Shadow AI: transparency is key when it comes to agents
According to Sharp Europe, 45% of SME employees use templates and chatbots without telling their management
Until recently, this was regarded as a phenomenon confined to the most enterprising employees who experiment independently with new artificial intelligence tools. Today, however, ‘shadow AI’ also involves senior management, revealing a paradox that goes beyond technology: organisations are investing more and more in artificial intelligence but are still struggling to create an organisational framework capable of properly managing its use. This is the picture that emerges from a study by Sharp Europe conducted amongst 2,500 executives from small and medium-sized enterprises across ten European countries, shedding light on an issue set to become even more pressing with the spread of AI agents that act autonomously on business processes and data. Let’s take a look at the report’s most significant indicators.
Who is responsible?
45 per cent of employees use templates and chatbots without telling management, whilst 44 per cent of managers admit to using these tools without informing their colleagues in order to appear more competent. What are the reasons behind this lack of transparency? It is often the fear of the consequences, with one in three executives fearing they will be perceived as unprofessional (if they were to openly admit to using AI) and an identical proportion recognising the risk to which the company is exposed through unregulated use of the technology. According to Olivier Massonat, CEO of Sharp DX France, Italy & Spain, however, there is no single, direct person responsible for ‘shadow AI’. “In most cases,” he explained to *Il Sole 24 Ore*, “employees are not trying to circumvent corporate governance maliciously, but are reacting faster than companies can adapt. AI enables people to be more productive, to analyse data more quickly or to automate repetitive tasks, whilst security policies and toolchains inevitably take longer to adapt.”
The research does indeed highlight a growing gap between the pace of AI adoption and companies’ ability to embrace it, with 35 per cent of executives stating that they do not yet possess sufficient technical skills to use these tools with confidence, and the same proportion of respondents continuing to be wary of the reliability of the results produced by generative models.
Pragmatic governance
This is an important issue because the phenomenon of ‘shadow AI’ is becoming systemic, reminiscent of other well-known phenomena in the digital sphere such as BYOD or ‘shadow IT’. There is, however, one substantial difference: artificial intelligence is not merely an application installed without authorisation, as it interprets information, generates content, makes decisions and interacts with other business systems. “Complete transparency,” emphasises the CEO of Sharp DX, “is probably unrealistic, especially if AI is embedded in browsers, productivity suites, SaaS platforms and personal devices. The aim should not be absolute control, as this would slow down usage and create even more behaviour that is difficult to monitor, but rather pragmatic governance: approved AI environments, clear data policies, identity and access controls, monitoring, audits and practical guidelines on what employees can and cannot do. In this way, ‘shadow AI’ can be transformed into a visible and scalable asset.”
The liability of agents
This is no easy goal to achieve, however, as it requires data classification, the verification of cybersecurity procedures and new operational models, not to mention the implications of the gradual evolution of agent-based AI. In future, the issue will no longer concern only those who use a chatbot without authorisation, but also those who will be held accountable for any errors attributable to the machine. “If an unauthorised AI agent,” Massonat explains, “negotiates with a client, writes code, approves expenditure or makes operational decisions, the responsibility falls on the company, on those in charge of the processes and on the governance model that regulates its operations. The agent-based era is changing the framework: we are moving from AI as an assistant to AI as an actor.” The picture is clear, and whilst the AI Act may serve as a catalyst for developing appropriate governance models, many European companies (including Italian ones, of course) are still in the early stages and need time to define approval workflows, human-in-the-loop controls, data scope and incident management. Once again, the challenge is not (merely) technical, but cultural and organisational.

