One day, there was a malfunction. While waiting for the vendor's repair crew to arrive, some of the assembly line workers tried dismantling the machines and discovered the microphones. The assembly line manager was livid that the vendor had never informed him, let alone asked him, before installing what he saw as spy devices in his environment.
GenAI tools are being snuck into products at a far greater pace. To be fair, vendors are generally announcing that they now use AI, especially when they are indeed not using it. But they are rarely specific enough about what the AI does, what data it touches and where that data goes for an enterprise IT team to make an informed decision. And it is certainly not specific enough to answer the questions of any regulator.
From the perspective of IT, the difference between Shadow AI and Sneaky AI is vast. IT can demand that employees and contractors not use unauthorized systems, but IT management has neither the tools nor the time to investigate Shadow AI use. Candidly, if an employee grabs their phone, asks ChatGPT a question and then pastes the answer into their document, how could anyone in IT possibly know?
But Sneaky AI involves vendors IT is paying. Although IT can imply that employees who engage in Shadow AI will be fired, few employees believe that threat. If, however, a vendor gets the enterprise into compliance trouble because it did not deliver on all of its contractual disclosures and other obligations, the fear of not being renewed (and maybe getting sued) is quite real.
I have heard a wide range of vendors describe this Sneaky AI problem, but they label it Shadow IT. Beyond the clear definitional issue, by falsely lumping the two together, vendors make it harder to find a way to fix the problem. Maybe a full fix is already out of reach, but let's at least try to shrink the nightmare a little.
The possibility of Sneaky AI should be directly addressed in vendor contracts. The goal is to get enterprise IT decision-makers back to a place where they know what they are buying and installing in their systems. That means going well beyond after-the-fact notification: contracts should require early notice before any AI component is added to a product the enterprise already runs, and should require the enterprise's permission before that addition goes live.