The article explains that “shadow IT” (unsanctioned hardware/software/cloud services used without IT’s knowledge) is now being joined by “shadow AI”—unauthorized AI tools, agents, or platforms that bypass policy and oversight. In industrial environments, the risk is amplified by IT/OT convergence: once systems that were historically separated become connected, shadow tools quietly expand the attack surface and can create a single point of failure. The author also highlights non-technical risk: shadow AI can trigger legal and compliance issues (e.g., copyright, data exposure), operational risk (hallucinations or deceptive outputs), and reputational damage—often without defenders even knowing the tool exists.

It then focuses on why people do this and what to do about it. Workers may route around official tooling due to “AI resentment” and autonomy concerns, or because they feel under-trained and under-guided—yet still use AI anyway. The recommended response is a mix of governance and pragmatism: make approvals fast and visible (so users have a safe path), increase visibility with automated monitoring, create a reporting framework that informs decisions rather than punishes, use lifecycle/contract management to control vendors and renewals, and harden the underlying IT/supply-chain foundations because human error and tool sprawl are inevitable.

Source: https://gca.isa.org/blog/managing-shadow-ai-and-it-in-industrial-settings