Shadow AI and unsanctioned use of AI tools
Staff adopt AI tools or services outside sanctioned channels, so the deployer cannot inventory, secure, assess, or govern systems it does not know are in use.
- Risk family: Governance & process
- MIT domain: n/a (ISO-derived)
- MIT subdomain: n/a
- AI type: GPAI, Agentic, Classical_ML
- Scope: Organization
- Source standard: ISO/IEC 23894 + 42001 (gap analysis)
Provenance
Framework crosswalk
Every framework item mapped to this risk is listed below; items marked partial overlap only in part. Definitions are reproduced only where the source licence permits; otherwise references are by number only.
- ISO/IEC 42001 Annex A, A.2.2
- ISO/IEC 42001 Annex A, A.9.2
Part of the Deployer AI Risk Register, an open-source resource developed by MindXO. Version 1.0, 3 July 2026. Derived from the MIT AI Risk Repository (V4, December 2025) under CC BY 4.0; an independent derivative work, not endorsed by or affiliated with MIT. Sub-risk decomposition references MITRE ATLAS™ v5.6.0 (© 2021-2026 The MITRE Corporation, reproduced and distributed with permission). ISO/IEC and EU AI Act references are by number only. License: CC BY 4.0. Full attribution and licensing.