{"id":8797,"date":"2026-07-17T07:00:00","date_gmt":"2026-07-17T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8797"},"modified":"2026-07-17T07:00:00","modified_gmt":"2026-07-17T07:00:00","slug":"senior-executives-are-killing-your-shadow-ai-strategy","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8797","title":{"rendered":"Senior executives are killing your shadow AI strategy"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p class=\"wp-block-paragraph\">Shadow IT has long been a major problem for CISOs, but the biggest problem may be coming from the executive suite\u2019s hunger for unsanctioned AI.<\/p>\n<p class=\"wp-block-paragraph\">Nearly two-thirds of senior decision-makers admit to using <a href=\"https:\/\/www.cio.com\/article\/4178359\/why-your-most-ai-savvy-employees-are-driving-shadow-ai.html\">unapproved AI tools<\/a>, compared to just 31% of lower-level employees, according <a href=\"https:\/\/www.trustedtechteam.com\/pages\/shadow-ai-whitepaper-download\">to a survey<\/a> by Microsoft solutions partner TrustedTech.<\/p>\n<p class=\"wp-block-paragraph\">The use of <a href=\"https:\/\/www.cio.com\/article\/647725\/it-leaders-grapple-with-shadow-ai.html\">shadow AI<\/a> is prevalent among senior executives even though three in four employees acknowledge security or data privacy risks related to the practice.<\/p>\n<p class=\"wp-block-paragraph\">\u201cMost shadow AI users are not ignorant of the risk,\u201d TrustedTech says in a white paper. \u201cThey are deliberately choosing to use these tools anyway. This is not a training issue. It is a culture, incentives, and alternatives issue.\u201d<\/p>\n<p class=\"wp-block-paragraph\">In many cases, the problem is driven by a lack of approved tools, the report adds.<\/p>\n<p class=\"wp-block-paragraph\">\u201cPeople use shadow AI because what their employer hands them is worse than mainstream AI tools, or because nothing has been approved in the first place,\u201d the report says. \u201cThat doesn\u2019t change until the sanctioned tools are genuinely worth using.\u201d<\/p>\n<h2 class=\"wp-block-heading\">A question of authority<\/h2>\n<p class=\"wp-block-paragraph\">The use of shadow AI by CEOs and other C-suite executives can create major problems for CISOs, CIOs, and other IT executives because they may not have the authority to put the kibosh on it.<\/p>\n<p class=\"wp-block-paragraph\">It also presents a challenge for IT leaders to provide the AI tools that employees and executives want to use.<\/p>\n<p class=\"wp-block-paragraph\">When executives use shadow AI, CISOs are in a difficult position, because governance only works when it\u2019s modeled from the top, says<a href=\"https:\/\/www.linkedin.com\/in\/annolan\/\">\u00a0Andy Nolan,<\/a> VP of technology at TrustedTech.<\/p>\n<p class=\"wp-block-paragraph\">\u201cIf senior leaders bypass approved AI tools or policies, it sends an implied message that speed matters more than security and compliance,\u201d he adds. \u201cEmployees notice that behavior, and it becomes much harder to ask the rest of the organization to follow standards that leadership isn\u2019t following themselves, first.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Another major problem is that executives often work with highly sensitive information, including financial data, strategic plans, intellectual property, and customer information, he notes.<\/p>\n<p class=\"wp-block-paragraph\">But CISOs and CIOs also can\u2019t solve the problem by becoming the AI police in every situation, Nolan says, because their role is to help the business innovate safely.<\/p>\n<p class=\"wp-block-paragraph\">\u201cThat requires executive alignment, clear governance, and providing secure AI tools that people actually want to use,\u201d he adds. \u201cWhen leadership embraces those solutions, the rest of the organization is almost sure to follow.\u201d<\/p>\n<h2 class=\"wp-block-heading\">All risk, no reward<\/h2>\n<p class=\"wp-block-paragraph\">The use of shadow AI by senior executives puts CISOs and CIOs in an impossible position, agrees <a href=\"https:\/\/www.linkedin.com\/in\/amit-maloo-b087291\/\">Amit Maloo<\/a>, CISO at AI procurement provider Ivalua. CISOs and CIOs are <a href=\"https:\/\/www.cio.com\/article\/4182288\/cios-are-being-held-accountable-for-ai-they-dont-fully-control-ibm-study-finds.html?utm=hybrid_search\">held accountable<\/a> for the risk exposure but have no visibility into the problem, he says.<\/p>\n<p class=\"wp-block-paragraph\">\u201cWhen senior leaders use ungoverned AI tools for business decisions, those decisions still have consequences, such as financial commitments, contract reviews, and data sharing,\u201d he adds. \u201cBut there is no audit trail, no permissions model, or no way to reconstruct what happened or why.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Part of the problem is that approved AI options often don\u2019t meet the needs of users, Maloo says.<\/p>\n<p class=\"wp-block-paragraph\">\u201cAI policies alone aren\u2019t enough; organizations need to pair governance with usability,\u201d he adds. \u201cIf approved AI tools don\u2019t meet the pace of business, employees at every level, including leadership, will find their own solutions. Successful organizations will be those that make the secure path the easiest path.\u201d<\/p>\n<p class=\"wp-block-paragraph\">IT leaders can\u2019t solve the problem with more governance, he notes. \u201cPolicies and restrictions slow shadow AI down, but they don\u2019t stop it, especially when the people using it are senior enough to absorb the disciplinary risk,\u201d Maloo adds. \u201cWhat CIOs can do is focus on providing tools that grant users full access to the necessary systems and data, eliminating the need to choose between a capable but ungoverned tool and a safe but limited one.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Speed over security<\/h2>\n<p class=\"wp-block-paragraph\">The TrustedTech data echoes a <a href=\"https:\/\/www.teramind.co\/l\/shadow-ai-report-2026\/\">June report<\/a> from employee monitoring software vendor Teramind, which found that more than two-thirds of C-level executives prioritize speed over security when using AI tools, notes <a href=\"https:\/\/www.linkedin.com\/in\/nikkale\/\">Nik Kale<\/a>, a principal engineer and product architect at Cisco, and member of the Coalition for Secure AI.<\/p>\n<p class=\"wp-block-paragraph\">In addition, the Teramind report found that two-thirds of enterprise AI activity runs through personal accounts on platforms for which the company already owns licenses, he notes.<\/p>\n<p class=\"wp-block-paragraph\">\u201cPeople are paying for the governed version and using the ungoverned version of the same product, so the problem isn\u2019t the tools,\u201d he says. \u201cThe approved path is slower, buried in procurement, or disconnected from where the work actually happens, and speed wins every time under a deadline.\u201d<\/p>\n<p class=\"wp-block-paragraph\">The problem then isn\u2019t with the AI tools, but with the friction involved, he says. \u201cPeople aren\u2019t going around the front door because the room is locked,\u201d Kale adds. \u201cThey\u2019re going around it because the front door is slower.\u201d<\/p>\n<p class=\"wp-block-paragraph\">In many cases, the use of shadow AI exposes a couple of shortcomings in enterprise processes, adds <a href=\"https:\/\/www.linkedin.com\/in\/matt-scavetta-018b10173\/\">Matthew Scavetta<\/a>, chief technology innovation officer at IT solutions provider Future Tech Enterprise.<\/p>\n<p class=\"wp-block-paragraph\">Many organizations don\u2019t do a good job of making employees aware of the AI tools available to them, he says, and many organizations don\u2019t offer training on the sanctioned applications, which drives users to pick products they are familiar with.<\/p>\n<p class=\"wp-block-paragraph\">\u201cIf you don\u2019t solve problems for people quickly or make people aware of which tools they can use safely, they will find a workaround,\u201d he adds. \u201cAI tools are no different than anything else.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Shadow AI use by executives puts IT leaders in an incredibly difficult position, he says.<\/p>\n<p class=\"wp-block-paragraph\">\u201cCIOs, in particular, are under more and more pressure each year to keep up with what\u2019s possible as tech influencers keep preaching about the potential of these tools,\u201d Scavetta says. \u201cCEOs and board members are constantly getting swept up in the hype; meanwhile, there are more and more case studies coming out showing how little ROI some organizations have realized. It\u2019s a never-ending game of balancing possible with practical.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Shadow IT has long been a major problem for CISOs, but the biggest problem may be coming from the executive suite\u2019s hunger for unsanctioned AI. Nearly two-thirds of senior decision-makers admit to using unapproved AI tools, compared to just 31% of lower-level employees, according to a survey by Microsoft solutions partner TrustedTech. The use of [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8798,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8797","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8797"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8797"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8797\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8798"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8797"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8797"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8797"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}