Shadow AI in financial services: discovery without panic

Every regulated organisation we work with has shadow AI. Most of the discovery exercises we are asked to run start with the same question from the executive sponsor: we know it’s happening, but how bad is it?

The answer is almost always: less malicious than you fear, more widespread than your tooling shows, and concentrated in three or four roles where the productivity benefit is real and the work has been quietly redesigned around it.

How you run the discovery determines whether you get an honest answer or a clean answer. They are different things.

The three failure modes of a heavy-handed discovery

Before the method, the failure modes — because if you skip past these, the discovery produces a sanitised report that under-states the real exposure.

Tooling-first. Pulling DNS logs, CASB telemetry, and SaaS discovery reports first. This catches the managed devices, on the corporate network, hitting the known AI domains. It misses everything on personal phones, personal accounts, and the long tail of AI features embedded in tools you have already approved (Notion AI, Grammarly, Otter, Slack AI, the AI features in Atlassian).

Survey-first with attribution. Asking staff via a named survey what AI tools they use. The answer you get is the answer they think will not get them in trouble. The honest answer never appears.

Policy-first enforcement. Issuing a no personal AI accounts policy before the discovery. Now staff who were openly using AI to do their jobs will hide it. The exposure does not go down; the visibility does.

A staged discovery that produces an honest picture

The method we run, in order:

1. Anonymous productivity survey

Not an AI survey. A productivity tools survey, run anonymously, asking staff what they use to do their work, what helps, what gets in the way. AI tools come up naturally. Staff answer honestly because the framing is supportive, not investigative. Run this before anything else.

The point of this stage is calibration: which roles, which workflows, which kinds of tasks. Not to catch anyone.

2. Tooling sweep on managed devices

Now run the technical discovery — DNS, CASB, browser extension inventory, M365 service activity for embedded AI, Atlassian and Notion audit logs for AI feature use. This gives you the managed-side picture. Compare against the survey. The gap is the shadow AI on personal devices.

3. Targeted role-based interviews

Pick three or four roles where the survey suggested high AI use. Run forty-five minute structured interviews — not as a compliance exercise, as a workflow review. Ask them to walk you through how they actually do specific tasks. Use the language what tools help, including ones you might not be sure about.

You will hear about shared accounts, prompt libraries on personal Notion pages, GPT-4 subscriptions paid for personally and expensed as software. Write all of it down. Promise no enforcement until policy is settled — and keep that promise.

4. Customer-facing data review

Independent of staff interviews, sample customer-facing artifacts produced in the last 30 days — emails, file notes, reports, presentations. Read them with one question: does this read like a human wrote it, or like a model did? You are not trying to catch anyone. You are calibrating where AI is being used in customer correspondence so you can scope the privacy and supervision exposure.

5. Vendor and tool audit

Re-read the terms and admin settings of every SaaS tool already approved. Most have added AI features in the last twelve months, often default-on, often with separate data handling. The exposure here is real and frequently larger than the discovered shadow AI.

What you actually find

Across the engagements we have run, the pattern is consistent:

• Heavy use in three or four roles: contact centre, marketing, internal IT, sometimes underwriting analysts.
• Most of it is via personal ChatGPT or Claude accounts on personal phones — outside any corporate visibility.
• A small but real volume of customer information being pasted into personal accounts, almost always without malicious intent and almost always in roles where the staff member is overloaded.
• Substantial use of embedded AI features in already-approved SaaS tools, typically without anyone having reviewed the data handling.
• One or two cases of impressively elaborate workarounds — a finance analyst running a reconciliation flow through GPT-4 via a personal account, a contact centre lead with a Notion page of refined prompts shared with the team.

What to do with what you find

Discovery is the easy part. The harder part is the response, which has to be calibrated to the finding without destroying the underlying productivity gain.

The productive sequence:

1. Provide a sanctioned alternative within 30 days. Microsoft 365 Copilot, ChatGPT Enterprise, or Claude Enterprise — properly configured, with the data handling actually documented. The shortest path off shadow AI is a managed equivalent that does the same work.
2. Issue acceptable use guidance, not just a prohibition. What is OK, what is not, what to do if you are unsure. Specific examples beat principles.
3. Address the privacy exposure. Where customer information went into personal AI accounts, the Australian Privacy Principles (specifically APP 6 and APP 11) apply. This is a notifiable issue when the exposure is material; the assessment is fact-specific and should involve legal.
4. Do not punish the staff who used the tools. Punish the absence of a sanctioned alternative — which was a leadership failure, not an employee failure. Staff who used AI to keep up with their workload will respond well to being given a managed tool. They will respond badly to being disciplined for it.

The discovery work is the entry point to the governance work. Run it as an investigation and the governance will be ignored. Run it as a productivity review with an enforcement option held in reserve, and you will get the honest picture you need.

If the discovery is where you are stuck — particularly the customer-facing data review and the privacy exposure assessment — the posture assessment covers both as part of a fixed-fee engagement.