
Lukas Huber
Contributor
90% of IT leaders see Shadow AI as a top risk in 2026. Learn how to uncover and govern uncontrolled AI usage in your Swiss SME.
It's Monday morning, 8:15 AM. Your accountant opens ChatGPT and enters a client list to draft a payment reminder. Your sales manager has Claude write a proposal — including pricing calculations. The intern uses Midjourney for social media posts with your company logo. Nobody informed IT. Nobody considered the data protection implications.
Welcome to the world of Shadow AI — the uncontrolled use of AI tools by employees without the knowledge or approval of management. For Swiss SMEs, this isn't an abstract risk but daily reality. And it's growing exponentially: since ChatGPT launched, an estimated 30–50% of all office workers regularly use at least one AI tool — mostly without IT knowing.
The problem isn't that your employees use AI. The problem is that you don't know which tools they use, what data they input, and where that data ends up. For a Swiss SME subject to the FADP (Federal Act on Data Protection), this can become an existential threat.
What exactly is Shadow AI — and why is it more dangerous than classic Shadow IT?
Shadow AI is the use of AI tools and services by employees that are neither approved nor monitored by the IT department. The crucial difference from classic Shadow IT: with traditional Shadow IT (e.g., an unauthorized project management tool), data mostly stays within the tool. With Shadow AI, company data is actively sent to external models — and potentially used for training.
The most common Shadow AI scenarios in Swiss SMEs include accounting staff entering client data into ChatGPT, sales teams generating proposals with pricing strategies, HR analyzing CVs with external AI tools, and management drafting strategy papers with competitive intelligence.
How to uncover Shadow AI in your company
"We had no idea that 14 different AI tools were connected to our Microsoft accounts. After the audit we finally knew where our data was flowing."
The good news: if you use Microsoft 365, you already have the tools — they're just not activated. Most Swiss SMEs pay for M365 licenses that include powerful governance features that were never turned on.
Three key steps: First, audit Entra ID (Azure AD) app registrations to see every third-party app connected to corporate accounts. Second, enable Microsoft Defender for Cloud Apps to monitor which AI URLs employees visit. Third, conduct an honest employee survey about AI tool usage.
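What the first step looks like once the data is in hand, as an added example that is not the article's own code or a Microsoft tool: in Entra ID the third-party apps users have connected show up as service principals with OAuth2 permission grants, and a consent grant with consentType "Principal" means an individual user clicked through the consent screen without an admin ever reviewing it. The script below assumes you have exported those two collections from Microsoft Graph to JSON (the records here are constructed samples in that shape, not data from a real tenant), and the risk weights and name heuristic are this example's own judgement, not a Microsoft scale.

```python
"""Triage an Entra ID consent-grant export for unmanaged AI tools.

Added example, not the article's code. Input records are constructed
samples shaped like Graph's servicePrincipal and oauth2PermissionGrant
objects; run it on your own export after reviewing the weights.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the connected third-party apps (service principals).
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Contoso Expense Tracker",
     "verifiedPublisher": {"displayName": "Contoso Ltd"}},
    {"id": "sp-2", "displayName": "ChatGPT Connector (unofficial)",
     "verifiedPublisher": {"displayName": None}},
    {"id": "sp-3", "displayName": "MeetingNotes AI Summarizer",
     "verifiedPublisher": {"displayName": None}},
]

# Constructed sample grants. consentType "Principal" = a single user consented;
# "AllPrincipals" = tenant-wide admin consent. scope lists delegated permissions.
GRANTS = [
    {"clientId": "sp-1", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-17",
     "scope": "User.Read Mail.Read Files.Read.All offline_access"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-42",
     "scope": "User.Read OnlineMeetings.Read Calendars.Read offline_access"},
]

# Delegated scopes that let an app read (and keep reading) company content.
# Weights are this example's judgement, not an official scale.
SCOPE_RISK = {
    "Mail.Read": 3, "Mail.ReadWrite": 4, "Files.Read.All": 3,
    "Files.ReadWrite.All": 4, "Sites.Read.All": 3, "Calendars.Read": 1,
    "OnlineMeetings.Read": 2, "Directory.Read.All": 2, "offline_access": 2,
}

# Heuristic only: names that suggest a generative-AI tool, for human review.
AI_NAME_PATTERN = re.compile(r"\bai\b|gpt|chat|llm|copilot|assistant|summari[sz]er", re.I)


@dataclass
class Finding:
    app: str
    score: int
    reasons: list[str] = field(default_factory=list)


def triage(service_principals: list[dict], grants: list[dict]) -> list[Finding]:
    """Score every connected app and return the list highest-risk first."""
    grants_by_client: dict[str, list[dict]] = {}
    for g in grants:
        grants_by_client.setdefault(g["clientId"], []).append(g)

    findings = []
    for sp in service_principals:
        f = Finding(app=sp["displayName"], score=0)
        if not (sp.get("verifiedPublisher") or {}).get("displayName"):
            f.score += 2
            f.reasons.append("publisher not verified")
        if AI_NAME_PATTERN.search(sp["displayName"]):
            f.score += 1
            f.reasons.append("name suggests an AI tool")
        for g in grants_by_client.get(sp["id"], []):
            if g["consentType"] == "Principal":
                f.score += 2
                f.reasons.append(f"user consent by {g['principalId']} without admin review")
            for scope in g["scope"].split():
                weight = SCOPE_RISK.get(scope, 0)
                if weight:
                    f.score += weight
                    f.reasons.append(f"delegated scope {scope}")
        findings.append(f)
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(SERVICE_PRINCIPALS, GRANTS):
        print(f"{f.score:>3}  {f.app}")
        for r in f.reasons:
            print(f"      - {r}")
```

The report puts the user-consented, unverified "ChatGPT Connector" with mail and file access at the top; the admin-approved expense app with only User.Read scores zero. In a real tenant the same ranking tells you which consent grants to revoke first and which apps belong on the policy's red list.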
Concrete measures to protect your Swiss SME
Create a one-page AI usage policy with a traffic light system (green/yellow/red). Activate Microsoft Purview DLP to prevent sensitive data from being pasted into external AI tools. Set Conditional Access policies via Entra ID. For critical data, evaluate Swiss-hosted AI alternatives where data never leaves Switzerland.
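To make the DLP step concrete, here is an added example (not the article's code and not Microsoft Purview) of what a pre-paste check for Swiss personal and financial identifiers does: it finds candidate AHV numbers and Swiss IBANs and confirms each with its checksum so that look-alike order or tracking numbers do not trigger a block. Purview ships its own sensitive-information types for these patterns; this block exists so you can judge which rules to enable and why checksum validation matters. The sample strings are constructed; the AHV number is the published format example from the Federal Social Insurance Office documentation, not a real person's.

```python
"""Checksum-validated detection of Swiss AHV numbers and IBANs in text.

Added example, not the article's code and not Purview. Sample inputs are
constructed; the AHV value is the official format example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# AHVN13: 756.XXXX.XXXX.XC, dots optional. Swiss IBAN: CH + 2 check digits
# + 17 alphanumerics (21 characters), optionally grouped in fours.
AHV_RE = re.compile(r"\b756\.?\d{4}\.?\d{4}\.?\d{2}\b")
IBAN_RE = re.compile(r"\bCH\d{2}(?: ?[0-9A-Z]{4}){4} ?[0-9A-Z]\b")


def ahv_checksum_ok(candidate: str) -> bool:
    """AHVN13 uses the EAN-13 check digit: weights 1,3,1,3,... over 12 digits."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 13 or digits[:3] != [7, 5, 6]:
        return False
    total = sum(d * (1 if i % 2 == 0 else 3) for i, d in enumerate(digits[:12]))
    return (10 - total % 10) % 10 == digits[12]


def iban_checksum_ok(candidate: str) -> bool:
    """ISO 13616 mod-97: move the first four characters to the end, map letters
    A..Z to 10..35, and the resulting integer must leave remainder 1."""
    compact = candidate.replace(" ", "").upper()
    rearranged = compact[4:] + compact[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


@dataclass(frozen=True)
class Hit:
    kind: str
    masked: str  # never log the full identifier


def mask(value: str) -> str:
    compact = value.replace(" ", "").replace(".", "")
    return compact[:4] + "*" * (len(compact) - 6) + compact[-2:]


def scan(text: str) -> list[Hit]:
    """Return only candidates whose checksum confirms them as real identifiers."""
    hits: list[Hit] = []
    for m in AHV_RE.finditer(text):
        if ahv_checksum_ok(m.group()):
            hits.append(Hit("AHV number", mask(m.group())))
    for m in IBAN_RE.finditer(text):
        if iban_checksum_ok(m.group()):
            hits.append(Hit("Swiss IBAN", mask(m.group())))
    return hits


def verdict(text: str) -> str:
    """'block' if confirmed personal/financial data is present, else 'allow'."""
    return "block" if scan(text) else "allow"


# Constructed sample: a payment reminder draft (real checksums) and a line of
# look-alike numbers (same shape, checksums fail).
SAMPLE = ("Reminder for client Muster AG, AHV 756.9217.0769.85, "
          "pay to IBAN CH93 0076 2011 6238 5295 7 by 30 June.")
NOISE = "Order ref 756.9217.0769.86, tracking CH00 0076 2011 6238 5295 7"

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("noise", NOISE)):
        print(label, verdict(text), scan(text))
```

The second sample is the edge case that matters in practice: both strings match the regex, but the check digits fail, so the draft is allowed through. Without the checksum step a rule like this produces the false positives that make staff disable or route around DLP.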
A realistic roadmap for SMEs with 20–50 employees
Week 1: Inventory (Entra ID audit + employee survey). Week 2: Policy (traffic light system, team communication). Week 3: Technical measures (Defender, DLP rules, Conditional Access). Week 4: Alternatives (approved tools, Copilot setup, Swiss-hosted evaluation, training).
Shadow AI isn't an IT problem — it's a leadership issue. The FADP doesn't accept "we didn't know" as an excuse. Responsibility lies with management. The first step is always the same: look. Open your Entra ID Admin Center. Check which apps are connected. You'll be surprised.
Frequently Asked Questions
What is Shadow AI?
Shadow AI refers to the use of AI tools (such as ChatGPT, Claude, Midjourney) by employees that is not approved or monitored by the IT department. Unlike classic Shadow IT, Shadow AI actively sends company data to external models, which brings considerable data protection risks.
How do I find out which AI tools my employees use?
Use three methods: 1) An Entra ID app registration audit shows all connected third-party apps. 2) Microsoft Defender for Cloud Apps monitors visited AI URLs in real time. 3) An anonymous employee survey provides honest insight into actual usage.
Is Shadow AI illegal in Switzerland?
Shadow AI itself is not illegal, but the uncontrolled transfer of personal data to external AI services can violate the revDSG (the revised Swiss Data Protection Act). Fines of up to CHF 250'000 can be imposed personally on the responsible person.
How long does a Shadow AI audit take for an SME?
A basic Shadow AI audit (Entra ID app check, employee survey, first policy) can be completed in 4 weeks. The initial Entra ID app audit takes only 2–4 hours and delivers immediate results.