You've had this conversation before, just with a different product name.
An employee needed to move fast. The sanctioned tool was slow, locked down behind a six-month procurement cycle, or simply not yet available. They used what worked. IT found out later — usually during an audit, sometimes during an incident — and the conversation about policy versus practice began. The policy said one thing. The practice said another. The gap between them was where the risk lived.
That's the Dropbox story from 2011. It's the personal Gmail story from 2013. It's the consumer SaaS story that played out in waves across every enterprise and agency for the better part of a decade. And it is now, with minimal variation in the behavioral driver, the ChatGPT story.
Federal employees are using personal accounts on ChatGPT, Claude, Gemini, and a rotating cast of other consumer AI products to meet delivery pressure when agency-sanctioned alternatives aren't available or aren't fast enough. The pattern is structurally identical to every shadow IT wave you've watched before. The consequences are not.
The Analogy That Works, and Then Doesn't
The shadow IT analogy earns its keep here. The behavioral driver is the same: a capable person facing a deadline, holding a tool that works, and a policy that says wait. The governance vacuum is the same: no provisioning, no deprovisioning, no access review, no audit trail. The organizational dynamic is the same: the people doing the work know about it, the people responsible for governance don't, and the gap closes only when something goes wrong.
If you've sold identity governance or CASB or DLP into federal agencies over the last decade, you've explained this pattern to buyers more times than you can count. You know how to describe it. You know what the buyer nods at. You know the moment when they say "we have a policy for that" and you have to gently surface the difference between having a policy and having instrumentation.
That part of your intuition transfers directly. Use it.
Here is where the analogy stops working: a Dropbox folder doesn't learn from your files. When a GS-13 analyst at a civilian agency drafts a policy brief using personal ChatGPT credentials, the exposure isn't just "sensitive document left in an ungoverned location." Consumer AI products have data handling terms that are structurally different from a file sync service. OpenAI's consumer tier and enterprise tier operate under materially different terms: the enterprise API and ChatGPT Enterprise explicitly commit to not using inputs for model training; the consumer free tier has historically included provisions that allow input data to be used for model improvement, subject to opt-out mechanisms that most users never configure. (OpenAI's current consumer data policy is publicly available and worth reading before your next conversation — the terms have evolved, but the structural distinction between consumer and enterprise handling remains.)
Claude and Gemini have analogous tier distinctions. The details vary. The pattern holds: the free consumer account that an employee uses because it's fast and available does not carry the data handling commitments that a procured enterprise agreement would.
The audit trail problem is worse than the Dropbox version, not just equivalent. With a shadow Dropbox account, you can eventually reconstruct what files were stored, when, and by whom. With a consumer AI session, you cannot reconstruct what was submitted as a prompt, what the model returned, or what the employee did with the output. The session is gone. If the employee's account is ever subpoenaed, or if a data incident triggers a forensic review, the agency's ability to understand what information transited that channel is essentially zero.
The Identity Governance Failure Mode
The identity governance failure here is structurally identical to every shadow SaaS scenario: accounts created outside any provisioning workflow, no lifecycle management, no deprovisioning trigger when the employee separates or changes roles.
Deprovisioning is the one that actually bites. When a federal employee leaves an agency — voluntarily or otherwise — the offboarding process is supposed to revoke access to systems holding sensitive information. That process works, imperfectly but measurably, for systems the agency knows about. It cannot work for a personal ChatGPT account the employee created with their personal email address to draft agency documents. The account doesn't appear in any directory. There's no deprovisioning hook. The employee takes it with them, along with whatever conversation history the consumer product retains.
OMB M-24-10, issued in March 2024, requires agencies to designate Chief AI Officers and establish AI governance structures, including risk management for AI use. It creates the policy architecture for governing AI tool adoption. What it cannot create, by itself, is the instrumentation layer that tells a CAIO which AI tools employees are actually accessing. Policy and visibility are different things, and M-24-10 advances the former without mandating the latter in any technically specific way.
CISA's guidance on deploying AI systems securely, published in collaboration with international partners in 2024, addresses configuration and deployment risks for AI systems agencies are intentionally running. It is not, and was not designed to be, a framework for detecting consumer AI usage by employees operating outside sanctioned channels. The guidance assumes the agency knows what AI systems it's running. Shadow AI usage breaks that assumption at the foundation.
A 2025 survey of federal IT and security professionals — conducted by a major public sector research firm, sample size approximately 400, results published in Q1 2025 — found that roughly 60 percent of respondents believed employees at their agency were using personal AI accounts for work tasks, while fewer than a quarter said their agency had technical controls in place to detect or restrict that usage. Survey data from a single study shouldn't carry too much weight, but the directional finding is consistent with what identity and security teams are reporting anecdotally: the policy exists, the visibility doesn't.
The Question That Surfaces the Gap
When you're in a discovery conversation with a CAIO or CIO, skip the question about whether the agency has a policy governing employee use of personal AI accounts.
Every buyer will say yes. Most of them will mean it. The policy probably exists. It may even be well-written. It tells you nothing about whether the agency has visibility into what's actually happening.
Ask this instead: "If an employee in your agency accessed ChatGPT or Claude with a personal account on an agency device or network today, would you have a way to know that happened?"
That question separates policy from instrumentation. It surfaces whether the buyer has CASB coverage that logs AI tool traffic, whether their endpoint management has any visibility into browser-based AI usage, whether their network monitoring distinguishes AI service endpoints from general web traffic. Most buyers, when they sit with the question for a moment, realize the honest answer is no — or "we think so, but we haven't tested it."
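One concrete way to test that question, as an added example that is not from the original article: a first-pass pass over web proxy logs that flags traffic to consumer AI services per user. The log format, the domain list, and the sample lines are all constructed assumptions; the domain list is illustrative, not exhaustive.

```python
import re
from collections import defaultdict

# Consumer AI service domains (illustrative list, an assumption; not exhaustive).
CONSUMER_AI_HOSTS = {
    "chatgpt.com": "ChatGPT",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
}

# Constructed sample proxy log lines: timestamp client_ip user method url bytes
SAMPLE_LOG = """\
2025-03-04T09:12:01Z 10.20.1.15 jdoe CONNECT chatgpt.com:443 18422
2025-03-04T09:12:07Z 10.20.1.15 jdoe POST chatgpt.com/backend-api/conversation 5120
2025-03-04T09:13:44Z 10.20.1.22 asmith GET www.nist.gov/publications 9001
2025-03-04T09:15:02Z 10.20.1.31 bking CONNECT claude.ai:443 2210
2025-03-04T09:16:30Z 10.20.1.15 jdoe POST chatgpt.com/backend-api/conversation 7330
2025-03-04T09:20:11Z 10.20.1.40 cwu GET gemini.google.com/app 3100
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def ai_service_for(url):
    """Map a logged URL to a consumer AI service name, or None."""
    host = url.split("/")[0].split(":")[0].lower()
    parts = host.split(".")
    # Check the host and each parent domain so api.chatgpt.com also matches.
    for i in range(len(parts) - 1):
        service = CONSUMER_AI_HOSTS.get(".".join(parts[i:]))
        if service:
            return service
    return None

def summarize_ai_usage(log_text):
    """Return {user: {service: {'requests': n, 'bytes_out': b}}} for AI traffic only."""
    usage = defaultdict(lambda: defaultdict(lambda: {"requests": 0, "bytes_out": 0}))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, _ip, user, method, url, nbytes = m.groups()
        service = ai_service_for(url)
        if service is None:
            continue
        entry = usage[user][service]
        entry["requests"] += 1
        if method == "POST":  # request bodies carry the prompt text
            entry["bytes_out"] += int(nbytes)
    return {u: dict(s) for u, s in usage.items()}
```

Domain matching answers "did AI traffic happen on our network" but not "which account was used": enterprise and personal ChatGPT sessions share the same hostnames, so distinguishing them needs the CASB or identity layer the question is really probing for.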
The buyer doesn't need a lecture about shadow IT risk; they've heard it. They don't need a recitation of data handling terms; they'll read those later. They need the question that makes them realize the gap between what their policy says and what their instrumentation can see.
The Dropbox moment taught a generation of IT leaders that policy without visibility is a document, not a control. That lesson is available to your buyer. Your job is to ask the question that makes them reach for it.