The unauthorized deployment of artificial intelligence tools by staff members—dubbed “Shadow AI”—is emerging as a critical vulnerability for organizations worldwide, according to cybersecurity specialists. Munyaradzi Chadenga of the Cimplicity Institute warns that while AI offers transformative potential, its unsupervised adoption introduces significant risks to data privacy, regulatory compliance, identity management, and overall cyber resilience.
Shadow AI refers specifically to employees or business units utilizing AI applications without organizational approval or IT department awareness. Chadenga clarified that this threat does not originate from external hackers, but from internal workflows. He illustrated the scenario: an HR team receiving 1,000 job applications uses an accessible AI tool to identify five top candidates. While this accelerates hiring, sensitive personal data—including ID numbers, contact details, and residential addresses—is transmitted to third-party systems beyond the organization’s control.
“Once that information enters an unsanctioned AI platform, it vanishes into what I describe as a black hole,” Chadenga stated. “No one can retrieve it, audit it, or confirm its destination. That constitutes an active data leakage incident.”
Recent research indicates that African organizations now experience some of the highest frequencies of cyberattacks globally, even as staff increasingly integrate AI tools directly with corporate infrastructure. The underlying tension, Chadenga explained, stems from technology evolving more rapidly than governance structures. “We are navigating a new AI era. New tools and capabilities emerge daily. Our approach to oversight must be equally agile,” he said.
He referenced the historical challenge of workplace YouTube access: organizations initially attempted to block the platform, but could not regulate employee use of personal smartphones and devices. “We cannot simply flip an off-switch anymore. Overly restrictive measures may inadvertently heighten exposure,” Chadenga cautioned.
Practical Mitigation: Awareness, Policy, and Controlled Flexibility
Chadenga detailed a three-phase framework successfully deployed by a major corporation to reconcile productivity with security:
1. Transparent Communication: Staff were informed that traffic to unsanctioned AI services is monitored, and leadership designated an official, organization-approved AI platform for business use.
2. Formalized Acceptable-Use Policy: A clear policy was established permitting only the sanctioned tool for work-related tasks involving company data.
3. Managed Access with Exception Pathways: Internal access to unauthorized AI tools was deactivated, but a formal request process was introduced. Employees needing additional capabilities—such as image generation not supported by the approved tool—could submit an approval form for security review.
“This method channels AI usage through monitored pathways while preserving operational efficiency,” Chadenga noted. “If we simply prohibit tools, users will devise more sophisticated workarounds.”
Adversaries Leverage AI; Defense Requires Layering
Chadenga affirmed that threat actors are integrating AI capabilities faster than many defenders can adapt. “Malicious actors focus exclusively on breaching systems. They need only succeed once. Meanwhile, organizations are still building governance frameworks,” he explained.
To address this imbalance, he advocates a “defense in depth” methodology: implementing multiple, overlapping security controls. “If an intruder bypasses your perimeter, additional layers—like internal monitoring, access restrictions, and encrypted storage—should still protect critical assets,” he said, using the analogy of a fence, guard dogs, locked doors, and a safe.
He emphasized that attackers using AI are pursuing familiar objectives—ransomware deployment, data exfiltration, operational disruption—but executing them with greater speed and sophistication.
Sector Collaboration and Inclusive Policy Design
Cross-industry information sharing is vital, Chadenga stressed. Events such as the IT Web Security Summit facilitate dialogue where organizations can exchange threat insights without disclosing proprietary operational details. “If one entity in a sector encounters a specific attack vector, sharing that intelligence helps the entire industry strengthen defenses,” he said.
He cited the banking sector’s SABRI collective as an effective model for sector-specific collaboration and urged expanding such forums to include public-sector institutions. “Security challenges affect everyone. We need discussions that welcome both private and public stakeholders, free from judgment or fear of reputational risk,” Chadenga added.
With South Africa advancing its national AI policy framework, Chadenga advised policymakers to prioritize inclusive consultation. “Regulators, cybersecurity practitioners, and daily technology users must collaborate. The goal is to safeguard data without impeding innovation,” he said. Effective policy should establish guardrails—not barriers—to enable secure, responsible AI adoption.
Three Priority Actions for Organizational Leaders
When asked what immediate steps CEOs, university leaders, or government department heads should take to mitigate Shadow AI risks, Chadenga proposed three actionable measures:
1. Discover*: Conduct an environmental audit to identify which AI tools employees are using. Existing security technologies can monitor and track data flows to external AI applications, providing visibility into unsanctioned usage.
2. Classify: Categorize organizational data by sensitivity level. Distinguish between internal team reports, executive-level documents, and competitively sensitive information. Classification enables risk-appropriate controls.
3. Policy Alignment: Develop AI usage policies mapped to data classification tiers. Permit sanctioned tools for lower-sensitivity tasks while requiring enhanced security protocols for high-risk data access. This approach enables targeted oversight without broadly restricting productivity.
“Governance becomes far more effective when organizations understand both what they are protecting and how tools are currently being utilized,” Chadenga concluded. “Discovery must always be the foundational step.”
As AI integration accelerates across African enterprises, experts emphasize that proactive, collaborative, and risk-proportionate governance—rather than blanket prohibition—offers the most sustainable path to harnessing innovation while preserving organizational integrity and public trust.



