How the help desk can fight shadow AI
Why IT departments should monitor any shadow AI usage—and understand why employees are engaging in it.
As if the help desk wasn’t busy enough with resetting passwords and setting permissions, now there’s a new challenge: educating employees about the risks of shadow AI, which is the unauthorized use of AI tools in an organization’s workflows.
Experts like Unthread CEO Tom Bachant suggest that IT professionals use device monitoring and other tactics to stay ahead of employees who might deploy shadow AI. Others, like Will Adams, president of B2B technology strategy and software development company Tarkenton, told IT Brew that understanding why employees are using AI tools can unlock organizational innovation and efficiency.
So, what happens next? Adams said if the help desk identified an employee using shadow AI, and that use resulted in a security or data loss issue, the organization’s IT professionals should have a conversation with that employee about why they used that model. What were they hoping to achieve?
Additionally, the help desk should assess damage and identify if sensitive information has leaked. Exposing critical data is one thing, he said, but discovering shadow AI usage that doesn’t expose valuable information is an opportunity to teach rather than punish.
Taking a “heavy-handed approach” by punishing someone guilty of using shadow AI, Adams added, could drive employees to hide their AI usage from the organization. Instead, understanding that employees are already using AI could be the first step in learning how the organization can better integrate the technology into workflows.
“One large factor is many employees have already made their choice of what type of AI that they’re using and that they’re comfortable with, and they already have so much information already loaded into their AI tool of choice,” Adams said. “These companies have to be able to create a very similar experience for the employees, and the only way to do that is to understand what they’re doing.”
Technically, what are the options? Enterprises can encourage employees to discuss how they’re interested in using technology, Adams said: “Let’s learn from our employees, because most of them are not being malicious.”
Worse comes to worst, help desk pros can put a stop to unauthorized AI usage. Depending on the severity of the use case of shadow AI, Bachant said, IT pros may remotely kill a device “at any time” through administrative settings: “That’s the nuclear option, in case it seems like things are getting a little bit out of hand.”
Jim Dolce, CEO of mobile threat detection company Lookout, told IT Brew that if the IT department detects an unsanctioned AI app, it may have to consider approving that app for official use. But with a growing number of AI-enabled apps, it’s difficult for the help desk and other IT pros to keep up with everything employees could potentially use.
“This problem becomes a very big problem for the help desk, because if the employee takes the initiative to ask permission, which they generally don’t, then the help desk doesn’t even have a tool to be able to answer the question and give the permission,” Dolce said.
Like Bachant, Dolce suggested that IT departments can restrict access to corporate data and systems for those employees who have an unauthorized AI tool running on their personal or professional devices.
“When [someone] inadvertently downloads this cool, new GenAI app that somebody recommended, you as the IT department are signaled immediately that this has occurred,” Dolce said. “You have visibility to it, and you also have a knowledge base that says, ‘Here’s what this app is capable of doing.’”
Experts noted that IT professionals should constantly monitor their tech ecosystem to ensure shadow AI never becomes an issue for an organization’s privacy and security. Monitoring an environment can look different for every organization, and industry leaders point to developing customized metrics for tracking, depending on needs.
About the author
Caroline Nihill
Caroline Nihill is a reporter for IT Brew who primarily covers cybersecurity and the way that IT teams operate within market trends and challenges.