By Sherrine Green-Thompson, Senior Expert – Digital Transformation, KPMG Netherlands
For more than two decades, enterprise leaders have wrestled with Shadow IT — unsanctioned spreadsheets, departmental databases, and later, cloud applications adopted outside formal governance. It was often framed as a compliance failure or an IT control problem.
Today, a more complex phenomenon is emerging.
Shadow AI is not simply the next iteration of Shadow IT. It represents a structural shift in enterprise risk, autonomy, and architectural visibility. Where Shadow IT introduced unsanctioned tooling, Shadow AI introduces unsanctioned cognition — systems capable of generating insight, influencing decisions, and in some cases, acting semi-autonomously.
The governance question is no longer about controlling applications. It is about governing intelligence embedded across the enterprise.
The Evolution of Enterprise Invisibility
The trajectory from Shadow IT to Shadow AI has followed a clear progression.
Shadow IT (1990s–2010).
Business units created local solutions to move faster than centralised IT. The risk surface was limited to data inconsistency, security gaps, and technical debt.
SaaS Proliferation (2010–2020).
Cloud platforms lowered barriers to entry. Departments could adopt enterprise-grade solutions via a credit card. Risk shifted from local inconsistency to fragmented data, duplicated processes, and diminished architectural oversight.
API Economy and Composability (2020–2023).
Enterprises embraced modularity and integration at scale. Systems became interconnected. The architecture surface expanded, and governance required cross-platform orchestration rather than system-by-system control.
Generative AI and Embedded Intelligence (2023–Present).
AI capabilities became embedded inside SaaS platforms, collaboration tools, and development environments. Employees began using public generative AI tools for drafting, analysis, and coding. Visibility eroded further. Risk moved from data sprawl to knowledge leakage and algorithmic influence.
Emerging Agentic Ecosystems.
The next phase introduces semi-autonomous AI agents capable of initiating actions, triggering workflows, and interacting across systems. At this stage, the enterprise is not merely managing tools — it is managing distributed cognitive actors.
At each phase, three variables increased: speed of adoption, invisibility of usage, and complexity of risk.
Why Shadow AI Is Fundamentally Different
Shadow IT primarily created structural inconsistency. Shadow AI introduces epistemic and regulatory risk.
First, data leakage and model training exposure become systemic. Employees uploading proprietary information into external models risk unintended data retention or exposure. The risk extends beyond confidentiality to intellectual property erosion.
Second, hallucination and epistemic uncertainty alter decision quality. Generative models can produce plausible but incorrect outputs. When embedded into knowledge workflows, this introduces subtle degradation of institutional decision-making.
Third, embedded AI within SaaS platforms reduces architectural visibility. AI features are activated through configuration, not deployment. Traditional architecture inventories may not detect where intelligence is influencing process outcomes.
Fourth, autonomous decision loops introduce accountability ambiguity. As AI systems trigger actions across workflows, tracing decision lineage becomes more complex.
Finally, regulatory frameworks are evolving rapidly. The EU AI Act, ISO/IEC 42001, and the NIST AI Risk Management Framework signal a formalization of AI governance expectations. Organisations that treat AI as an informal productivity tool may find themselves structurally unprepared for regulatory scrutiny.
Shadow AI is therefore not simply a compliance issue. It is an architectural one.
A Cross-Industry Pattern
Across industries — from financial services to consumer goods to public sector — a recurring pattern is emerging.
An organisation discovers widespread employee use of generative AI tools. Initial response: restrict access. Security policies are tightened. Communications emphasise prohibition.
Usage does not disappear.
Instead, it moves further underground or fragments across unmanaged environments. Productivity benefits are realised unevenly. Risk visibility declines.
A more mature response reframes the issue architecturally:
- Establish an AI reference architecture defining approved interaction patterns.
- Introduce policy-as-code guardrails for data classification and usage monitoring.
- Define decision rights between central governance and federated experimentation.
- Provide sanctioned enterprise AI platforms that reduce incentive for shadow usage.
The shift is subtle but decisive: from policing behavior to designing for safe adoption.
Architecture’s Evolved Mandate
Enterprise Architecture must now operate as an orchestrator of intelligence.
This requires five structural shifts:
- Guardrails over Gates.
Move from approval-based governance to principle-based enablement. Define acceptable AI interaction patterns and embed them in platforms. - AI Reference Architectures.
Develop explicit blueprints covering data flow, model lifecycle, monitoring, explainability, and human oversight. Architecture must make AI visible. - Policy-as-Code Governance.
Embed compliance controls directly into development pipelines and AI platforms, aligning with NIST AI RMF and ISO 42001 principles. - Federated Enablement with Central Visibility.
Allow experimentation at the edge while maintaining enterprise-level telemetry and oversight. - Decision Rights Clarity.
Clarify accountability across CIO, CDO, Risk, and Architecture functions. Governance without clear ownership accelerates shadow behavior.
In this model, architecture becomes “innovation signal intelligence.” Rather than suppressing new behaviors, it detects, evaluates, and institutionalises them.
The Coming Inflection Point
The next structural shift will occur when AI agents transition from advisory roles to semi-autonomous actors within enterprise workflows.
When agents negotiate supply orders, adjust pricing, or triage customer interactions, the governance model must address not only system integrity but delegated decision authority.
At that point, architecture maturity becomes a competitive differentiator.
Organisations that have invested in AI visibility, reference architectures, and embedded governance will scale confidently. Those that rely on reactive restriction will struggle to reconcile innovation with compliance.
Shadow AI is not a failure of governance. It is a signal.
A signal that intelligence has become distributed, embedded, and increasingly autonomous.
The question is no longer whether employees will use AI. It is whether enterprise architecture will evolve quickly enough to structure its use responsibly.