Shadow AI in Organisations: A Practical Framework for Detection, Risk Classification, and Governance

Shadow AI—the unsanctioned use of artificial intelligence tools, models, or services within organisational processes—introduces governance, security, and privacy risks that extend beyond traditional shadow IT. This communication proposes a practical framework to (i) define and classify shadow AI use cases, (ii) detect shadow AI activity through multi-layer technical signals, and (iii) govern risk through an obligations-to-evidence mapping that supports compliance and auditability. The framework aims to balance innovation and productivity with proportionate controls, offering clear remediation paths (block, replace, or regularise with evidence). We also outline a validation plan based on a PRISMA-informed literature review and triangulation (expert feedback, case studies, and survey) to support subsequent empirical evaluation.
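The abstract names three framework stages (detection through multi-layer signals, risk classification, and an obligations-to-evidence mapping that drives the block / replace / regularise decision) without showing how they fit together operationally. The following Python is an added illustration, not code from the paper or its authors: it triages constructed proxy log lines with a network signal (known AI-service hostnames), a DLP signal (a data-classification tag) and a volume signal (bulk uploads), assigns a risk tier, and attaches the evidence a regularised use case would need. The log format, hostnames, DLP tags, replacement table and obligation list are all assumptions made for the example.

```python
"""Added example (not the paper's own code): toy shadow-AI triage over
constructed proxy log lines. Every hostname, tag and obligation below is an
assumption for illustration, not a value taken from the paper."""
import re
from dataclasses import dataclass

# Assumption: the one AI service the organisation has sanctioned.
SANCTIONED_AI_HOSTS = {"assistant.corp.example"}
# Assumption: network-layer signal -- hostnames of unsanctioned AI services
# (constructed names, not real vendors). Group 2 captures the service label.
AI_HOST_RE = re.compile(r"(^|\.)(chatbot-a|llm-api-b|codegen-c)\.example$")
# Assumption: services for which a sanctioned equivalent exists ("replace" path).
REPLACEMENTS = {"chatbot-a": "assistant.corp.example",
                "codegen-c": "assistant.corp.example"}
# Assumption: DLP/endpoint-layer tags that mark sensitive outbound content.
SENSITIVE_TAGS = {"pii", "confidential", "source-code"}
# Assumption: obligations a regularised use case must evidence (the
# obligations-to-evidence mapping the abstract describes, in toy form).
OBLIGATIONS_TO_EVIDENCE = {
    "purpose-and-ownership": "named business owner and purpose statement",
    "data-protection": "DPIA or data-classification sign-off",
    "vendor-terms": "reviewed terms of service / data-processing agreement",
    "access-control": "SSO enrolment and approved user list",
}
BULK_UPLOAD_BYTES = 100_000  # assumption: threshold for the volume signal

# Constructed log format: <timestamp> <user> <host> <method> <bytes_out> <dlp_tag>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<method>[A-Z]+) "
    r"(?P<bytes_out>\d+) (?P<dlp>\S+)$")

# Constructed sample proxy log (not real traffic).
SAMPLE_PROXY_LOG = """\
2024-05-01T09:02:11Z alice assistant.corp.example POST 2048 none
2024-05-01T09:05:40Z bob chat.chatbot-a.example POST 4096 pii
2024-05-01T09:06:02Z bob chat.chatbot-a.example GET 512 none
2024-05-01T09:10:17Z carol api.llm-api-b.example POST 250000 none
2024-05-01T09:12:33Z dave intranet.corp.example GET 1024 none
2024-05-01T09:15:00Z erin codegen-c.example POST 8192 none
"""

RISK_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Finding:
    user: str
    host: str
    risk: str
    action: str
    signals: tuple
    evidence_required: tuple


def parse(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def classify(rec):
    """Return a Finding for unsanctioned AI traffic, or None if not shadow AI."""
    host = rec["host"]
    if host in SANCTIONED_AI_HOSTS:
        return None
    m = AI_HOST_RE.search(host)
    if not m:
        return None
    service = m.group(2)
    signals = ["network:ai-service-host"]
    sensitive = rec["dlp"] in SENSITIVE_TAGS
    if sensitive:
        signals.append("dlp:" + rec["dlp"])
    if rec["method"] in ("POST", "PUT") and rec["bytes_out"] >= BULK_UPLOAD_BYTES:
        signals.append("volume:bulk-upload")
    # Remediation path: block sensitive flows, replace where a sanctioned
    # equivalent exists, otherwise regularise with evidence.
    if sensitive:
        risk, action = "high", "block"
    elif service in REPLACEMENTS:
        risk, action = "medium", "replace with " + REPLACEMENTS[service]
    else:
        risk, action = "low", "regularise"
    evidence = tuple(OBLIGATIONS_TO_EVIDENCE.values()) if action == "regularise" else ()
    return Finding(rec["user"], host, risk, action, tuple(signals), evidence)


def triage(lines):
    """One finding per (user, host), keeping the highest-risk classification."""
    best = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        f = classify(rec)
        if f is None:
            continue
        key = (f.user, f.host)
        if key not in best or RISK_RANK[f.risk] > RISK_RANK[best[key].risk]:
            best[key] = f
    return sorted(best.values(), key=lambda f: (-RISK_RANK[f.risk], f.user))


if __name__ == "__main__":
    for f in triage(SAMPLE_PROXY_LOG.splitlines()):
        print(f"{f.risk:6} {f.user:6} {f.host:28} {f.action} signals={f.signals}")
```

The ordering of the branches in `classify` is the policy decision the abstract leaves to the organisation: here sensitivity dominates (a sanctioned alternative does not make an already-leaked record safe), and the evidence list is only attached to the "regularise" path because that is the one outcome that keeps the tool in use and so must be auditable.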
