AI-specific frameworks are the longstanding bodies of law that already apply: privacy statutes, trade secret law, copyright and trademark law, securities regulations, professional responsibility rules, employment discrimination law, and contract law. Shadow AI does not get a pass on any of these. If anything, the lack of a formal AI governance program makes it more difficult for a company to demonstrate the reasonable care that many of these regimes require.
How Can Businesses Reduce Legal Exposure from Employee Shadow AI Use?
The good news is that the legal risks of shadow AI can be made more manageable when companies act proactively rather than reactively. The most effective approach combines robust governance, clear policies, approved technology, ongoing training, and meaningful oversight. Practical steps that every business should consider include the following.
As part of a larger governance framework, adopt a written AI usage policy that specifies which AI platforms are approved, what categories of information may and may not be entered into AI tools, when disclosure of AI assistance is required, and what the consequences are for noncompliance. The policy should be communicated across the organization, reviewed regularly, and updated as the technology and regulatory environment evolve.
Provide sanctioned, enterprise-grade AI tools that meet the company's security, privacy, and contractual requirements. Employees are far less likely to use unauthorized AI platforms when an approved alternative is genuinely useful, easy to access, and integrated into their existing workflows. Enterprise agreements should include commitments around data retention, model training opt-outs, confidentiality, indemnification, and breach notification.
Train employees, not just once, but on an ongoing basis, on the responsible use of AI, including specific examples of what shadow AI looks like, why it is risky, and how to recognize sensitive data that should never be entered into a public model. Pair training with technical controls such as data loss prevention tools, network monitoring, and access restrictions that make it harder for sensitive information to leave the corporate environment.
Finally, build AI governance into existing compliance structures. Designate people as accountable for organizational AI risks, conduct AI risk assessments, document vendor due diligence, maintain an inventory of AI systems in use, and ensure that legal, IT, HR, and security teams coordinate on AI-related decisions. When AI is used in employment, lending, healthcare, or other high-risk contexts, build in human review, bias testing, and audit trails from the start.
Speak With an Experienced Artificial Intelligence Lawyer
Informal AI use is not going away, and the legal exposure it creates will only grow as regulators, plaintiffs' lawyers, and contracting counterparties become more sophisticated about generative AI. Businesses that wait for a breach, lawsuit, or enforcement action to develop an AI governance strategy will find themselves on the defensive, often at significant cost. The companies that fare best will be those that treat shadow AI as the serious legal and operational issue it is, and address it before it becomes a headline.
The attorneys at FRB advise clients across industries on the full range of legal issues raised by artificial intelligence in the workplace, from drafting AI usage policies and vendor agreements to defending privacy, employment, and intellectual property claims. If your organization is grappling with how to manage employee AI use, evaluate AI vendors, or respond to an AI-related incident, we can help. Contact FRB today to schedule a consultation with an experienced AI lawyer and put a defensible AI governance program in place before the next regulator, plaintiff, or counterparty comes calling.
DISCLAIMER: This summary is not legal advice and does not create any attorney-client relationship. This summary does not provide a definitive legal opinion for any factual situation. Before the firm can provide legal advice or opinion to any person or entity, the specific facts at issue must be reviewed by the firm. Before an attorney-client relationship is formed, the firm must have a signed engagement letter with a client setting forth the Firm’s scope and terms of representation. The information contained herein is based upon the law at the time of publication.