---
id: "question-shadow-ai-security"
type: "open-question"
source_timestamps: ["¶2"]
tags: ["security", "governance", "shadow-it"]
related: ["concept-shadow-ai-solutions", "action-build-no-code-playgrounds"]
resolution_path: "Frameworks detailing how IT and InfoSec teams can rapidly vet and sanction popular shadow tools, or implement data-loss prevention (DLP) guardrails without stifling frontline experimentation."
sources: ["adoption"]
sourceVaultSlug: "hbr-seg-adoption"
originDay: 9
articleStem: "hbr-edu-40-workers-dont-trust-ai"
sourceUrl: "https://hbr.org/2025/11/workers-dont-trust-ai-heres-how-companies-can-change-that"
sourceTitle: "Workers Don’t Trust AI. Here’s How Companies Can Change That."
---
# Balancing Shadow AI with Enterprise Security

**Open question:** the authors note that **nearly half of frontline employees** are turning to unapproved **"shadow" AI** (see [[concept-shadow-ai-solutions]]) because they trust it more than mandated tools. The article advocates building internal [[concept-digital-playgrounds]] to *capture* this innovative energy — but it **does not address the immediate data-security, privacy, or compliance risks** posed by the current rampant use of unapproved external AI tools.

**Why it matters (from enrichment):** security and compliance experts warn that unapproved AI use can cause **data leakage, IP loss, and regulatory breaches**, especially in regulated industries (healthcare, finance, life sciences). Responsible-AI regimes — **NIST AI RMF, the EU AI Act, ISO AI standards** — all stress human oversight, transparency, and risk-based controls.

**Resolution path:** frameworks for how IT/InfoSec can **rapidly vet and sanction the most-used shadow tools**, or deploy **data-loss-prevention (DLP) guardrails**, *without* stifling frontline experimentation. A pragmatic synthesis: **rapidly formalize and channel** widely used shadow practices into sanctioned equivalents (see [[action-build-no-code-playgrounds]]) *while simultaneously tightening controls* on unsanctioned use — rather than celebrating shadow AI uncritically.
