Many compliance risks arise from formal firm decisions. AI is different because a large portion of risk may arise from informal employee behavior. This is the problem of shadow AI. Shadow AI occurs when employees, advisors, contractors or representatives use unapproved AI tools for firm business outside the firm’s governance framework. It may involve a personal ChatGPT account, a free AI assistant, a browser plug-in, a transcription tool, a personal Copilot account or an AI feature inside a consumer application.
The exposure is especially significant for firms with decentralized workforces, remote employees, independent contractors or advisors using their own devices and networks. Historically, firms have often relied on questionnaires asking independent representatives whether their devices were patched, encrypted and free of unauthorized applications. The weakness of that model is obvious: firms wind up relying heavily on self-reporting.
AI creates a similar challenge, but with broader implications. Think of how easy it now is for:
- an employee to copy client data into a public AI tool,
- an advisor to use a personal AI account to generate a client report or paste account information into a chatbot to prepare a meeting summary, or
- a contractor to use an AI notetaker without understanding whether the transcript is being stored or used to train a model.
If the firm does not know this activity is happening, how can it properly evaluate privacy, recordkeeping, supervision or data security implications?
The ability to detect shadow AI use is becoming one of the most important practical challenges for compliance and technology leaders.
Attestations Are Not Enough
Firms may be tempted to solve shadow AI with an annual certification. Employees can be asked to confirm that they are not using unauthorized AI tools or entering client data into public platforms. Certifications are useful, but they are not sufficient in this case.
Regulators have already shown skepticism toward compliance programs that rely entirely on certifications without testing. The same concept applies to off-channel communications, outside storage, personal devices and other areas where employee behavior can occur outside firm-approved systems. A certification may help show that expectations were communicated, but regulators have made it clear that it does not prove a firm had a reasonable supervisory process.
A defensible AI control framework should include multiple touchpoints:
- policy prohibitions and permitted use standards
- training on what is and is not allowed
- employee certifications
- vendor and application inventory
- technical monitoring where feasible
- reviews of metadata, documents, communications and system logs
- exception reporting
- escalation and remediation procedures
- periodic testing of whether controls are working
The firm should not rely on a single control like self-certification. A policy without training will not be enough. Training without testing will not be enough. Testing without documentation will not be enough. Real defensibility of a framework comes from the combination of many elements.
Employees Need Practical Training, Not Abstract Warnings
AI training should not be generic. Employees need to understand the specific types of information that should not be entered into unapproved tools. They need concrete examples of prohibited conduct.
For example, a firm should train employees not to paste the following into public or unapproved AI systems:
- client names and contact information
- account numbers
- holdings or balances
- financial plans
- risk profiles
- tax information
- Social Security numbers
- internal supervisory notes
- compliance reviews
- trade blotters
- due diligence files
- confidential firm strategy
- non-public business information
Employees may not understand what qualifies as non-public information or personally identifiable information (PII) unless the firm explains it clearly. Firms must train staff on what PII means, what confidential information means and why client or firm information cannot be entered into unapproved AI tools.
Training should be tailored to specific roles, because an advisor, portfolio manager, client service associate, operations analyst, CCO, CIO or CEO may each use AI differently. The firm should explain AI risk in the context of real workflows.
Shadow AI Can Shift From Mistake To Intentional Circumvention
Training and documentation also matter because they help distinguish between an employee who made a mistake and an employee who intentionally circumvented firm controls.
If an individual goes around the firm’s systems, sets up a separate account or tries to avoid monitoring, the behavior can move from negligence to intentional avoidance.
This distinction is important. While a firm cannot prevent every rogue action, it can reduce firm-level exposure by showing that it had reasonable procedures, communicated them clearly, trained employees, collected certifications, tested compliance and used sound methods to detect violations.
If an examiner asked how your firm knows employees are not entering client information into unapproved AI tools and your response is to simply highlight policy language and annual attestations, you may have a problem.
A defensible AI program should therefore document not only what the firm prohibits, but how the firm communicates, monitors, tests and enforces those prohibitions.
Sid Yenamandra is the Founder and CEO of SurgeONE.ai, a compliance, cybersecurity and data services platform for wealth management that unifies the offerings of RegVerse, Kovair, Security Snapshot and MGL Consulting.