Risk
Shadow AI Deployment
Description
AI systems or components are developed and/or deployed informally without official oversight, sanction, or adherence to governance policies.
Example
A marketing team uses a no-code AI platform to build a customer sentiment analyzer with company data, bypassing IT and security review.
Assets Affected
- Notebook
- Coding agent (config)
- Agentic platform (no code)
- AI platform
Mitigation
- Enforce clear AI governance policies and approval processes for any AI experimentation or deployment
- Promote awareness of AI policies
- Use discovery tools to identify unauthorized AI activities
Standards Mapping
- ISO 42001: A.3.2, A.2.2
- NIST AI RMF: GOVERN 1.3, GOVERN 4.3