Start with what it gets right, because it gets a lot right.
The Causes Are Identical
Shadow IT happened because sanctioned tools couldn't keep pace with what people needed to do. The approved word processor didn't have the collaboration features. The agency-managed file share was too slow to share with contractors. The procurement cycle for a better solution ran eighteen months, and the deadline was in six weeks. So someone stood up a Dropbox account, or a Slack workspace, or a Google Doc shared with a personal Gmail address, and the work got done.
Federal shadow AI is running the same script. OMB M-24-10, issued in March 2024, directed agencies to designate Chief AI Officers and establish governance frameworks for AI use — but governance frameworks don't ship productivity. The employees writing acquisition documents, processing FOIA requests, summarizing congressional testimony, and drafting policy memos are under the same delivery pressure they've always been under, and now there's a category of tool that can genuinely help them move faster. The sanctioned alternatives, where they exist, are often still in pilot. The unsanctioned ones are a browser tab away.
A 2024 survey by Gartner found that roughly 41% of employees at large enterprises reported using AI tools not approved by their IT departments — and that number was rising. (Gartner's sample skews private sector; treat this as directional context, not a federal baseline.) The federal workforce dynamic is structurally similar but worth flagging: significant agency restructuring through 2025 has left many offices doing more with fewer people, which is a tailwind for shadow AI adoption, not a headwind. The delivery pressure argument gets stronger, not weaker, as headcount contracts.
The organizational dynamics transfer too. Shadow IT adoption clustered around mission-critical functions where the productivity gap was largest — program offices, acquisition teams, communications shops. Shadow AI is clustering in the same places. If your buyer's agency has a backlog of contract documents to review or a pile of public comments to synthesize, that's where the unsanctioned ChatGPT usage is happening. The CAIO probably knows this. The question is what they can do about it.
What the Identity Layer Gets You
The governance insight that emerged from cloud migration — identity is the control layer, not the network perimeter — applies directly to shadow AI. You can't govern what you can't see, and you can't see it if you don't know who's using it.
The federal identity posture, at least in principle, is well-positioned for this. Agencies with mature PIV-based authentication and centralized IdP infrastructure have the foundation to enforce conditional access policies that could restrict AI tool usage to approved applications. The same SSO architecture that brought shadow SaaS under governance control is the right architecture for shadow AI governance. That's a real and accurate thing to say in a CAIO conversation, and it will land.
The analogy has load-bearing limits, though, and they show up in three specific places.
Break Point One: The Exposure Happens Before You Know About It
Shadow SaaS created a data governance problem that was, in most cases, recoverable. An employee stored sensitive files in an unauthorized Dropbox account. You discovered it, you deprovisioned the account, you requested deletion, and depending on your data classification and the vendor's data handling terms, you had a reasonable path to remediation. The exposure window was the period between adoption and discovery. Close the account, close the window.
Shadow AI tools don't work this way. When an employee pastes a draft acquisition strategy, a personnel action memo, or a set of source selection criteria into a commercial AI interface, that content is processed immediately. Depending on the tool and its data handling terms, it may be retained for model improvement, logged for abuse detection, or accessible to vendor support staff. The OWASP Top 10 for LLM Applications flags sensitive information disclosure as a primary risk category precisely because the input-output dynamic of AI systems creates exposure pathways that don't exist in traditional SaaS.
The structural implication for identity governance: knowing who used the tool is necessary but no longer sufficient. In shadow SaaS governance, identity told you where the data was — find the account, find the files. In shadow AI governance, identity tells you who submitted content, but not what they submitted, when, or what the model did with it. That requires a different kind of logging, at the application layer, that traditional IAM infrastructure doesn't provide. The CAIO who asks "do we know what our employees are submitting to these tools" is asking a question that identity governance alone cannot answer.
Break Point Two: The Detection Signals Are Different
Shadow SaaS got caught. Network traffic to unknown domains, OAuth authorization flows to unrecognized applications, expense report line items for "productivity software," and eventually the SaaS vendors' own enterprise discovery tools all created detection signals that fed into SIEM workflows. The signals were imperfect but they existed, and the security operations community built playbooks around them.
Shadow AI usage is harder to see. Most commercial AI tools operate over HTTPS through browser interfaces that look like normal web traffic. There's no OAuth flow to flag if the employee is using a personal account. There's no unusual domain if the tool is a well-known consumer service that the agency's network already allows for other purposes. A federal employee using Claude or Gemini through a browser looks, at the network layer, like a federal employee reading a news article.
The GAO noted in its 2024 review of federal AI governance that most agencies lacked the monitoring capabilities to detect unsanctioned AI tool usage across their workforce — not because the agencies hadn't tried, but because the detection architecture for this problem doesn't yet exist at scale in the federal environment. (This predates significant 2025 agency restructuring; treat it as a pre-disruption baseline that likely understates current gaps rather than overstates them.)
In a CAIO conversation, that shifts the detection posture discussion considerably. The relevant question isn't "are your SIEM rules catching shadow app registrations" — it's "do you have any visibility into AI tool usage at the endpoint or application layer, and if not, how are you establishing a baseline." That's a harder conversation, and a more honest one.
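One concrete form of the baseline that question is asking about, as an added example written for this edit rather than code from the article: a small script that turns an authenticating web proxy's logs into a per-user inventory of AI tool traffic, separating sanctioned from unsanctioned hosts and counting large POSTs as probable content submissions. It assumes a proxy that logs the agency username (so usage shows up under the employee's identity even when they sign in to the tool with a personal account), the HTTP method, destination host and bytes sent; the hostnames, threshold and log lines are constructed placeholders. It also makes the Break Point One gap visible: it can say who sent something and where, never what.

```python
# Added example (not the article's): per-user baseline of AI tool usage from
# an authenticating proxy's logs; agency identity is known even for personal accounts.
from collections import defaultdict

# Constructed inventory: hostnames are placeholders, not real services.
AI_HOSTS = {
    "chat.vendor-a.example": "VendorA Chat",
    "assistant.vendor-b.example": "VendorB Assistant",
    "ai.agency-sanctioned.example": "Agency AI",
}
SANCTIONED = {"ai.agency-sanctioned.example"}
# Assumed heuristic: a POST above this size is a content submission, not a page load.
SUBMISSION_BYTES = 2048

# Constructed sample lines: timestamp user method host bytes_sent
SAMPLE_LOG = """\
2025-04-01T09:12:03Z jdoe GET chat.vendor-a.example 512
2025-04-01T09:12:41Z jdoe POST chat.vendor-a.example 18720
2025-04-01T10:05:10Z asmith GET news.example 2900
2025-04-01T10:07:55Z asmith POST ai.agency-sanctioned.example 9400
2025-04-01T11:30:00Z jdoe POST assistant.vendor-b.example 300
2025-04-01T11:31:12Z rlee POST chat.vendor-a.example 45100
"""

def baseline(log_text):
    """Return {user: {tool: {"sanctioned": bool, "hits": n, "submissions": n}}}."""
    report = defaultdict(dict)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, method, host, sent = line.split()
        tool = AI_HOSTS.get(host)
        if tool is None:
            continue  # ordinary web traffic; not an AI tool we track
        entry = report[user].setdefault(
            tool, {"sanctioned": host in SANCTIONED, "hits": 0, "submissions": 0})
        entry["hits"] += 1
        if method == "POST" and int(sent) >= SUBMISSION_BYTES:
            entry["submissions"] += 1  # who and where, but never what was sent
    return dict(report)

def unsanctioned_submitters(log_text):
    return sorted(user for user, tools in baseline(log_text).items()
                  if any(not t["sanctioned"] and t["submissions"] for t in tools.values()))

if __name__ == "__main__":
    for user, tools in baseline(SAMPLE_LOG).items():
        print(user, tools)
    print("unsanctioned submitters:", unsanctioned_submitters(SAMPLE_LOG))
```

On the constructed sample this flags jdoe and rlee, while asmith's large POST goes to the sanctioned host and is counted but not flagged; the 300-byte POST to VendorB is recorded as a hit, not a submission.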
Break Point Three: Deprovisioning Doesn't Remediate
This is the one that tends to land hardest with CAIOs who've been through cloud migration. The shadow SaaS remediation playbook is clean: deprovision the account, revoke the tokens, notify the user, document the incident. The data that was stored in the unauthorized service can be requested for deletion. GDPR and state privacy frameworks created legal mechanisms for this. It's not painless, but it's a defined process.
There is no equivalent process for AI model ingestion. If a federal employee submitted controlled unclassified information to a commercial AI tool in January, and the agency discovers this in April, the remediation options are not "deprovision and delete." The options are: understand what the vendor's data retention and training policies were at the time of submission, assess whether the content was retained or used for model improvement, determine whether any outputs derived from that content are accessible to other users, and document the incident for whatever reporting obligations apply.
None of those steps involve identity infrastructure. They involve vendor contracts, data handling agreements, and incident response processes that most agencies haven't built yet because the scenario didn't exist at scale until recently.
What this reframes is what "governance" means for AI tools. In shadow SaaS, governance meant: know who has accounts, enforce policy through provisioning, remediate through deprovisioning. In shadow AI, governance means: know who is using what tools, enforce policy before submission (because after submission is too late), and ensure that any sanctioned AI tools have data handling terms that support the agency's security posture. The control point moves upstream. Identity is still part of it, but the remediation lever is contractual and architectural, not just administrative.
What to Ask Before You Leave the Room
The shadow IT framing gets you into the conversation. These questions are what you're listening for on the other side of it.
"Do you have visibility into which AI tools your workforce is actively using, or are you working from policy attestations?" The gap between those two things is where the risk lives, and most agencies are still in attestation mode.
"When you say you've restricted AI tool usage to approved applications, what's the enforcement mechanism — is it policy, network controls, or endpoint controls?" Policy without enforcement is a documentation exercise. The CAIO who's thought this through will have an answer. The one who hasn't will pause.
"What are the data handling terms for the AI tools you've sanctioned, specifically around training data and retention?" This is the question that separates agencies that have done the vendor governance work from agencies that have approved a tool without reading the terms. The answer tells you where the real exposure is.
"If you discovered tomorrow that employees had been submitting sensitive content to an unsanctioned AI tool for the past six months, what's your incident response process?" Not a gotcha — a genuine diagnostic. The agencies that have worked through this scenario are ahead of the problem. The ones that haven't are going to be working through it reactively.
The shadow IT playbook built real intuition about why people adopt tools outside the governance lane and how identity infrastructure can bring them back in. That intuition is the right place to start. The three places it runs out — ingestion exposure, detection gaps, and remediation asymmetry — are the places where the conversation gets interesting, and where the seller who's done this thinking earns the next meeting.