Tuesday, I wrote about the gap between what enterprise software demands and what AI can handle in seconds. That gap is real, it's growing, and your employees already know it.
They also already know the fix. They've been implementing it on their own, one workaround at a time.
The unofficial migration
A Salesforce survey found that more than half of generative AI users at work use tools their employer hasn't approved. A WalkMe study puts the number at 78%.
These are your operations analysts uploading spreadsheets to ChatGPT because your BI tool takes twenty minutes to do what AI does in ninety seconds. Your procurement team pasting vendor letters into Claude because your onboarding form has thirty-seven fields they can already see in the PDF. Your claims processors using personal accounts to summarize documents your system still expects them to read line by line.
They're doing this on personal accounts, on uncontrolled infrastructure, with data your security team would prefer stayed inside the perimeter. And the volume is growing every month.
The policy reflex
Most organizations respond with restrictions. Publish a policy. Block domains. Remind everyone about data governance.
The policy gets published. The behaviour continues. Every organization that's tried to ban shadow AI has learned the same lesson as the ones that tried to ban personal smartphones in 2012: behaviour follows the path of least friction, regardless of policy.
The signal underneath
Every spreadsheet an employee uploads to ChatGPT is a feature request. Every document pasted into Claude is a prioritized use case. Every workaround duct-taped together with a personal AI account is a map coordinate.
Plot them and you have a heatmap of your highest-value automation targets, generated by people solving real problems under real constraints. An analyst with a deadline and a slow tool will use a faster one. Every time.
This is better data than any use-case workshop produces. Workshops surface what's easy to demonstrate. Shadow AI surfaces what people actually need. The workshop use case is "we could summarize meeting notes." The shadow AI use case is "I'm losing ninety minutes a day because this system makes me retype data I can see in the next tab." One is a nice-to-have. The other is costing you salary hours and talent.
At one organization, the CTO commissioned a formal AI use-case prioritization exercise. It took three months and produced a ranked list of 40 candidates. When they finally surveyed what employees were already doing with personal AI accounts, the top five shadow workflows matched none of the 40.
What the heatmap reveals
Look at where your people are routing around your systems and you'll find a pattern. The workarounds cluster in three places.
Data entry that should be extraction. Forms where people copy data from documents into fields. The AI alternative reads the document and pre-fills the form. This is the most common shadow AI use case because it's the most obviously wasteful: a human acting as a bridge between two systems that should talk to each other.
Analysis that should be instant. Reports that take hours to compile from raw data. Spreadsheets that require manual cleanup before they're usable. The AI alternative ingests the messy data and produces the summary directly. Your BI platform has this on its roadmap somewhere. Your employees needed it last quarter.
Search that should be conversational. Knowledge workers hunting through wikis, shared drives, and email threads for a specific answer. The AI alternative takes the question in plain language and returns the answer with sources. This workaround stays hidden the longest because it looks like "just Googling something."
Each cluster is a map of where automation delivers the most value. Each one has employees who can describe the ideal workflow in detail, because they've already built the rough version themselves.
The risk is real
Shadow AI creates genuine risk. Sensitive data in uncontrolled environments. Outputs nobody can verify or reproduce. Compliance exposure nobody's tracking. A regulated organization has every reason to take this seriously.
The response that works is competition. Make the official path faster than the unofficial one. Take the top three workflows from your shadow AI heatmap and build sanctioned versions: sandboxed, auditable, connected to your actual systems. When the official tool is faster than the workaround, the workaround disappears on its own. The answer the board needs is "we've converted the risk into a governed capability."
Three small agents that do one thing well, running on infrastructure you control. An invoice reader. A document pre-filler. A contract term extractor. Each one scoped to a single workflow, each one faster than the ChatGPT workaround it replaces.
The people building the workarounds are the same people who can spec the replacement. They've already figured out the inputs, the outputs, and the edge cases. That's months of requirements gathering, done for free, by the most motivated users in your organization.
The compounding loop
When you close one gap, something useful happens. Employees start telling you about the next one.
The first sanctioned AI tool proves you're paying attention. The operations analyst who was quietly uploading spreadsheets starts asking "could we do something like this for the monthly reconciliation?" The claims processor who was pasting documents into Claude walks into a meeting with a list of five other workflows that would benefit from the same treatment.
The heatmap gets richer. Each improvement generates more signal. The cycle compounds.
The organizations that end up furthest ahead will be the ones that looked at what their employees were already doing and made it official, one workflow at a time.
Bill Sourour
Founder, Arcnovus
25 years in enterprise technology. Writes about AI strategy for CTOs.
'/%3e%3c/g%3e%3cuse%20xlink:href='%23h'%20transform='rotate(180)'/%3e%3c/svg%3e)