EDPS warns against the risks of Shadow AI
Published: 15/06/2026 | EDPS
The European Data Protection Supervisor (EDPS) has published a blog article on the impact of shadow AI, highlighting the significant data protection and security risks it poses when employees use unauthorised AI tools without organisational approval. These unapproved technologies, including chatbots, coding assistants, and meeting recorders, can bypass critical safeguards and create regulatory blind spots.
Consequences include potential personal data breaches, compliance failures, and operational disruptions. Unauthorised tools lack formal processing agreements, explicit data retention periods, or international transfer safeguards, making data tracking impossible and complicating data subject rights requests. Security vulnerabilities also emerge, such as automated recorders joining meetings without IT oversight.
To mitigate these risks, the EDPS is calling for a proactive governance strategy combining technical controls and employee awareness. Organisations should establish clear policies defining authorised AI use, alongside technical measures such as blocking unapproved domains, enforcing data loss prevention rules, and providing secure, compliant alternatives that meet staff productivity needs. Ongoing employee skills development is required to ensure employees understand the risks to data subjects.