The TL;DR:
A new survey from Nutanix, the 2026 Enterprise Cloud Index, puts a number on something most leaders have suspected but couldn't prove. Shadow AI isn't an edge case anymore. It's the default. 79% of IT leaders say they've encountered AI tools running inside their organization that were never approved, and more than two thirds of employees using AI at work are doing it on personal accounts instead of anything the company sanctioned.
The finding underneath that one is the part worth sitting with. 97% of IT decision makers see shadow AI as a significant risk. 91% of employees see little risk, no risk, or figure the reward is worth it either way.
That's not a story about reckless employees. It's a story about two groups inside the same company looking at the exact same behavior and seeing two completely different things.
Most leaders hear "shadow AI" and picture someone dodging the rules on purpose. That's rarely what's happening.
Your team isn't rebelling. They're just finishing the job faster than your policy can keep up.
The root cause is simple. When the approved tool is slower, clunkier, or doesn't exist yet, people don't wait around for procurement to catch up. They open whatever gets the task done and move on. That's what 79% of IT leaders are running into: not a security breakdown, but a gap between what's officially available and what people need to actually do their jobs.
The 57% number is where that gap turns expensive. That's not employees testing a new tool out of curiosity. That's real company information, the kind that shouldn't leave the building, going into products nobody vetted, with no idea where it's stored or who else can see it.
Here's the data point that reframes the whole conversation.
The "aha" isn't that employees are careless and IT is careful. It's that each side is looking at a different picture. IT sees the aggregate exposure, every unapproved tool, every account, every place company data could be sitting, added up across the whole organization. An employee sees one task, done faster, with no visible downside. Neither view is wrong. They're just measuring completely different things.
That's why a ban rarely works. It's aimed at a risk calculation almost nobody making the choice is actually running.
Here's the approach that closes the gap instead of just restating it.
Tier 1: Replace the Workaround, Don't Just Prohibit It
The Concept: People don't use unapproved tools because they enjoy the risk. They use them because the workaround is faster than the alternative, which is often nothing. Banning it without replacing it just pushes the same behavior further out of sight.
The Application: Pick one or two approved AI tools that are genuinely good enough to replace what people are already reaching for, and get them into people's hands fast. A tool like Cowork, set up with the right guardrails, gives teams a sanctioned option that's actually as fast as the workaround. Don't wait for a perfect rollout plan. An 80% solution live today beats a perfect one six months out.
Tier 2: Write the One-Page Version
The Concept: Most employees aren't ignoring a data policy. They've never seen one written for AI specifically. A 40-page acceptable-use document buried in a shared drive doesn't count as guidance if nobody reads it before the moment they need it.
The Application: Publish a single page. What's safe to paste into an AI tool, what isn't, and which tools are approved. Plain language, not legal language. Put it somewhere people will actually see it, not just somewhere it technically exists.
Tier 3: Make It a Conversation, Not a Crackdown
The Concept: Shadow AI usage changes month to month as new tools show up. A one-time policy announcement can't keep pace with that, but a recurring conversation can.
The Application: Build a short, regular check-in where you literally ask your team what they're using and why. That's how you find the next workaround before it becomes the next incident, and it signals that the goal is support, not surveillance.
Banning the tools instead of replacing them. A ban with no faster alternative doesn't remove the behavior, it just removes your visibility into it. People still find a way to get the work done. You just stop knowing how.
The fix: Every restriction needs a replacement in the same breath. If you're taking something away, hand people something that actually works instead.
Treating this as an IT problem to solve alone. The 97% versus 91% gap isn't a technology issue. It's a communication gap between leadership and the people doing the work. Handing the whole thing to IT to police guarantees it stays that way.
The fix: Leaders need to own this conversation directly with their teams, not delegate it to a department nobody on the floor talks to.
Waiting for a perfect policy before rolling anything out. While legal and IT spend months drafting the ideal governance document, your team keeps using whatever they already found. Every week of delay is another week of ungoverned data going somewhere you can't see.
The fix: Ship an imperfect, one-page version this week. Improve it as you learn what your team actually needs.
Before this survey, shadow AI was easy to write off as an IT hygiene problem. After it, the real story is clearer. It's a trust and communication gap between leadership and the people actually doing the work.
A better policy document doesn't close that gap. A better conversation does.
The companies making progress here aren't the ones with the strictest bans. They're the ones giving their teams a fast, approved path and treating AI adoption as a people decision, not just a tools decision. That's the whole idea behind Biggest Goal: implement AI in a way your team actually gets behind, instead of one they quietly work around.
If you want to stay ahead of stories like this one, Micah curates the AI News Brief every day. No hype, no fluff, just what's actually changing and what it means for how you run your team.
Subscribe at your.biggestgoal.ai
The TL;DR:
A new survey from Nutanix, the 2026 Enterprise Cloud Index, puts a number on something most leaders have suspected but couldn't prove. Shadow AI isn't an edge case anymore. It's the default. 79% of IT leaders say they've encountered AI tools running inside their organization that were never approved, and more than two thirds of employees using AI at work are doing it on personal accounts instead of anything the company sanctioned.
The finding underneath that one is the part worth sitting with. 97% of IT decision makers see shadow AI as a significant risk. 91% of employees see little risk, no risk, or figure the reward is worth it either way.
That's not a story about reckless employees. It's a story about two groups inside the same company looking at the exact same behavior and seeing two completely different things.
Most leaders hear "shadow AI" and picture someone dodging the rules on purpose. That's rarely what's happening.
Your team isn't rebelling. They're just finishing the job faster than your policy can keep up.
The root cause is simple. When the approved tool is slower, clunkier, or doesn't exist yet, people don't wait around for procurement to catch up. They open whatever gets the task done and move on. That's what 79% of IT leaders are running into: not a security breakdown, but a gap between what's officially available and what people need to actually do their jobs.
The 57% number is where that gap turns expensive. That's not employees testing a new tool out of curiosity. That's real company information, the kind that shouldn't leave the building, going into products nobody vetted, with no idea where it's stored or who else can see it.
Here's the data point that reframes the whole conversation.
The "aha" isn't that employees are careless and IT is careful. It's that each side is looking at a different picture. IT sees the aggregate exposure, every unapproved tool, every account, every place company data could be sitting, added up across the whole organization. An employee sees one task, done faster, with no visible downside. Neither view is wrong. They're just measuring completely different things.
That's why a ban rarely works. It's aimed at a risk calculation almost nobody making the choice is actually running.
Here's the approach that closes the gap instead of just restating it.
Tier 1: Replace the Workaround, Don't Just Prohibit It
The Concept: People don't use unapproved tools because they enjoy the risk. They use them because the workaround is faster than the alternative, which is often nothing. Banning it without replacing it just pushes the same behavior further out of sight.
The Application: Pick one or two approved AI tools that are genuinely good enough to replace what people are already reaching for, and get them into people's hands fast. A tool like Cowork, set up with the right guardrails, gives teams a sanctioned option that's actually as fast as the workaround. Don't wait for a perfect rollout plan. An 80% solution live today beats a perfect one six months out.
Tier 2: Write the One-Page Version
The Concept: Most employees aren't ignoring a data policy. They've never seen one written for AI specifically. A 40-page acceptable-use document buried in a shared drive doesn't count as guidance if nobody reads it before the moment they need it.
The Application: Publish a single page. What's safe to paste into an AI tool, what isn't, and which tools are approved. Plain language, not legal language. Put it somewhere people will actually see it, not just somewhere it technically exists.
Tier 3: Make It a Conversation, Not a Crackdown
The Concept: Shadow AI usage changes month to month as new tools show up. A one-time policy announcement can't keep pace with that, but a recurring conversation can.
The Application: Build a short, regular check-in where you literally ask your team what they're using and why. That's how you find the next workaround before it becomes the next incident, and it signals that the goal is support, not surveillance.
Banning the tools instead of replacing them. A ban with no faster alternative doesn't remove the behavior, it just removes your visibility into it. People still find a way to get the work done. You just stop knowing how.
The fix: Every restriction needs a replacement in the same breath. If you're taking something away, hand people something that actually works instead.
Treating this as an IT problem to solve alone. The 97% versus 91% gap isn't a technology issue. It's a communication gap between leadership and the people doing the work. Handing the whole thing to IT to police guarantees it stays that way.
The fix: Leaders need to own this conversation directly with their teams, not delegate it to a department nobody on the floor talks to.
Waiting for a perfect policy before rolling anything out. While legal and IT spend months drafting the ideal governance document, your team keeps using whatever they already found. Every week of delay is another week of ungoverned data going somewhere you can't see.
The fix: Ship an imperfect, one-page version this week. Improve it as you learn what your team actually needs.
Before this survey, shadow AI was easy to write off as an IT hygiene problem. After it, the real story is clearer. It's a trust and communication gap between leadership and the people actually doing the work.
A better policy document doesn't close that gap. A better conversation does.
The companies making progress here aren't the ones with the strictest bans. They're the ones giving their teams a fast, approved path and treating AI adoption as a people decision, not just a tools decision. That's the whole idea behind Biggest Goal: implement AI in a way your team actually gets behind, instead of one they quietly work around.
If you want to stay ahead of stories like this one, Micah curates the AI News Brief every day. No hype, no fluff, just what's actually changing and what it means for how you run your team.
Subscribe at your.biggestgoal.ai