TOKYO — Artificial intelligence (AI) is now widely deployed in business operations, but the risks of “hidden AI” are often overlooked. That is, AI slips into an organization without the organization’s or management’s approval, and external partners use AI in ways that the company is unaware of. This includes individuals using professional AI tools without permission, commonly referred to as “shadow AI.”
If left unchecked, such usage can lead to data breaches and other serious issues, which will definitely make some businesses nervous. How are companies responding to the reality of this situation?
Minutes bot that went “out of control”
The Tokyo-based AI Governance Association highlighted concerns about AI use in a report on creeping “inconspicuous AI” published in late January. Case studies ranged from “runaway minutes bots” to “AI abuses discovered on social media.”
This report is based on what is believed to be the first systematic investigation of its kind. The survey was conducted in August and September 2025 among 115 member companies, of which 47 responded. Industries ranged from IT to telecommunications, finance, and manufacturing, and approximately 40% were large companies with 5,000 or more employees.
In the case of the runaway minutes bot, an employee personally installed an AI-powered minutes app on a company computer. The employee did not plan on using it during online meetings with business partners, but by default, when integrated with online meeting tools such as Zoom, it was set to run in every meeting and notify all participants. As a result, minutes were automatically created during meetings with business partners and notifications were sent to all participants. The company said it was kept busy explaining the situation to its partners.
The “unauthorized use of AI discovered on social media” case highlights the difficulty of understanding the actual state of AI use throughout the supply chain. Responding companies had developed guidelines to monitor the use of AI by external partners and required their partners to comply. In reality, however, a subcontractor was using generative AI without informing the company. This came to light through a post on social media: a third party who saw the post pointed it out, and it became clear that the AI had been used without permission.
There were also concerns that “AI functions were forcibly implemented after the system update, and it was unclear what kind of data was being used.” There seems to have been concern that a tool that was previously used safely for business could suddenly become a “gateway for siphoning corporate information” after the update.
Research from the AI Governance Association shows the scale of the oversight gap. When asked if their employees were using shadow AI, 30% said they were “not fully aware” of the situation, 13% said they had “virtual knowledge” and 17% said they “didn’t conduct any research.” Regarding “AI use by external partners,” nearly 90% of companies reported issues with monitoring, and about half did not even attempt monitoring.
Creating rules
Experts emphasize the importance of establishing and enforcing rules. Kazuhiro Nakanishi, an “evangelist” at Akamai Technologies LLC, a major internet infrastructure company with extensive knowledge of cloud security, uses shadow AI as an example, pointing out that “there is a tendency for people to access free AI tools for convenience and even enter confidential company information.” At technology companies, employees may create their own AI applications and connect them to internal systems without permission.
“We first need to educate employees about the use of AI and put governance in place,” Nakanishi said. “There may still be employees who use AI, and there may be cases where it is unclear what information they can input.” As countermeasures, he proposed setting access restrictions for each AI service within the company’s internal systems; when using external AI services, considering a corporate agreement that ensures input data is not used to train general-use AI systems; and developing an in-house, closed-network AI system.
[Yuki Machino]
