EDPS warns Shadow AI creates hidden data protection risks
Shadow AI risks require cooperation between data protection, IT, security and business teams.
The European Data Protection Supervisor (EDPS) has warned that Shadow AI can create hidden data protection and breach risks when employees use unauthorised AI tools without organisational approval. The warning was published in a blog post by EDPS Wojciech Wiewiórowski on 15 June 2026.
The EDPS said Shadow AI can include tools such as generative AI chatbots, coding assistants and automated note-taking applications. While employees may use them as shortcuts to improve productivity, unauthorised AI tools can bypass data protection and security safeguards.
According to the EDPS, data entered into unapproved AI tools can fall into a regulatory and compliance blind spot. Unauthorised tools may lack formal agreements governing the legal basis for processing, data retention periods and safeguards for international data transfers.
The EDPS also warned that Shadow AI can create a transparency gap, making it difficult for organisations to determine where information is stored, how it is processed or whether it is used to train AI models. Such tools can also introduce security vulnerabilities, including automated meeting recorders joining meetings without oversight from IT security teams.
The blog post argues that organisations should address these risks directly rather than ignoring them or prohibiting AI tools outright. Instead, they should adopt proactive AI governance policies that define authorised AI use, establish data classification rules and set approval processes for new technologies.
The EDPS said policies should be backed by technical controls and monitoring, including blocking unapproved AI domains, enforcing data loss prevention rules and restricting the installation of unauthorised AI software. The EDPS also recommended that organisations provide approved AI platforms that are secure, compliant and capable of meeting employees’ operational needs.
The EDPS said reducing Shadow AI risks requires cooperation between data protection officers, IT departments, security teams and business functions. The aim, it said, is to protect data subject rights and institutional information while enabling responsible AI adoption.
Why does it matter?
Shadow AI turns everyday workplace AI use into a data protection and cybersecurity issue. Employees may use unauthorised tools to save time, but organisations can lose visibility over personal data, legal compliance, retention, international transfers and model training.
The warning also shows that responsible AI adoption depends on more than staff guidance. Organisations need approved AI tools, technical controls, monitoring and cooperation between data protection, IT, security and business teams to reduce breach risks without blocking useful innovation.