The New Shadow IT – A practical guide for Australian business owners
Your staff are almost certainly using AI tools you don’t know about. This guide explains what “shadow AI” is, why it matters for small and medium businesses in Australia, the legal and security risks it creates, and a practical, non-technical plan for getting it under control.
What “shadow AI” actually means
A decade ago, IT teams worried about shadow IT: staff signing up for Dropbox, using personal Gmail for work, or installing apps that never passed through any approval process. The tools were convenient, the intentions were good, and the security holes were enormous.
Shadow AI is the same story with a faster engine. It is the use of AI tools – ChatGPT, Claude, Copilot, Gemini, plus hundreds of niche transcription, coding and “productivity assistant” apps – without your business’s knowledge, approval or oversight. An employee pastes a client contract into a free chatbot to summarise it. A developer drops proprietary code into an AI assistant to debug it. A bookkeeper uploads a spreadsheet of customer data to generate a report. None of it is malicious. All of it is invisible to you.
The difference from old-school shadow IT is speed and reach. These tools are free, require no installation and deliver results in seconds, so adoption happens quietly and almost universally before any policy exists to govern it.
This is already happening in your business
The scale is larger than most owners assume. Research across 2025-26 found that roughly 98% of organisations have employees using unsanctioned AI tools, and around three-quarters of businesses now have active “bring your own AI” usage among staff. Verizon’s 2026 Data Breach Investigations Report recorded that shadow AI detections rose fourfold in a year and have become the third most common non-malicious insider action seen in enterprise environments.
Australian businesses are squarely in this trend. Adoption figures vary by survey, but a Deloitte Access Economics report released in late 2025 found that about two-thirds of Australian SMBs are using AI, while just 5% are fully equipped to realise its benefits, meaning most usage is happening without strategy or structure behind it. A separate small-business survey put adoption or intent to adopt at 80% in 2025, spanning sectors from hospitality to professional services.
The motivation is simple and very human: people use these tools to get work done faster. Surveys consistently find that a majority of employees say they would use shadow AI if it helped them meet a deadline. You are not fighting laziness or rule-breaking, you are competing with genuine usefulness.
Why small and IT-focused businesses are more exposed
It is tempting to assume large enterprises carry the bigger risk. The data says the opposite for smaller firms. One 2025 study found that companies with 11-50 employees showed the densest shadow AI usage of all, averaging around 269 unsanctioned tools per 1,000 employees, with roughly 27% of staff actively using them.
The reason is structural. Smaller companies typically have minimal or zero dedicated security staff and lack formal tooling or policies to control unauthorised IT, so by default, everything is permitted because no one is watching. A 200-person enterprise has a CISO and a procurement process. A 15-person firm has whoever is best with computers.

For IT services businesses specifically, the exposure compounds. You hold not just your own data but your clients’ systems, credentials and confidential information. A developer experimenting with a free AI coding assistant, or a support technician pasting client logs into a chatbot, is not just risking your data, they are potentially exposing the businesses that trust you to protect them. In a sector built on credibility, that is the asset most at stake.
The real risks, in plain terms
The Australian regulatory picture and why it just got sharper
This is where Australian businesses need to pay close attention, because the legal ground shifted recently.
The Privacy and Other Legislation Amendment Act 2024 reformed the Privacy Act 1988, with most provisions taking effect on 10 December 2024. Crucially, a new statutory tort for serious invasions of privacy commenced on 10 June 2025, giving individuals a direct right to sue for serious privacy breaches – independent of the existing Privacy Act framework. The reforms also introduced a tiered penalty regime capturing a broader range of contraventions. And there is a clock still running: provisions requiring transparency about automated decision-making carry a grace period ending 10 December 2026.
The privacy regulator has been explicit about AI. In October 2024, the OAIC published two guidance documents, one on using commercially available AI products like chatbots and writing or coding assistants, and one on developing and training generative AI models. The core message for businesses: the Privacy Act and the Australian Privacy Principles apply to all uses of AI involving personal information. Their best-practice advice is blunt: avoid entering personal information, particularly sensitive information like health, financial or identification data, into publicly available generative AI tools, and complete a Privacy Impact Assessment before introducing a new AI system.
On the security side, the Australian Signals Directorate’s ACSC has published guidance titled Engaging with Artificial Intelligence. Its practical recommendation is to apply AI-engagement advice alongside the Essential Eight framework, understand the constraints of any AI system you use, and train staff to use it securely.
The takeaway: “an employee did it without telling us” is not a defence. Liability sits with the business.
What to do about it
The instinct to ban AI outright almost always fails – staff simply move usage further into the shadows. A governance-first approach works better. Here is a practical sequence for an SMB:
The bottom line
Shadow AI is not a passing trend or a problem you can ban your way out of. It is the natural result of genuinely useful tools meeting real deadline pressure, and it is already inside almost every business. For Australian SMBs, especially those in IT who hold client trust as their core asset, the combination of tightening privacy law and accelerating adoption makes this a now problem, not a later one. The businesses that handle it well will not be the ones that lock AI down. They will be the ones that bring it into the light – with visibility, clear rules, safe tools and trained people.
Sources & further reading
Figures and regulatory references in this guide are drawn from the following sources (current as at June 2026):
- secondtalent.com – Shadow AI statistics: https://www.secondtalent.com/resources/shadow-ai-statistics/
- techtimes.com – Shadow AI cybersecurity risk spikes, 45% of workers using unsanctioned tools: https://www.techtimes.com/articles/318438/20260615/shadow-ai-cybersecurity-risk-spikes-45-workers-use-unsanctioned-tools.htm
- reco.ai – Popular doesn’t mean secure: the 2025 State of Shadow AI report findings: https://www.reco.ai/blog/popular-doesnt-mean-secure-the-2025-state-of-shadow-ai-report-findings
- parlinfo.aph.gov.au – Privacy and Other Legislation Amendment Bill 2024, bill text: https://parlinfo.aph.gov.au/parlInfo/download/legislation/bills/r7249_firstreps/toc_pdf/24115b01.PDF;fileType=application%2Fpdf#search=%22legislation/bills/r7249_first-reps/0000%22
- Office of the Australian Information Commissioner (OAIC) – Guidance on privacy and the use of commercially available AI products; Guidance on privacy and developing and training generative AI models (21 October 2024): https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/guidance-on-privacy-and-the-use-of-commercially-available-ai-products
- Australian Signals Directorate’s ACSC – Engaging with Artificial Intelligence. cyber.gov.au
- Privacy and Other Legislation Amendment Act 2024 (Cth); commentary from Corrs Chambers Westgarth, Norton Rose Fulbright and Securiti on the statutory tort and reform timeline.
- Deloitte Access Economics / Amazon – The AI edge for small business (November 2025); BizCover – Australian Small Business AI Report 2025; National AI Centre adoption data.
- Verizon – 2026 Data Breach Investigations Report; shadow AI figures as reported in the techtimes.com article linked above.
This guide is general information only and is not legal advice. For obligations specific to your business, consult a qualified privacy or legal professional.