Roman Weishäupl – Speaker and Futurist

Shadow AI: From Threat to Asset

Employees are already using AI tools in their daily work — often without official approval. And perhaps that represents not only a risk, but also an overlooked opportunity for organizational learning.


Thomas was just trying to solve an Excel problem

Thomas works as a controller at a large company. Every month, he spends hours working through complex Excel files, adjusting formulas, preparing reports, and trying to consolidate data across multiple systems.

A few months ago, he started using his private ChatGPT account to help.

Not officially. Not because he wanted to break rules. But because he wanted to understand faster why certain formulas were failing and how repetitive tasks could be automated more efficiently.

So he began copying small snippets of spreadsheets into his private account, testing prompts, asking for help with VBA scripts, and suddenly saving hours of work.

Thomas is not alone.

Most companies are still discussing AI adoption. Their employees are already using it.


The numbers are bigger than many organizations realize

Several recent studies show that AI usage inside organizations is already widespread — often outside official processes.

Research suggests that between 70 and 80 percent of employees already use AI tools without formal approval. Many rely on private or free consumer accounts outside company infrastructure. A study by Software AG and Longitude also found that more than half of employees actively hide their AI usage from their employer.

Source: Software AG / Longitude – Shadow AI Report

Other studies reinforce the same pattern. According to Cyberhaven, sensitive company information is already being entered into public AI systems on a regular basis — often without the organization even knowing it.

Source: Cyberhaven – The Rise of Shadow AI

This means organizational learning is already happening — but often invisibly.

"Shadow AI doesn't disappear through prohibition. It simply disappears from visibility."

Why organizations become cautious

From a company perspective, this caution is understandable. Risks around data privacy, compliance, intellectual property, and uncontrolled data usage are very real. Especially in larger organizations, the natural reaction is to increase control, define processes, and tighten governance.

At the same time, this creates a difficult imbalance.

Risks are easy to describe early on. Security concerns and compliance violations feel concrete and measurable. The upside of new technologies, however, often remains vague at first because it only becomes visible through actual usage.

As a result, many organizations become cautious before they have even had the chance to understand what might be possible.

"Risks feel concrete. Opportunities often feel diffuse."

What is actually changing

The real shift is not only about the technology itself, but about how organizations learn to interact with it.

The pace at which new AI tools emerge is now so fast that traditional evaluation and decision-making processes can barely keep up. By the time an assessment is completed, the landscape has often already changed again.

This creates a deeper shift: understanding no longer emerges primarily through analysis, but increasingly through usage.

Organizations have experienced a similar transformation before in project management. Agile ways of working became important once companies accepted that outcomes cannot always be fully defined upfront. Learning became part of the process itself.

We are now seeing the same shift again — this time in the way organizations interact with tools.

Working agile with tools does not mean acting without structure. It means accepting that learning does not happen after decisions are made, but during the process itself.

"Agile project management accepted that we do not know the outcome at the beginning. Working agile with tools accepts that we do not know the value at the beginning."

The real problem with Shadow AI

The real problem with Shadow AI is not the use of AI itself.

The real problem is that learning happens invisibly.

Inside many organizations, employees are already experimenting with new tools, automating processes, and building experience. Not because they were officially asked to do so, but because they are curious and trying to find better ways of working.

In an earlier article, I called these people Digital Explorers.

These employees often operate between two worlds. On one side, they drive learning and innovation forward. On the other, they work outside existing structures because organizations have not yet created visible spaces for this kind of exploration.

And perhaps this is the real misunderstanding around Shadow AI.

The tension is not between innovation and security.

It is between visible and invisible learning.

Shadow AI – The biggest opportunities are happening out of sight

From control to safe learning environments

Perhaps the role of leadership is therefore not only to minimize risk.

Perhaps it is equally about making learning visible.

Organizations will not solve Shadow AI simply by trying to prevent every instance of AI usage. The real challenge is creating safe environments where exploration can happen openly.

This does not require less governance. Quite the opposite.

Organizations need clear guardrails, secure AI environments, transparent policies, and well-defined standards. At the same time, they also need spaces where employees can experiment, share experiences, and learn from each other.

Not every experiment will succeed. Not every use case will create value.

But this is exactly how organizational learning emerges.


What this could look like

Now imagine Thomas again.

This time, he is no longer experimenting through a private account in isolation. Instead, his company has created secure AI environments, defined clear guardrails, and opened spaces where experimentation is encouraged.

Thomas can openly share ideas, test small solutions, and discuss what works without worrying about violating policies.

And this is where the real value begins.

Because Thomas's learning no longer stays with Thomas. Other teams begin to see what works. Best practices emerge. New workflows spread more quickly across the organization.

Individual experimentation turns into collective learning.

What was previously invisible and isolated suddenly becomes an organizational asset.

Perhaps one of the most important opportunities in AI is not centrally controlling every idea, but making decentralized exploration visible and usable across the organization.


Conclusion

Shadow AI is not only a security or governance issue. Often, it is a signal. A sign that people inside organizations are already learning while processes are still trying to catch up.

The real question may therefore not be how organizations prevent Shadow AI.

But how they bring it out of the shadows and into the light.

Because the moment individual learning becomes visible, organizational learning can begin.

And that may become one of the most important leadership challenges of the coming years.

What particularly interests me is how you or your organizations are currently dealing with Shadow AI. Is the response mainly additional control and governance? Or are visible learning spaces already starting to emerge?

I have the feeling that some of the most interesting experiences in organizations are happening quietly, below the surface. What interests me most is not the perfect AI strategy on paper, but the reality of everyday work: how employees actually use new tools, how leadership reacts, and what tensions emerge along the way.

If you have experiences with Shadow AI — as a leader, employee, or Digital Explorer — I would genuinely love to hear your perspective, examples, or concrete cases. Off-the-record conversations are very welcome.

If you're curious about how organizations can build safe learning environments for AI in practice, let's talk.