Shadow AI: Is governance keeping up as staff adopt their own tools?
AI governance experts are finding themselves between a rock and a hard place after new survey results from Wolters Kluwer reveal that the use of “shadow AI” is reaching worrisome levels in the healthcare environment.
Clinicians and administrative staff alike are adopting their own set of unauthorized AI tools to make their workflows easier, the poll found, and may be circumventing governance boards to speed up processes and complete tasks according to how they see fit.
The survey says that 40% of respondents have encountered an unauthorized AI tool being used in their organizations, and close to one in 5 (17%) have personally used them.
This could indicate that the strong desire to leverage AI for efficiency is butting up against the need for solutions to go through a rigorous (but time consuming) vetting process to ensure that AI functionalities are secure, trustworthy, and appropriate for the use case at hand.
“Shadow AI isn’t just a technical issue; it’s a governance issue that may raise patient safety concerns,” said Yaw Fellin, Senior Vice President and General Manager, Clinical Decision Support and Provider Solutions, Wolters Kluwer Health. “Leaders must act now to close the policy gap around AI use, develop clear compliance guidelines, and ensure that only validated, secure, enterprise-ready AI tools are used in clinical care.”
Key findings from the survey
The poll of more than 500 clinicians and administrators exposed gaps in how different roles view and use shadow AI in their daily operations. Notable findings include:
Clinicians are more likely to experiment with shadow AI than administrative staff – Providers are significantly more likely to experiment with shadow AI out of a sense of curiosity, with 26% of providers saying they’ve tried an unauthorized tool just to learn about it compared to 10% of administrators.
However, administrators use AI tools more frequently – Whereas 37% of providers said that they “frequently” use AI to improve efficiency, 60% of administrative staff said the same – and a further 17% said they rely on AI for “most” aspects of their job. Administrative users were more likely to use AI for analyzing data and completing admin tasks, while providers skewed toward patient scheduling and engagement use cases.
Organizations are struggling to communicate around policies and governance – There are concerning gaps in communication when it comes to AI policies and governance procedures. Just over 40% of administrators believe that policies are being communicated clearly compared to a mere 30% of providers. The difference between the roles is notable, but the fact that less than half of employees overall are aware of the AI policies in place is perhaps even more of a red flag.
Policy making is centralized in the administrative sphere – The gap could be partially explained by the fact that providers are rarely involved in the policy-making process. While 30% of administrators say they’ve been part of the review, development, or updating of AI policies, only 9% of providers could say the same. The lack of participation from the clinical side of the house could be one reason why providers are less likely than their administrative peers to feel that privacy, security, compliance, and even patient safety are major issues that need to be addressed.
The risks of using unapproved AI in the healthcare setting
It might appear clever and enterprising for staff to get creative with AI tools that can make them more efficient, especially as the gospel of automation spreads among business leaders. But in healthcare more than anywhere, the risks of bringing unapproved AI into the ecosystem outweigh the benefits of quickly powering through to-do lists.
Misuse of AI has already rocketed to the top of the venerable ECRI Technology Hazards risk list due to the potential for bias, hallucinations, and inaccurate outputs. And when it comes to compliance, privacy and cybersecurity, shadow AI is a nightmare in the making.
Uploading sensitive data into AI systems is a recipe for a patient privacy disaster, and can also have implications around intellectual property disputes and other business issues.
And even more fundamentally, any time a user accesses an unauthorized system on the hospital network, it exposes the entire enterprise to an unmonitored threat vector that could turn into an open door for cybercriminals.
Data from a 2025 IBM report shows that the average cost of an AI-related data breach now tops $7.4 million, adding a very tangible component of risk to the equation.
When shadow AI turns into whack-a-mole for the governance committee
Unfortunately, governance panels are having an extremely hard time keeping up with users who are being pressured to do more with less, but feel like they aren’t being given the tools they need to make it happen fast enough.
Evaluating and thoroughly testing an AI solution takes time, and not everything that seems attractive and useful on the surface is going to make the grade when scrutinized by experts in compliance, security, safety, and trustworthiness.
When users circumvent this process and adopt their own tools, it turns governance leaders into the bad guys who are just creating roadblocks instead of actively helping users meet their goals.
This adversarial outlook can poison the process from the beginning, leading to conflicts within the organization and a lack of trust between those who are setting the policies and those who are being asked to abide by them.
In addition, it forces governance boards to waste scarce time and precious resources on hunting down and eliminating rogue AI usage, which furthers slows down their important work of architecting an effective AI infrastructure across the enterprise. With organizations already struggling to put basic governance in place, they simply cannot afford to divert their attention to stamping out shadow AI.
Helping governance keep pace with AI adoption so everyone wins
The solution for the mismatch between adoption and approval will require organizations to double down on their governance work, communicate more effectively with staff members, and invite ambitious users into the circle instead of keeping them out of it.
The first step, if not completed already, is to create a diverse and representative governance group that includes both clinical and administrative users, as well as representatives from legal, compliance, and cybersecurity. This group should be fully aligned with the organization’s overarching business goals and have a strong sense of any cultural challenges that might impede the communication and enforcement of policies across the user base.
Next, this governance board should evaluate existing solutions and identify areas where AI-enabled tools can truly make a difference in translating everyday workflow efficiencies into broader clinical, financial, or operational gains. Developing a repeatable, structured, and data-driven process for evaluating specific tools can help to speed up adoption of promising products and create transparency around decision-making to encourage trust and buy-in.
During these processes, leaders should work with champions from the clinical and administrative teams to develop and disseminate policies to maximize awareness and create a shared sense of accountability for sticking to the rules. Organizations might consider an AI amnesty period where users can voluntarily report their use of shadow AI and get advice on alternative options that have been greenlit by the governance committee.
Last but not least, governance must become an ongoing investment at the core of all technology adoption. By consistently providing education, awareness, and meaningful guardrails that help spur safe and effective AI use, organizations can avoid the proliferation of shadow AI and support their workforce in delivering fast, efficient, high-quality services.
Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry. Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system. She can be reached at [email protected].