Mechanism
Individuals use AI tools the function has not approved, governance does not know about, and the Evidence Register cannot account for. Shadow AI is the structural condition under which every other class can arise without governance visibility.
Evidence (what the Evidence Register holds)
Approved-vendor list currency; fast-path approval audit log; non-punitive disclosure mechanism activity log; quarterly Shadow AI Discovery exercise record.
Mitigation
Actively curated approved-vendor list; fast-path approval (the slow path drives usage underground); AI literacy naming the approved list explicitly; non-punitive disclosure mechanism; quarterly Shadow AI Discovery exercise (Chapter 6).
Editorial Framing
Shadow AI proliferation is the structural class. It does not produce one specific failure mode; it produces the conditions under which every other class can manifest without governance visibility. The mitigation is product, not punishment: a fast-path approval mechanism and an actively curated approved-vendor list reduce shadow usage by removing the friction that drives it underground.
Indicative Examples
- Lawyer using a consumer AI assistant on a personal account for client work
- Paralegal using a free research tool excluded from the vendor list
- Partner pasting matter content into an uncontrolled chatbot