Shadow AI is the use of AI tooling outside the function’s sanctioned stack: personal accounts, browser plug-ins, consumer-grade large language models handling matter-grade work, AI-enabled features inside tools the function did not procure as AI tools. Shadow AI is the canonical Pillar 6 (Vendor) and Pillar 4 (Governance) risk vector.
The class is structurally different from sanctioned AI risk. Sanctioned AI risk is measurable, scoped, and governed (even when imperfectly). Shadow AI risk is by definition unscoped: the function cannot enumerate what it does not know is in use. Every other Risk Taxonomy class is undercounted in a function with high Shadow AI prevalence because the function lacks the inventory against which to count.
Why Shadow AI appears
Shadow AI proliferates when the sanctioned stack fails to meet user needs at the point of work. A drafting assistant restricted to specific use cases creates demand for unsanctioned alternatives. A research tool requiring approval per query drives lawyers to consumer chatbots. The proximate cause is policy; the structural cause is mismatch between sanctioned capability and operational need. The function that bans consumer LLMs without providing institutional-grade alternatives drives Shadow AI underground; the function that provides institutional-grade alternatives with friction lower than the consumer tool displaces Shadow AI without ever needing to ban it.
Shadow AI also appears at organisational seams. The matter management system with an undocumented AI-enabled feature. The vendor that adds AI capability to an existing contract under a routine update. The user who installs a browser extension that processes legal text. These are Shadow AI cases the function does not detect through policy review because they enter through paths policy does not survey.
Why Shadow AI matters
Shadow AI exposes the function to every Risk Taxonomy class without any of the Defensibility evidence. Data leakage is the most acute (sensitive client material entering vendor training corpora, sub-processor chains the function has not vetted, prompt logs retained against the function’s data handling policy), but professional conduct exposure, regulatory non-compliance, and client confidentiality breach follow closely. A function that cannot articulate its Shadow AI prevalence cannot complete a Defensibility Posture Statement honestly; the unknown is itself the exposure.
How institutional functions address it
High Shadow AI prevalence is a Foundational or Operational maturity signal. By the Integrated Maturity Band, sanctioned tooling has displaced Shadow AI through better operating discipline, not through prohibition. The structural mechanism is to make the sanctioned stack the path of least resistance: faster than the chatbot, safer than the plug-in, integrated with the matter management system. Prohibition without alternative drives Shadow AI underground; provision with discipline displaces it.
The detection side requires periodic Shadow AI audits: anonymous user surveys (asking which tools users actually use, not which they are supposed to use), browser extension audits at the endpoint management layer, network egress analysis for AI service domains, and matter management workflow walkthroughs that surface AI-enabled features the function did not formally procure. Audits at six-month cadence are baseline; quarterly is institutional.