Employees have long found ways to use software tools to get the job done, even when those tools are not approved. It’s called Shadow IT, but ever since generative Artificial Intelligence hit the scene in 2022, employees have adopted a new version: Shadow AI. The company approves Microsoft Co-Pilot, but employees opt to use their smartphones or personal laptops, along with their personal accounts with ChatGPT, Gemini, Claude, Midjourney, or whatever best suits their needs.

For most companies, this is a problem that needs to be addressed through repeated policy announcements and vigorous crackdowns. One company, though, took a different approach. In this short, midweek FIR episode, Neville and Shel outline what the company did and how communicators might advocate for a version of this approach to aiding in AI adoption and speeding up productivity gains.

Links from this episode:

The next monthly, long-form episode of FIR will drop on Monday, April 27.

We host a Communicators Zoom Chat most Thursdays at 1 p.m. ET. To obtain the credentials needed to participate, contact Shel or Neville directly, request them in our Facebook group, or email [email protected].

Special thanks to Jay Moonah for the opening and closing music.

You can find the stories from which Shel’s FIR content is selected at Shel’s Link Blog. You can catch up with both co-hosts on Neville’s blog and Shel’s blog.

Disclaimer: The opinions expressed in this podcast are Shel’s and Neville’s and do not reflect the views of their employers and/or clients.

Raw Transcript

Shel Holtz: Hi everybody, and welcome to episode number 510 of For Immediate Release. I’m Shel Holtz.

Neville Hobson: And I’m Neville Hobson. There’s a quiet tension playing out inside many organizations right now. On one side you have leadership teams, IT, legal, and compliance, all trying to put structure, governance, and control around how artificial intelligence is used at work. On the other side you have employees who’ve already moved on. They’re not waiting for official tools. They’re not sitting through pilot programs. They’re not asking permission. They’re opening ChatGPT on their phones. They’re using Claude in a browser tab. They’re experimenting quietly, often invisibly, finding ways to make their work faster, easier, and sometimes better. And in many organizations, this shadow AI behavior is still being treated as a problem — something to restrict, monitor, or shut down. It’s a topic Shel and I discussed on this very podcast in episode 419 nearly two years ago, and it hasn’t gone away.

Neville Hobson: In fact, recent data suggests it’s accelerating. A study last November by Blackfog and Sapio Research found that nearly half of employees surveyed in the UK and US are using unsanctioned AI tools. Even more striking, 60% said they would take security risks with those tools if it meant meeting a deadline. So this isn’t fringe behavior — it’s become normal. An article in the Harvard Business Review this month argues that instead of treating unauthorized AI use as a compliance issue, organizations should see it as a signal — a sign that people are already finding value in these tools, even if the organization hasn’t caught up. We’ll explore that idea in just a moment.

Neville Hobson: The article calls this the hidden demand for AI inside your company. And when you look at it through that lens, the picture changes quite dramatically. Because instead of asking, “How do we stop this?” you start asking, “What are we missing?” The piece goes further than theory. It looks at what one organization actually did when it recognized this dynamic: BBVA, a Spanish multinational financial services company with more than 125,000 employees. Rather than clamping down on shadow AI use, they moved quickly to provide a secure enterprise environment. But more importantly, they didn’t try to control everything from the center. They took a different approach. They identified and empowered what they call “champions” and “wizards” — the people already experimenting, already curious, already building things. They created a network, a community of practice, a way for ideas, use cases, and practical solutions to spread peer to peer across the organization.

Neville Hobson: And the results, at least as reported, are striking: thousands of employees actively using AI tools, thousands of internally created applications, and measurable time savings of hours per person every week. But perhaps the most interesting part isn’t the numbers — it’s the philosophy behind it. The idea that successful AI adoption doesn’t start with a perfectly designed top-down strategy. It starts by recognizing that innovation is already happening, just not where leadership expects it. So the question becomes: do you try to control that energy, or do you find a way to harness it? And that opens up a much broader conversation, one that goes well beyond technology. It touches on leadership, trust, and culture — on how change actually happens inside organizations. And, importantly for communicators, on how you surface, legitimize, and guide behavior that may already be happening under the radar.

Neville Hobson: Because if employees are already using these tools — and most evidence suggests they are — then silence or restriction alone isn’t really a strategy; it’s a gap. So in this conversation, we want to explore that gap. What shadow AI really tells us about organizations today, whether the BBVA approach is something others can realistically replicate, and where the risks still sit, because they have not disappeared. And we should be clear: BBVA may be an outlier. It’s a highly data-mature organization with strong leadership alignment. Many organizations don’t have that foundation. So the question isn’t just whether this works — it’s whether it can work anywhere else. And what that means for the future of work, and for the role communicators play in shaping that future. Shel?

Shel Holtz: Well, a few thoughts, starting with the fact that BBVA has the financial resources to provide a secure environment for those tools that employees are using. There are many organizations whose IT budgets are razor thin and don’t have those resources, so they would need to figure something else out. But I think there’s a caution here worth raising. The numbers from Blackfog are real, even if the framing from the Harvard Business Review is optimistic: 34% of employees using free versions of tools when paid, approved versions exist; 58% of unsanctioned users on free tiers with no enterprise protections. The reframing from threat to signal doesn’t eliminate the exfiltration risk — it reframes how we need to respond to it.

Shel Holtz: Communicators should be careful not to let the BBVA-style narrative become an excuse to ignore governance. The right frame is: harness the demand, don’t suppress it, and build the governance at the same time. Employees using unsanctioned tools and putting secure data and company information into them — that’s a governance risk, and I don’t think we can ignore it. I mean, I think what BBVA did is great, and I think they baked it into some governance while looking at a new approach they could afford to take. But for many organizations, governance is still a requirement.

Neville Hobson: Well, I agree. It’s important and it’s not to ignore by any means. I think, Shel, you fleshed out a little bit the survey that I mentioned, which is actually useful to have that level of detail. But the big question for me is: if this is the picture in many organizations, according to that survey — compared to data previously — this is getting worse, or rather, it’s happening more frequently. People are just going ahead and using what works for them as opposed to what’s the official thing. What is that a symptom of? Maybe a lack of trust? It’s probably a mix of things. And to me, the communicator’s role here seems to be to try and help people on the one hand understand what the tools can do for them, and on the other hand to help the organization understand that we need to address this issue. People aren’t using the approved ones. They’re doing stuff on their own, and that isn’t good.

Neville Hobson: You mentioned security risks. The Harvard article goes into some detail about that, as indeed do the people who conducted that survey. You can just picture the severe risk. We’ve seen examples in recent months of organizations that have suffered from unauthorized use of unapproved software tools — not necessarily generative AI tools, but software certainly. And it’s a big deal. So the question — do you try to control all this and look at ways to stop it? — we asked this very question two years ago in our conversation, and we could probably just insert the recording from then and replay the answer. But let’s talk about it. I don’t think they should try and stop it personally. That’s a fail. There’s no win in that at all, certainly not for the organization. So how would communicators go about that, do you think?

Shel Holtz: Well, I’m not suggesting that organizations crack down on this and become Big Brother, looking at the tools that people are using, especially when they’re using them on their personal phones or personal laptops. But there are definitely things communicators can do. The first is to surface and amplify the internal use cases — not just the fact that people are using these tools, but what they’re using them for. When the security people and the legal people find out that this is actually driving effective work product from these employees, I think there might be more appetite for figuring out a way to bake this into the governance documents and policies the organization has established.

Shel Holtz: And I think giving employees permission narratives — telling them it’s safe to experiment, letting them know how to do it, and suggesting where the guardrails are — matters. So if you are using shadow AI, here are the things to be careful about. Let them know what the risks are and how to avoid falling into those traps. Communicators can also translate the IT and legal guardrails into plain language that doesn’t read as prohibition, because prohibition just leads to negative thoughts from employees about the organization, and then they’ll just continue using what they’re using. And then there’s collecting and routing the demand signal back to leadership. Why are employees using these when there are approved tools around? What are the advantages? So that leadership can make investment decisions that match the patterns of usage employees are actually engaged in. There’s a lot of work here for communicators that goes beyond simply saying, “Don’t do this.”

Neville Hobson: Agreed. And in fact, you can learn from much of what BBVA did, even if you’re not an organization with that established foundation and 125,000 employees. They did things most companies aren’t going to be able to do. For instance, they reached an agreement with OpenAI and deployed a customized version of ChatGPT Enterprise in a secured, exclusive cloud just for the company. The reasoning is interesting. What the Harvard Business Review report says is that the strategic decision was clear: it was more dangerous to have unmanaged, hidden AI usage than to rapidly deploy a managed, secure solution that aligns with existing needs. Most companies aren’t going to be able to do that. So it comes back to perhaps what you’ve just proposed — explaining it to people, the pros and cons, the risks, and so forth.

Neville Hobson: But I think you need more than that, too. Otherwise, you’re going to have significant numbers of people who will ignore it and just go ahead anyway with what they’ve been doing. So maybe elements of what BBVA did — for instance, the network of internal champions and expert wizards to spread knowledge, rather than the formal top-down communication you might expect. You’d have people within the organization who are knowledgeable, who have a history of responsible use themselves, who can help explain to others and help them replicate that. You end up, I think, with steps toward broad compliance that everyone can buy into. That would be helpful, because I can see that the idea of anyone in an organization of whatever size just doing their own thing with whatever tool they like is not a good idea at all.

Neville Hobson: And that isn’t unique to this. We’ve had that kind of conversation in decades past about software. I remember when Hotmail first came out, and when Microsoft Network first came out, the arguments in organizations — and indeed the one I worked for at the time — was, “You’re not allowed to use this on your company laptop, so use it on your own,” stuff like that. That’s definitely not a good thing. So you need to act to address issues like that so that people trust you and respect you and are willing to follow a restriction — or a behavior change, if you like — that would help. It’s interesting, the learning you can get from BBVA’s example, even though you’re not an organization that size with a budget to match. It’s a lot about education. It’s trusting employees, absolutely, as you pointed out, Shel. But I think that’s a two-way street. You need to have a quid pro quo: if you have these freedoms to use whatever you want, you need to do it responsibly. Share your learnings with others in the organization. Things like that. To me, that seems like a really good place to communicate.

Shel Holtz: Yeah, there’s communication happening at BBVA. They have 11,000 active users and 4,800 custom tools being used by those folks. That didn’t happen because the communications department posted an article about them. This was peers talking to their peers about what was working. It validates something you and I have been talking about for years, which is that authentic, lateral, employee-to-employee storytelling beats top-down cascades every time.

Neville Hobson: Precisely.

Shel Holtz: But it is communication. And why wouldn’t that be something the internal communications department jumped on and helped to facilitate — providing the channels for that, rather than the sneakernet that’s probably happening now? And also, because they’re engaged and trying to keep this from happening below the surface, they’re in a position to identify the use cases worth taking to leadership. The Blackfog survey you referenced found that almost 70% of C-suite executives believe speed is more important than privacy or security. So if people are getting things done faster — if you can demonstrate that there actually is productivity improvement happening, and it’s because of the tools employees are using that aren’t approved — I think that’s motivation for leadership to look at either approving those tools or finding ways to allow people to use their own accounts while protecting the integrity of their data.

Neville Hobson: Yeah. The results the Harvard Business Review reports from BBVA are worth noting, even though the scale isn’t what many companies would experience. They talk about 80% of usage of the system they set up coming through direct chat prompting, and the remaining 20% through employee-created GPTs. Now, this is not shadow AI — it was part of the rollout of what they did. But these numbers are quite impressive. Over 83% of employees now use the system every week, averaging 50 prompts per week. That’s above comparable enterprise deployments, says the review, quoting OpenAI. Users report average time savings of two to five hours per week — a number worth noting. More than 4,800 custom GPTs have been created internally, and they’re used three times more frequently than the enterprise average. So they’re ahead of the game in that regard. The article goes into more detail about which departments are more active than others, and so forth.

Neville Hobson: It also prompted a thought in my mind: the other surveys I’ve seen and other reporting on the resistance from leadership in organizations — that isn’t minor. It’s not a little thing. It happens, unfortunately, too frequently. I’m thinking of keystroke logging on employee usage, auditing computers surreptitiously and covertly without telling them, watching which apps they’ve installed — and indeed, probably more common, your company laptop refusing to install things that aren’t on an approved list, or reporting to IT that you tried to install stuff. This is a dreadful situation in organizations. It’s common, but we’re going to see more of it, I think, because that seems to be the way of the world these days on distrust. This is a diminished-trust environment we’re talking about. So in all of that, where do we sit in terms of enabling stuff like this? We can see the advantages of allowing employees to use tools like this. I think the better way is to try to do something within the framework of the organization — not, “Oh sure, go ahead and use ChatGPT whenever you want on any device, no big deal.” I wouldn’t be keen on that. I wouldn’t stop it, but I would look at ways of weaning people off that approach. We have to help them and encourage them to do this. And that, I suspect, is a hard task for communicators — to persuade leadership to do that if the climate in an organization is resistant to it anyway.

Shel Holtz: Well, I think it is a hard sell to leadership, but we have data. We’re supposed to be engaging in two-way communication and facilitating two-way communication. One of the roles of internal comms is listening. And it doesn’t have to be through direct information that you get from people through focus groups or surveys — it could be this Blackfog survey. When 49% of employees are using unsanctioned tools, and 63% think that’s fine as long as there’s no approved option for what they want to do, you may look at that as rogue behavior, but you can also look at it as market research. And communicators are the people in the best position to translate that data into something actionable for leadership. You take that to leadership and say, “Look, this is what’s happening. We’re the ones who can interpret what the behavior means and pass that along to leadership.”

Shel Holtz: I think part of our role is that listening through the data that’s already out there — and maybe what we can determine is going on in our own organizations — and taking that to leadership and saying, “Look, this isn’t going to go away if you crack down on it. It’s not going to go away if you block installation on company laptops. People have their own phones. People have their own laptops and tablets. This is going to continue.” And this isn’t new. I mean, this goes back to the earliest days of computers. I think I’ve mentioned this once or twice on the show, but I needed to produce charts and graphs in the mid-‘80s, and I wanted to use Harvard Graphics because somebody had shown it to me and it was what worked, and the company had a different program that was terrible. So I just used Harvard Graphics. I bought my own copy and installed it. There were no blocks back then — you put the floppy disks in the drives and it installed. People are going to do what they need to do to get the job done. Maybe some will pay attention to what the official rules are, but I think the governance needs to be flexible enough to adapt to this. I applaud BBVA for what they did. Again, I don’t think every organization is in a position to replicate it, but I think you can take lessons from what they did.

Neville Hobson: You can. Not everyone can roll out what they rolled out — enterprise licenses and so forth — but some of the things they went about, and how they went about them, definitely. One thing the review article points out quite strongly — a very, very good thing — is that they say, toward the end of their conclusions, that in whatever you do, there must be a hard human-in-the-loop rule. Human employees should always own the work. There should not be direct writes to core systems. Internal GPTs need quality scores and guardrails. They specify scope and context, include samples, and so on. This is simple, scalable, and non-bureaucratic.

Neville Hobson: So that’s something that kind of ties back into this emerging phrase — if it’s even emerging — of human-centered AI. Let’s look carefully at this. It’s about people first, technology second, and the human needs to be in the loop. The “hard human,” as the review calls it — I interpret that as meaning someone who’s actually cognizant, aware, and able to act upon things that matter, to keep humans in the loop, to own the work, not the technology. You’ve got to think about things like that. And I think for communicators, that’s an important aspect of what they do — having in mind that element that is about the people first. So when you’re trying to persuade leaders to take a course of action you’re recommending, this needs to be in your mind too: that the humans need to be in control.

Neville Hobson: I have to say, this is great. I love stories and examples like this. I love them more than the ones that talk about disasters, although those are useful to know about as well. Yet I feel, as communicators, we have a constant, constant task on our hands to explain this to people in organizations, to help others understand. I think this is a good example — the shadow AI element. For me, if I were actively involved in an organization as the communications person, I’d be looking at: how do I persuade people not to do that? How do I persuade people to use the approved stuff? But at the same time, how do I persuade the leaders to make sure they offer employees stuff that actually works, that’s in line with their expectations, all that kind of stuff? There’s a bit of a job on their hands. And if budgets get in the way, then you’ve got an even harder job. But hey, that’s what we’re here for. That’s part of what we have to do.

Neville Hobson: These are good examples you can learn from. There are elements you could start on. And I think, like most things, Shel, you need to say, “OK, fine — this idea has a dozen constituent elements, and let’s just start with two.” So you don’t try to think, “Oh my god, this is a massive project. How on earth can we do this?” You look at just a couple of things. I like another point the Harvard Business Review makes: ensure that managers know what they’re doing. You can’t expect managers to be persuasive in encouraging others to use AI if they’re not good at it themselves. So there’s another element — you need to train them well, says the Harvard Review. At a minimum, they should learn how to write staffing notes, sensitive communications, and KPI reviews with AI help. So there are some things you could do straight away as a communicator in an organization. I’d say: good luck and godspeed, and it’ll all work out in the end.

Shel Holtz: Yeah, a manager’s role in all of this is probably an episode in its own right. I would just reiterate the point you made about the human in the loop. This is a governance element that should be overarching — not applying just to shadow AI, but to all use of AI in the organization. It should be a primary consideration in governance, not to turn things over to AI. Otherwise, you end up with fake citations going out to clients that paid a million dollars for your work — another little slap on Deloitte’s wrists. And that will be a 30 for this episode of For Immediate Release.

The post FIR #510: Should Companies Embrace Shadow AI? appeared first on FIR Podcast Network.