Approved AI tools and shadow AI
Not every AI tool is equal. Some have signed data-protection agreements with your company and keep your work private. Others train their public models on every prompt you send. Knowing which is which is the foundation of safe AI use.
The three tiers of AI tools
Sanctioned
Approved for company use, often with an enterprise contract that keeps your data out of training. Examples: your company-approved AI tool. Use these freely within policy.
Restricted
Allowed for specific tasks or specific data classifications only. Often these are public tools you can use for low-risk work — brainstorming, public-info summaries — but not for confidential data.
Forbidden
Tools not on the approved list. They may train on your inputs, store them indefinitely, or expose them to other users. Don't use them for anything related to work.
Shadow AI is the new shadow IT
When employees use unsanctioned AI tools to get work done faster, that's shadow AI. It feels harmless until a customer's data ends up in a model your company doesn't control.
If you wish a forbidden tool were approved, ask your security team. Don't just use it.
How to ask for a new tool
- Check the approved-tools list before you sign up for anything new.
- If the tool you want isn't there, submit a request through your IT or AI governance channel.
- Don't paste company data into a free trial just to see if it works.
- Browser extensions that add AI to other apps count as AI tools and need approval too.
Knowledge check
Your team has a deadline and your company-approved AI tool doesn't have a feature you need. A free public tool would do it in five minutes. What should you do?