Shadow AI: The productivity boost you didn’t approve (and how to manage it safely)
How to gain visibility, set guardrails, and reduce shadow AI risk without slowing productivity
Key takeaways
- Shadow AI is mainstream. Employees are already using unapproved AI tools across the business.
- The risk is immediate. Untracked AI use increases data exposure, compliance risk and loss of visibility.
- Bans are not a strategy. Restriction alone often drives AI use further out of view.
- Visibility must come first. You cannot govern AI use you cannot see.
- Keep governance simple. Clear policies and practical guardrails reduce risk without slowing productivity.
Generative AI has moved from “interesting experiment” to everyday work tool almost overnight. It’s helping teams draft emails faster, summarize meetings, create marketing copy, and troubleshoot technical problems. For small and mid-sized organizations, that productivity lift can be real — especially when IT resources are limited and everyone wears multiple hats.
But there’s a catch: Much of this AI adoption is happening outside approved tools, processes and oversight. That’s what the industry is calling shadow AI — employees using AI services that IT didn’t select, security didn’t vet and leadership didn’t govern. And for organizations in the 100–2,000 employee range (often with no full-time CISO and MSP-led security), shadow AI can quickly turn into a visibility and governance gap.
The good news: You don’t need a large security team to get shadow AI under control. With the right approach — and practical guardrails — you can keep the benefits of AI while reducing the risks.
Why do shadow AI and AI security matter for SMBs and MSPs?
Shadow AI is a visibility problem first. If employees can access AI tools from their browsers or embedded SaaS features, AI usage can spread faster than policies and approvals. When IT can’t see which AI tools are being used, it’s hard to answer basic questions:
- Which AI apps are in use, and by whom?
- Are people putting sensitive customer or company data into them?
- Do those tools store prompts or use data for training?
- Are we accidentally violating privacy rules or contractual commitments?
This is where AI security becomes less about “stopping AI” and more about managing AI use responsibly.
For SMBs, the risks tend to concentrate in a few practical areas:
- Data exposure and leakage: Users may paste sensitive information (customer details, invoices, HR information, internal plans) into public AI tools without realizing where that data goes or how it’s retained.
- Compliance and privacy drift: If AI usage is untracked and unmanaged, it’s easy to end up with inconsistent practices that increase the likelihood of non-compliance with regulations such as GDPR, HIPAA or industry requirements.
- Policy lag and user confusion: Many organizations don’t have clear generative AI guidelines, and employees aren’t always sure what’s allowed — so they make their own calls.
- Operational burden on MSPs: When customers adopt unsanctioned AI tools, MSPs often deal with the downstream impact — support tickets, inconsistent configurations and difficult risk conversations — without standardized tools to assess and govern usage at scale.
Most importantly: Shadow AI isn’t a sign of bad intent. It’s usually a sign that people are trying to be more efficient. The goal shouldn’t be fear-driven restriction. It should be visibility plus guardrails that let teams use AI safely.
How common is shadow AI in the workplace?
Shadow AI is not a niche behavior; it’s widespread, and it’s often invisible to managers.
- 50% of employees in a multi-country study said they use AI tools that are not authorized or provided by their employer.
- In a global survey, 57% of employees said they hide their AI usage from supervisors, and 66% reported using AI at work without knowing if it was allowed.
- Even when organizations try to ban personal AI tools, 46% of employees say they would continue using them anyway, suggesting that blanket bans often push usage further underground.
- The data-risk impact is tangible: 48% of employees admitted to inputting confidential company or customer information into public generative AI services.
- And real incidents are being reported: 1 in 5 organizations (20%) said they suffered a security breach tied to employees using unsanctioned “shadow AI” tools, while only 37% had policies or detection to manage unauthorized AI usage.
Read together, these figures point to a simple conclusion: AI adoption is already happening, often without approval — and sometimes without the organization even knowing it.
That doesn’t mean AI is unsafe. It means organizations need an AI security approach grounded in the realities of how people work: enable the productivity benefits while putting sensible controls in place.
How can IT leaders, MSPs and SMB decision-makers reduce shadow AI risk?
You don’t need a perfect AI program to start reducing shadow AI risk. What you need is a practical, repeatable baseline that matches SMB constraints and MSP operating models.
Here are five actions that work well in the real world:
1. Start with discovery: “What are we actually using?”
Before you write policies or enforce controls, get visibility into the AI tools in use — both obvious and embedded. Shadow AI is decentralized by nature, so assumptions usually miss the mark.
2. Define “acceptable use” in plain language
Many organizations still lack a formal generative AI use policy (only 34% report having one, with a small portion relying on bans). A short, clear policy is better than an ambitious one no one follows.
Focus on basics:
- What types of data must never be entered into AI tools
- Which AI services are approved (and why)
- When to use secure/sanctioned alternatives
- How exceptions get reviewed
3. Add risk context: not all AI tools are equal
A single list of “allowed vs. blocked” tools is rarely enough. Some AI services have enterprise controls, strong privacy commitments and clear data handling — others don’t. Risk needs context so IT (and MSPs) can prioritize what matters most.
4. Use practical guardrails instead of heavy-handed bans
Given that many employees will keep using AI even under bans, governance works best when it’s simple and enabling: approve low-risk tools, restrict high-risk ones and guide users toward safer options.
5. Make it repeatable for MSP delivery
MSPs need centralized, multi-customer visibility and consistent workflows to run AI risk assessments efficiently. When tools are easy to deploy and manage, shadow AI becomes a service opportunity rather than an endless stream of reactive support issues.
How Barracuda AI Security addresses shadow AI without adding complexity
Barracuda AI Security is designed for the SMB reality: limited IT resources, growing application sprawl and the need for governance that’s practical, not theoretical. It is delivered through BarracudaONE as a solution capability that combines discovery, risk context and practical governance for AI usage.
Discover: Visibility into shadow AI usage
The first challenge is simple: You can’t control what you can’t see. Barracuda AI Security automatically discovers AI tools in use across the organization using DNS and network telemetry — helping expose shadow AI that might otherwise remain invisible.
This approach is built to minimize friction: It’s designed to surface real usage patterns without requiring heavy deployments or complex projects, which is critical for SMB teams and MSPs managing multiple environments.
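For readers who want to see what the discovery step looks like at its simplest, here is an added example (not Barracuda code and not a description of how Barracuda AI Security works internally): a Python script that reads DNS resolver logs, matches the queried names against a catalog of known generative-AI service domains, and reports which clients reached which services and which of those are not on the organization's approved list. The log format, the sample log lines, the domain catalog and the approved list are all constructed assumptions for the example; a real deployment would feed it the resolver's own log format and the organization's own policy.

```python
"""Baseline shadow-AI discovery from DNS query logs (added example).

Reads resolver log lines in a constructed "<timestamp> <client-ip> <qname> <qtype>"
format, matches each queried name against a catalog of AI service domains and
summarizes usage per tool and per client, separating approved from unapproved tools.
"""
import re
from collections import defaultdict

# Catalog of generative-AI service domains. Sample only; maintain your own list.
AI_DOMAINS = {
    "chatgpt.com": "ChatGPT",
    "openai.com": "OpenAI",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Microsoft Copilot",
    "perplexity.ai": "Perplexity",
}

# Hypothetical organization policy: tools that have been approved for use.
APPROVED = {"Microsoft Copilot"}

# Constructed resolver log for the example (not real traffic).
SAMPLE_LOG = """\
2025-03-04T09:01:12Z 10.0.4.21 chatgpt.com A
2025-03-04T09:01:12Z 10.0.4.21 ab.chatgpt.com A
2025-03-04T09:02:40Z 10.0.4.37 claude.ai AAAA
2025-03-04T09:03:05Z 10.0.4.21 copilot.microsoft.com A
2025-03-04T09:03:50Z 10.0.4.58 www.example.com A
2025-03-04T09:04:11Z 10.0.4.37 api.openai.com A
2025-03-04T09:05:00Z 10.0.4.58 notchatgpt.com A
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)$")


def match_ai_service(qname):
    """Return the catalog tool whose domain equals qname or is a parent domain of it.

    The match is label-wise, so 'ab.chatgpt.com' matches 'chatgpt.com' but
    'notchatgpt.com' does not (a plain substring test would get this wrong).
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in AI_DOMAINS:
            return AI_DOMAINS[candidate]
    return None


def discover(log_text, approved=APPROVED):
    """Aggregate query counts and distinct clients per AI tool, split by policy status."""
    usage = defaultdict(lambda: {"queries": 0, "clients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        tool = match_ai_service(m["qname"])
        if tool is None:
            continue
        usage[tool]["queries"] += 1
        usage[tool]["clients"].add(m["client"])
    return {
        "approved": {t: u for t, u in usage.items() if t in approved},
        "unapproved": {t: u for t, u in usage.items() if t not in approved},
    }


def unapproved_clients(report):
    """Clients that contacted at least one unapproved AI service (follow-up list)."""
    clients = set()
    for u in report["unapproved"].values():
        clients |= u["clients"]
    return clients


if __name__ == "__main__":
    rep = discover(SAMPLE_LOG)
    for status in ("approved", "unapproved"):
        for tool, u in sorted(rep[status].items()):
            print(f"{status:10} {tool:18} queries={u['queries']} clients={sorted(u['clients'])}")
    print("clients to follow up:", sorted(unapproved_clients(rep)))
```

Two caveats a practitioner should keep in mind when reading the output. DNS telemetry shows only that a client resolved a name, not what was typed into the tool, so it establishes presence and scale of use, not data exposure. Clients using encrypted DNS to an external resolver bypass the internal resolver log entirely, and AI features embedded in a SaaS product share that product's domains, so neither appears here; those gaps are why the article pairs DNS with broader network telemetry rather than relying on DNS alone.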
Assess: Risk and compliance context that’s actionable
Visibility is only useful if it leads to decisions. Barracuda AI Security classifies discovered AI services using the Barracuda Artificial Intelligence Risk Classification, giving IT teams and MSPs clear context on which tools may pose higher data, privacy or compliance risk.
This is especially important for organizations that don’t have a dedicated CISO or an internal governance function: The classification and structure help teams benchmark what “acceptable” AI risk looks like.
Enforce: Practical governance guardrails (approve, deny, redirect)
Barracuda’s approach emphasizes practical AI governance without added complexity. Admins can set simple guardrails — approve, deny or redirect AI usage — through workflows integrated into BarracudaONE.
That means you can guide users toward sanctioned tools and reduce exposure to higher-risk services, while keeping productivity intact. It’s governance designed for how SMBs operate: fast, clear and manageable.
Built for MSPs: Multi-tenant, low-touch, scalable
AI Security also supports MSP delivery models with centralized dashboards, multi-tenant management, and guided onboarding, so partners can deliver AI risk assessments and governance efficiently across customers.
Instead of treating shadow AI as an unbounded problem, MSPs can turn it into a structured advisory motion: assess usage, recommend guardrails and provide ongoing governance as a differentiated managed service.
A practical path forward
Shadow AI is the natural outcome of fast-moving technology meeting real-world business pressure. For SMBs and MSPs, the goal isn’t to slow innovation — it’s to make AI adoption visible, understandable and governable.
With Barracuda AI Security delivered through BarracudaONE, organizations can discover what’s being used, assess risk with clear context and enforce practical guardrails without needing a large security team or a patchwork of point solutions.
If your organization is asking, “How do we keep the benefits of AI while staying in control?” — this is the right place to start.