Home South Africa News Shadow AI: Unauthorized Tool Use Emerges as Critical Cybersecurity Challenge

Shadow AI: Unauthorized Tool Use Emerges as Critical Cybersecurity Challenge

Shadow AI: Unauthorized Tool Use Emerges as Critical Cybersecurity Challenge
Shadow AI: Unauthorized Tool Use Emerges as Critical Cybersecurity Challenge. Image for illustration purposes only, generated with AI.

Cybersecurity experts are raising alarms about “Shadow AI”—the unsanctioned use of artificial intelligence tools by employees and business units without organizational oversight—as a rapidly growing threat to data privacy, regulatory compliance, and enterprise security.

Munyaradzi Chadenga, a cybersecurity expert from the Cimplicity Institute, explained that Shadow AI does not refer to external hackers, but rather to internal staff using accessible AI tools to streamline workflows without IT department knowledge. For example, an HR team processing 1,000 job applications might use an unsanctioned AI tool to shortlist candidates. While efficient, this practice exposes sensitive personal information—including ID numbers, phone numbers, and addresses—to unmonitored third-party systems.

“Once that data enters an unsanctioned AI tool, it disappears into what I call a black hole,” Chadenga said. “Nobody can access it, control it, or verify where it goes. That is a data leakage issue organizations are already facing.”

Research indicates African organizations now contend with some of the highest volumes of cyberattacks globally, even as employees increasingly connect AI tools directly to corporate systems. The core challenge, Chadenga noted, is that technology evolves faster than governance frameworks. “We are in a new era of AI. Every day brings new tools and functionalities. We need to be agile in how we think about these toolsets,” he said.

He drew a parallel to the early adoption of YouTube in workplaces: companies initially tried to block access, but could not control employees’ personal devices. “We cannot turn off people’s phones. Aggressive blocking puts us at greater risk,” Chadenga warned.

A Pragmatic Path Forward

Chadenga outlined a three-step strategy one major corporation successfully implemented to balance productivity with security:

1. Awareness: Inform staff that unsanctioned AI traffic is monitored and designate an official, organization-approved AI tool.
2. Policy: Establish an acceptable-use policy permitting only the sanctioned tool for business purposes.
3. Controlled Access: Deactivate internal access to unauthorized tools while creating a formal approval process for exceptions—allowing teams to request additional tools when business needs require, subject to security review.

“This approach streamlines AI use, ensures monitoring, and still allows people to get the job done faster,” Chadenga said. “If we simply block them, they will find more brilliant ways around it.”

Attackers Move Faster, Defense Requires Layers

Chadenga confirmed that malicious actors are adopting AI capabilities faster than many organizations can defend. “Hackers’ core business is to breach systems. They only need to get lucky once. We, meanwhile, are still structuring governance,” he explained.

To counter this asymmetry, he advocates a “defense in depth” strategy: multiple, layered security controls so that if one barrier is bypassed, others remain. “If someone gets over your fence, you still have dogs, a locked door, and a safe inside. That is the mindset we need,” he said.

Collaboration and Policy Priorities

Industry-wide collaboration is essential, Chadenga emphasized. Conferences like the IT Web Security Summit enable sectors to share threat intelligence without disclosing proprietary operational details. “If one organization in a sector faces a specific attack, sharing that insight helps the entire industry prepare,” he said. He cited the banking sector’s SABRI collective as a model for cross-organization dialogue and urged broader inclusion of public-sector entities.

With South Africa developing its national AI policy framework, Chadenga advised policymakers to prioritize inclusive consultation. “Technology users, cybersecurity professionals, and regulators need to sit together. We must protect data without stifling innovation,” he said. Effective policy should establish guardrails—not roadblocks—to enable secure AI adoption.

Three Immediate Actions for Leaders

When asked what CEOs, university leaders, or government heads should do immediately to address Shadow AI risks, Chadenga recommended three concrete steps:

1. Discover: Audit the environment to identify which AI tools employees are using and track data flows to external applications. Existing security tools can monitor this traffic.
2. Classify: Categorize organizational data by sensitivity—distinguishing internal team reports from board-level or competitively sensitive information.
3. Build Policy: Develop AI usage policies aligned with data classification. Permit sanctioned tools for lower-sensitivity tasks while requiring enhanced security controls for high-risk data access.

“Governance is easier when we know what we are protecting and how tools are currently being used,” Chadenga concluded. “Discovery must come first.”

As AI adoption accelerates across African enterprises, experts stress that proactive, collaborative, and risk-aware governance—not prohibition—is the most viable path to harnessing innovation while safeguarding organizational and public trust.