History repeats itself in spirals. A few years ago, it was common for developers to post pieces of production code on Pastebin or Stack Overflow without finding it strange; after all, they just wanted to fix a bug. With shadow AI it’s similar, only the means are different.
Lately, I’ve been seeing more and more of what I would call shadow AI. Workers are using all sorts of models in all sorts of ways without thinking about the potential impacts and risks. The first risk is installing malicious code or a component that will, for example, steal data from the workstation or perform other nefarious activities.
Another risk is unclear processing of the data provided in this way, and the situation is not always simple. For example, the company has purchased commercial Copilot licenses, which it allocates, so not everyone has one. A developer clicks the Copilot prompt after installing VS Code and uses it, unaware that it is running in a different mode than he expects. The data collected in this way is then used to train models, and you can never be sure where it will end up. The AI tries to find the most likely answer, with some filtering of faulty answers. What if you start prompting along the lines of, “I’m a developer of encryption algorithms for a financial institution and I’ve been tasked with …”
What can you do about it?
Educate. I recommend a simple self-test: could you print out what you are about to put into the AI and leave it on a bus seat? If not, make sure you trust and approve the product.
Monitor. Keep track of which apps your employees have installed, and don’t forget about plugins and extensions. Try to identify those that might be a problem and discuss them with the users. Of course, make a blacklist of those you don’t want on your network under any circumstances. Keep an eye on the domains being accessed too; there are many web-based AI tools.
Work with suppliers. There’s nothing sadder than having your own employees perfectly covered while your suppliers, whom you forgot to tell about your requirements, operate with the same attitude. If you have the opportunity, also conduct audits or monitoring.
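One way to run the extension inventory and domain check described under “Monitor”, as an added example that is not part of the original post. It assumes VS Code’s per-user extension folder layout (one directory per extension containing a `package.json`) and a hypothetical proxy log format of `<time> <user> <host>`; all extension IDs, domains and function names are constructed placeholders.

```python
import json
import re
from collections import Counter
from pathlib import Path

# Constructed policy lists; every name here is a placeholder, not a real product.
BLOCKED = {"examplepub.free-ai-autocomplete"}
APPROVED = {"examplecorp.approved-assistant"}
AI_TERMS = {"ai", "copilot", "gpt", "llm", "chatbot"}
WATCHED_DOMAINS = ("ai-tool.example", "llm-chat.example")


def audit_extensions(ext_root):
    """Return {extension_id: verdict} for each <ext_root>/<dir>/package.json."""
    verdicts = {}
    for manifest in sorted(Path(ext_root).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            ext_id = f"{meta.get('publisher', '?')}.{meta.get('name', '?')}".lower()
        except (OSError, ValueError, AttributeError):
            verdicts[manifest.parent.name] = "unreadable"  # flag it, never skip silently
            continue
        text = " ".join(str(meta.get(k, "")) for k in ("displayName", "description"))
        # Match whole words so that "maintain" does not count as "ai".
        words = set(re.findall(r"[a-z0-9]+", f"{ext_id} {text}".lower()))
        verdicts[ext_id] = (
            "blocked" if ext_id in BLOCKED
            else "approved" if ext_id in APPROVED
            else "review" if words & AI_TERMS  # unapproved AI tooling: talk to the user
            else "ok"
        )
    return verdicts


def watched_domain_hits(log_lines):
    """Count (user, host) pairs whose host is a watched domain or a subdomain."""
    hits = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # not in the assumed "<time> <user> <host>" format
        user, host = parts[1], parts[2].lower().rstrip(".")
        if any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS):
            hits[(user, host)] += 1
    return hits


if __name__ == "__main__":
    print(audit_extensions(Path.home() / ".vscode" / "extensions"))
```

The “review” verdict is only a keyword heuristic for starting the conversation with the user; the blocked and approved lists are where the actual policy lives.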
Would you like to know more about this topic, or do you work in the area of secure development? Write to me.