Wojciech Wiewiórowski, the European Data Protection Supervisor, published a blog post on 15 June 2026 on a growing enterprise problem: shadow AI. Employees feeding company data into unknown chatbots, coding assistants, and meeting recorders without IT or security controls in place can expose organizations to risks that may go undetected for months.
His point isn't that employees are being reckless. It's that the convenience of these tools is outrunning the safeguards built to contain them.
Shadow IT has existed for twenty years, but shadow AI is different. A rogue spreadsheet shared over Dropbox is a containment problem. A transcript of a confidential negotiation fed into an unapproved chatbot is something else — the data may now be training a model, sitting on a server outside company control, or retained indefinitely with no one accountable for any of it.

Once an employee pastes data into an unapproved tool, that data is effectively gone. No contract governs how it's used, no retention schedule exists, and there's no way to know whether it crosses into jurisdictions with weaker protections. As the EDPS puts it, it's a "regulatory blind spot": most security teams have no inventory of the AI tools their own employees are running.
Tools that were never reviewed also have no documented legal basis for the processing they perform, which the GDPR requires before personal data is processed at all. Under the EU AI Act, obligations depend on how a system is classified, and an organization that never classified the system in the first place will find the absence of any formal review hard to defend in an audit. An organization with no record of what data went where can't respond to a regulator or to a data subject asking what happened to their information.
Wiewiórowski provides a pertinent example: AI meeting recorders joining calls without IT's knowledge, creating what he calls unexpected backdoors. If a bot with no security review, data handling agreement, or company-controlled kill switch is inside a call touching sensitive matters about HR, legal strategy, or customer data, the company loses the ability to confidently say who has access to that conversation, or to honor a data subject access request.

Wiewiórowski is clear that banning AI tools is not the answer, as blocking everything would only push this behavior further underground. His proposed approach has four parts:
He's also clear that no single team owns this. DPOs, IT, security, and the business units using these tools have to monitor it continuously, not just at policy sign-off.
A policy is only as good as the organization's ability to see what's happening against it. If you can't detect when someone installs an unapproved coding assistant or signs up for a chatbot with their corporate email, the policy is a document, not a control.
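As an added illustration of what such a detection control can look like in practice (this is example code written for this page, not the EDPS's text and not Holistic AI's product), the script below runs a minimal shadow AI discovery pass over web-proxy logs: it matches request hosts against a catalogue of AI tool domains, separates sanctioned from unsanctioned tools, aggregates who used each tool and how much data was sent to it, and ranks the unsanctioned ones by a simple risk score. The log format, the catalogue, every domain, user name and category weight are constructed for the example; a real deployment would use the organization's actual proxy or DNS log schema and a maintained vendor domain list.

```python
"""Shadow AI discovery from web-proxy logs (illustrative example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed catalogue: host -> (tool name, category). Placeholder domains,
# not real vendors; a real list would map actual AI SaaS endpoints.
AI_TOOL_CATALOGUE = {
    "chat.example-assistant.com": ("ExampleChat", "chatbot"),
    "api.example-assistant.com": ("ExampleChat", "chatbot"),
    "code.example-copilot.dev": ("ExampleCopilot", "coding assistant"),
    "bot.example-notes.ai": ("ExampleNotes", "meeting recorder"),
}

# Tools that already went through the approval workflow (assumed for the example).
SANCTIONED_TOOLS = {"ExampleCopilot"}

# Assumed weighting: recorders capture whole conversations, chatbots receive
# pasted documents, coding assistants mostly see source snippets.
CATEGORY_WEIGHT = {"meeting recorder": 3, "chatbot": 2, "coding assistant": 1}

# Assumed proxy log line: "<timestamp> <user> <METHOD> <url> <status> <bytes sent>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/\s]+)\S* (?P<status>\d{3}) (?P<sent>\d+)$"
)

# Constructed sample log, including one internal host and one malformed line.
SAMPLE_LOG = """\
2026-06-15T09:01:02Z alice POST https://chat.example-assistant.com/api/conversation 200 48210
2026-06-15T09:03:11Z bob POST https://chat.example-assistant.com/api/conversation 200 1200500
2026-06-15T09:05:40Z carol GET https://intranet.corp.example/wiki 200 512
2026-06-15T09:07:00Z dave POST https://code.example-copilot.dev/v1/complete 200 9030
2026-06-15T09:10:15Z erin POST https://bot.example-notes.ai/upload 200 3400000
this line is not a log entry
2026-06-15T09:12:59Z alice POST https://api.example-assistant.com/v1/chat 200 7000
"""


@dataclass
class ToolUsage:
    """Aggregated use of one AI tool across the log window."""
    name: str
    category: str
    sanctioned: bool
    users: set[str] = field(default_factory=set)
    requests: int = 0
    bytes_uploaded: int = 0  # request bytes sent to the tool: data that left the company

    def risk_score(self) -> int:
        # Breadth of use weighted by category, plus one point per MB uploaded.
        return CATEGORY_WEIGHT[self.category] * len(self.users) + self.bytes_uploaded // 1_000_000


def parse_line(line: str) -> dict[str, str] | None:
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def build_inventory(lines) -> dict[str, ToolUsage]:
    """Fold log lines into a per-tool inventory; non-AI hosts and bad lines are skipped."""
    inventory: dict[str, ToolUsage] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] not in AI_TOOL_CATALOGUE:
            continue
        name, category = AI_TOOL_CATALOGUE[rec["host"]]
        usage = inventory.setdefault(
            name, ToolUsage(name, category, sanctioned=name in SANCTIONED_TOOLS)
        )
        usage.users.add(rec["user"])
        usage.requests += 1
        usage.bytes_uploaded += int(rec["sent"])
    return inventory


def rank_unsanctioned(inventory: dict[str, ToolUsage]) -> list[ToolUsage]:
    """Unsanctioned tools only, highest risk first: the queue for the approval workflow."""
    return sorted(
        (t for t in inventory.values() if not t.sanctioned),
        key=lambda t: t.risk_score(),
        reverse=True,
    )


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LOG.splitlines())
    for tool in rank_unsanctioned(inv):
        print(f"{tool.name:<15} {tool.category:<18} users={len(tool.users)} "
              f"requests={tool.requests} uploaded={tool.bytes_uploaded} risk={tool.risk_score()}")
```

The design choice worth noting is that the inventory is keyed by tool, not by host, so several endpoints of one product collapse into one row, and that the ranking takes only unsanctioned tools: a sanctioned coding assistant with heavy use is a monitoring matter, while an unsanctioned meeting recorder with a single user is still the first thing to route into review.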
Holistic AI's Shadow AI Discovery tool is built to close this gap. It automatically detects unauthorized and unmanaged AI tools across the enterprise before they surface in a breach investigation. It builds a centralized, auditable inventory of every AI tool in use, ranks them by risk, and routes high-risk tools into a structured approval workflow so shadow AI has a path to become governed, sanctioned AI instead of an open question.
The EDPS post is aimed at EU institutions, but the risk isn't limited to the public sector. Any organization handling sensitive data has employees right now using tools that security has never heard of. Make sure you can see it when it happens.
Source: Wojciech Wiewiórowski, "Managing Shadow AI's Hidden Data Breach Risk," European Data Protection Supervisor blog, 15 June 2026.