Shadow AI Is Inevitable. Here’s How Enterprises Can Stay in Control

Responsible AI: Shadow AI in enterprise is reshaping risk and governance. Learn how to balance innovation, accountability, and trust in AI adoption.

AI adoption is moving faster than most governance frameworks can keep up. Across departments, employees are increasingly turning to AI tools to write content, analyze information, automate tasks, and accelerate decision-making—often without formal approval or oversight. The result is the rise of Shadow AI: the use of AI systems that operate outside established organizational controls.

For enterprises, the risks extend beyond simple policy violations. Sensitive data can be exposed to third-party models, inaccurate outputs can influence business decisions, and compliance obligations can become harder to enforce. Yet attempting to eliminate Shadow AI entirely is neither practical nor likely to succeed. As AI becomes a standard workplace tool, organizations must find ways to channel its use rather than suppress it.

This shift is forcing technology leaders to rethink how governance works in the AI era. Instead of focusing solely on restrictions, many are exploring how to create frameworks that provide visibility, accountability, and guardrails without slowing innovation.

Neal Gottsacker, CTO of UserTesting, has spent years helping organizations adopt emerging technologies while balancing security, scale, and user needs. In his view, the most effective response to Shadow AI is not tighter control alone, but a combination of clear governance, workforce education, and a culture that encourages responsible experimentation. As enterprises move from AI pilots to organization-wide adoption, these principles are becoming increasingly important.

Framing the Shift: Shadow IT to Shadow AI

The shift from Shadow IT to Shadow AI is changing the nature of enterprise risk. Beyond traditional security concerns, Shadow AI is introducing new challenges around accountability, oversight, transparency, and trust.

Shadow AI is generally harder to detect than traditional Shadow IT. And it’s spreading faster than expected. What are your thoughts on this when it comes to managing risk? How does this shift redefine the enterprise risk model at a fundamental level?

Gottsacker: Shadow AI raises the stakes because it produces confident, plausible answers that teams can accept without inspection.

We address that through inspectable AI outputs that link back to underlying human evidence, because the real risk is false confidence at scale. The model has to shift from controlling access to ensuring outputs are transparent, inspectable, and tied back to real evidence.

Based on your experience scaling R&D at Nintex, do you see Shadow AI as a natural extension of Shadow IT, or as a break that demands entirely new governance frameworks?

Gottsacker: There’s a clear lineage from Shadow IT, but Shadow AI can directly influence decisions, not just create fragmentation.

That becomes especially important with synthetic feedback, which can be useful for directional learning but shouldn’t be treated as a replacement for real human validation. The governance challenge is making sure teams understand that distinction.

Speed vs Control: The Adoption Paradox

As organizations race to unlock the benefits of AI, they face a delicate balancing act between innovation and governance.

The challenge is to give employees the speed and flexibility they need while maintaining the visibility, security, and accountability required for responsible AI adoption.

How do you design internal AI platforms that are as easy and powerful as external tools, so governance doesn’t get bypassed?

Gottsacker: If internal systems don’t match the speed and usability of external tools, people will work around them. The goal is to deliver insight where decisions happen.

That’s why embedding AI into existing workflows matters. For example, our team recently launched UserTesting for Figma, which lets teams access customer feedback without leaving their design environment. It lets them prioritize feedback and make changes in the moment, without bouncing off the platform to test and back again to edit. Lower friction means they’re more likely to seek feedback in the first place and actually act on it.

Many enterprises struggled when they approached Shadow IT with restriction-first mindsets. Today, what specific mistakes should CTOs avoid repeating with Shadow AI?

Gottsacker: The biggest mistake is treating Shadow AI like a control problem instead of a signal. When teams reach for unsanctioned tools, they’re telling you exactly where the friction is.

CTOs who lead with restriction will watch adoption happen anyway, just without visibility. The ones who lead with enablement, providing supported pathways grounded in real customer and workflow insight, get speed and decision quality.

Restriction-first thinking has already lost this fight once. No reason to lose it twice.

As an experienced leader, how do you create guardrails that evolve at the pace of model innovation, rather than becoming obsolete within months?

Gottsacker: Guardrails have to be anchored in principles rather than specific models, because the technology is evolving too quickly.

A critical guardrail is to ensure outputs are inspectable and link back to underlying evidence, such as video, audio, transcripts, or behavioral data. The tooling will change, but validation and human accountability shouldn’t.

Platform Strategy and Control Points

Effective AI governance requires more than centralized policies. It demands control mechanisms that fit naturally into everyday workflows. Leaders should now rethink where governance should reside and how it should be enforced.

Do you believe the control plane for AI should sit in centralized platforms, embedded governance layers, or distributed across workflows?

Gottsacker: The control plane is not best located in a single place. On the one hand, centralized governance is necessary for security and governance teams to see what models are being used, what data is being accessed, and what costs look like.

On the other hand, governance needs to exist alongside the work and data layer to simplify the employee experience. Distributed enforcement with lightweight approval inside the tools in use will change behavior.

How critical is it for organizations to provide sanctioned “AI pathways” (internal copilots, governed APIs) to counter Shadow AI, versus trying to detect and restrict it externally?

Gottsacker: Providing sanctioned pathways is critical because if teams don’t have a trusted internal option, they’ll default to external tools.

The goal is to make the approved path just as fast, but more reliable by grounding it in enterprise-grade data quality and governance systems. Capabilities like UserTesting Verified™ help ensure the people and data behind insights are authentic. That scales much better than restricting usage from the outside.

Experimentation at Enterprise Scale

Managing AI successfully is as much a cultural challenge as it is a technological one. Leaders must foster innovation and experimentation while building the discipline needed to ensure responsible and secure AI use.

Having founded a startup earlier in your career, how do you balance the instinct for rapid experimentation with the discipline required for enterprise-grade AI governance?

Gottsacker: It depends on the startup’s stage.

Early-stage startups often require a heavier focus on rapid experimentation to validate product-market fit. Assuming the enterprise as a target market, many enterprise-grade requirements such as authentication and data protection can no longer be deferred.

Fortunately, the pace of development with AI tools has changed the velocity of delivering on all of the above.

Skills and Talent for Responsible AI Adoption

As AI becomes embedded in everyday workflows, technical expertise alone is no longer enough. Leaders need to upskill teams so that they can critically evaluate AI outputs and make informed decisions.

Does managing Shadow AI require a different kind of workforce – one that is not just AI-literate, but AI-critical? How do you build that at scale?

Gottsacker: AI literacy is becoming a baseline, but it’s not sufficient on its own. Teams also need an AI-critical mindset, knowing how to question outputs and recognize their limitations.

That’s especially important in areas tied to customer understanding, where decisions need to move from assumptions to evidence.

What new roles or capabilities do you see emerging in tech at the intersection of AI, governance, and product development?

Gottsacker: We’ll see a shift to decision accountability. For example, a quality role whereby someone assesses the implications of a model hallucination or drift.

A process design role that focuses on where a human should remain in the loop. Leadership roles that oversee decisions made, how to track them, and remediate them if something goes wrong.

As you lead the next phase of AI-driven R&D at UserTesting, what does “responsible scale” look like in practice?

Gottsacker: Responsible scale means increasing the speed of insight and decision-making without losing confidence in the outcome.

At UserTesting, a big part of that is combining AI with real human feedback from a verified participant network, so teams can move faster while ensuring decisions remain grounded in real human experience. That balance between acceleration and accountability is what makes scale sustainable.

Looking Ahead: The Next Phase of AI Governance

The future of AI governance will be shaped by how effectively organizations integrate AI into their operating models. Those who can innovate with confidence and control will stand out from the rest.

Over time, do you expect Shadow AI to normalize into standard workflows, or will it remain a persistent edge phenomenon that organizations must continuously manage?

Gottsacker: Some Shadow AI use will normalize as organizations build stronger governance and more structured ways to use AI. But the challenge remains that teams are moving faster than traditional validation processes can keep up.

The focus should be on embedding AI into core enterprise workflows so insight is available where decisions are made, while still ensuring outputs are grounded in real evidence.

If we look three to five years ahead, what will distinguish organizations that successfully manage Shadow AI in the enterprise from those that don’t?

Gottsacker: Those organizations that successfully manage Shadow AI will deliver value to customers more quickly than competitors, have more engaged employees, have fewer internal escalations due to governance violations, and ultimately have greater trust placed in them from their customers.

Key Takeaway:

Shadow AI in enterprise is unlikely to disappear, but it doesn’t have to become a liability. What matters is how organizations respond. Those that embrace AI’s potential while putting the right guardrails in place will be the real winners.

About the Speaker: Neal Gottsacker is Chief Technology Officer at UserTesting, where he leads the company’s global R&D organization and technology strategy, focused on advancing AI-powered customer insight and accelerating platform innovation. Previously, he held senior leadership roles at Nintex, leading R&D through significant growth, and earlier led a division of HP Software and founded his own startup. Gottsacker holds a Bachelor of Science in computing and information science from McKendree University.

Gizel Gomes is a professional technical writer with a bachelor's degree in computer science. With a unique blend of technical acumen, industry insights, and writing prowess, she produces informative and engaging content for the B2B leadership tech domain.