Shadow AI: the first AI governance failure is not knowing which AI systems exist within the organisation
- Francisca Almeida
- 7 days ago
- 4 min read
Good AI governance must, first and foremost, be workable in practice. It should be embedded in the organisation’s existing decision-making processes, rather than operating in parallel to them.
In August 2024, the European Union’s Artificial Intelligence Regulation — the AI Act — entered into force. Europe moved quickly to legislate on AI with a stated ambition: to be first, to regulate in detail, and to turn the European rulebook into the international standard. The promise was to bring certainty. At this stage, the result has been more about multiplying questions.
Although it has formally been in force since 2024, the AI Act applies on a phased basis. Some obligations, such as those relating to AI literacy and prohibited practices, have applied since February 2025, while others, including a significant part of the regime applicable to high-risk AI systems, have August 2026 as their “go-live” date.
Yet, before the Regulation has truly begun to apply in full, its amendment is already under discussion. In November 2025, the European Commission presented the so-called Digital Omnibus, a simplification package proposing amendments to the AI Act, including adjustments to the application timeline for the rules on high-risk systems and a reduction of certain administrative obligations. For the proposed amendments to take effect before August 2026, the final text will need to be approved and published within a very tight timeframe.
And while the Regulation finds its course, AI is already inside organisations. It is present in recruitment, marketing, contract analysis, fraud detection, customer support, programming, cybersecurity, document management, financial analysis, and individual productivity. It does not always come through the front door. Sometimes it arrives unnoticed through a SaaS tool, a new feature introduced by a vendor, an assistant embedded in a platform already in use, an informal pilot, or an employee who has found a faster way to do their work.
This is why, even before the Regulation produces all of its effects, many organisations already feel the need to implement internal rules to control the AI they have in-house. They want to implement AI governance not only out of concern about a future fine — although that also matters — but because the use of AI raises reputational, financial, and operational risks that do not depend on a European timetable.
Remarkably, many organisations still do not know, with precision, which AI systems they use. And they know even less about whether shadow AI exists: that is, whether their employees are using AI systems that have not been internally validated and approved.
This is where AI governance begins in practice. It begins with a task that is not very visible, but is absolutely foundational: mapping existing systems, identifying use cases, understanding which tools are involved, who uses and supervises them, and what level of risk they pose to the organisation. It sounds simple, but it usually is not. Consider that, in many organisations, the speed at which AI systems are adopted makes a manual, case-by-case assessment within a useful timeframe practically impossible. At a certain point, more systems enter the organisation than compliance teams are able to assess. And when that happens, there is no real way around it: it is necessary to automate what can be automated and reserve human decision-making for the points where it is needed.
Good AI governance must, first and foremost, be capable of being applied. It should be embedded in the processes through which the organisation already makes decisions, rather than existing outside them. It should be based on clear, proportionate policies which, in the current context, are adaptable. The best policy is not the longest, nor the most detailed. It is the one that provides sufficient guidance to decide today and enough flexibility not to become obsolete tomorrow.
However, there is little value in having AI mapped, a well-structured inventory, and carefully designed policies if the organisation is not prepared to apply them. AI governance is not exhausted by the document. On the contrary: it must reach the way people use tools, select vendors, approve use cases, review outputs, flag risks, and make decisions. And that requires knowledge. Contrary to what one might think, generic user-level training along the lines of “what is artificial intelligence” is not enough.
Organisations need to train those who use AI tools, naturally. But they also need to train those who approve, those who supervise, and those who decide. A board member does not need to know how to code a model. They do, however, need to understand which questions should be asked before approving its use. A procurement team does not need to know model architecture, but it should be able to identify when a vendor is incorporating AI into a service. A business team does not need to know the AI Act by heart. But it does need to know when it is dealing with a high-risk use and how to seek assistance. In other words, AI literacy is not a course. It is a condition of governance.
The timeline may change. Guidance may be delayed. The Digital Omnibus may even simplify certain obligations. But none of that changes the essential point: AI is already inside organisations and, at this point, governing it is no longer a matter of anticipating obligations. It is a matter of acting in time.