Tag:Shadow AI

Shadow AI refers to the use of unapproved or unmanaged AI tools, including third-party generative AI services, outside organisational governance and security controls. This introduces risks such as sensitive data exposure, lack of visibility and potential non-compliance. Using Microsoft controls including Microsoft Purview, Microsoft Entra and Defender, organisations can detect, monitor and reduce Shadow AI risk across both Microsoft 365 Copilot and external AI environments.

Workplace Ninjas Norway 2026: My Sessions on Shadow AI and Data Security

Posted on Updated on by Nikki Chapple

Event: Workplace Ninjas Norway 2026
Location: Oslo, Norway
Format: Conference Sessions
Date: 27 May 2026
Sessions:

  1. Evaluating AI Risk with Microsoft’s Security Dashboard for AI
  2. Preventing Data Leaks to Shadow AI: Managing Generative AI Apps in Your Organisation

At Workplace Ninjas Norway 2026, I delivered two sessions focused on a challenge that many organisations are only just starting to fully understand: the impact of Shadow AI on data security.

These sessions were designed to reflect the reality organisations are facing today.

AI adoption is already happening.
Often without visibility.
Often without governance.

The question is no longer whether people are using AI.

It is whether you understand what is happening to your data when they do.


Read More

Shadow AI Governance: You Can’t Stop AI. But You Can Control the Risk

Posted on Updated on by Nikki Chapple

Shadow AI governance is now a critical challenge for organisations.

Shadow AI is already inside your organisation.

Employees are using AI tools every day to summarise documents, improve emails, analyse spreadsheets, generate presentations, and draft proposals. Most are not trying to break policy. They are trying to work faster and smarter.

That is exactly what makes Shadow AI such a serious governance risk.

This is no longer a question of whether AI is being used at work. It is a question of whether your organisation has visibility into which AI tools are in use, what data is being shared, and which controls are in place to reduce risk.

The urgency is real. Microsoft’s 2026 Data Security Index report says that 32% of surveyed organisations’ data security incidents involve the use of generative AI tools, while only 47% of surveyed organisations are implementing controls focused on generative AI workloads. More than 80% of surveyed organisations are implementing or developing Data Security Posture Management strategies to improve visibility and governance.

AI adoption is accelerating.

Governance is still catching up.

This article explains the practical control model I use with organisations to understand Shadow AI risk, improve visibility, and apply effective governance at scale.


Read More

How to Govern Shadow AI with Microsoft Purview, Defender and DSPM

Posted on Updated on by Nikki Chapple

Most organisations are already dealing with Shadow AI, whether they realise it or not.

Employees are using ChatGPT, Claude, Gemini, AI-powered browser extensions, meeting assistants, coding tools, and countless other generative AI services to work faster.

The challenge is not stopping people from using AI.

The challenge is governing where organisational data goes.

In my previous article, Shadow AI Governance: Why You Must Control AI Data Risk In Microsoft 365 I explained why Shadow AI has become one of the fastest-growing data security challenges facing IT and security teams.

This article focuses on the next question:

How do you actually govern it?

Microsoft recently published a deployment model called Prevent Data Leak To Shadow AI, which combines Microsoft Purview, Microsoft Defender for Cloud Apps, Microsoft Entra, and Microsoft Intune into a unified approach for managing AI risk.

Microsoft’s guidance is excellent.
But in practice, I simplify it into two control layers:

  • Control the Apps
  • Control the Data

Everything else supports these two decisions.

Because successful AI governance is not about blocking AI.
It is about enabling AI safely.

You cannot stop users using AI.
But you can control what happens to your data.


Read More

How to Deploy Microsoft Purview DLP for Copilot and Generative AI

Posted on Updated on by Nikki Chapple

Organisations adopting Microsoft 365 Copilot and generative AI are facing a common challenge. Data is no longer static. It is constantly moving, reused, and now being surfaced and generated by AI.

This changes the risk profile.

The questions I hear most often are:

  1. What are the real data security risks with AI?
  2. Which controls actually make a difference?
  3. How do we deploy them effectively in Microsoft Purview?

This guide builds on my ECS 2026 session and focuses on the controls that provide the greatest practical value. It cuts through the noise and shows how to use Microsoft Purview DLP for Copilot and generative AI, with a practical approach to reducing real-world data leakage risk across both internal and external AI tools.


Read More

Governing AI Shadow IT with the Microsoft Purview Browser Extension

Posted on Updated on by Nikki Chapple

AI tools like ChatGPT, Bard, and Claude are transforming the workplace. From customer service to content creation, employees are increasingly turning to them as productivity boosters. But with this innovation comes a challenge:

⚠️ How do you protect sensitive company data from being unintentionally exposed, while still enabling the benefits of AI?

The answer: the Microsoft Purview Browser Extension — a lightweight, privacy-first tool that gives organizations visibility and control over browser activity without becoming intrusive. When combined with Endpoint DLP, Insider Risk Management (IRM), and Data Security Posture Management (DSPM) for AI, it provides a powerful way to govern risky behavior, including shadow AI.

  • A four‑step guide to using DSPM for AI to monitor and manage risky behaviour — without compromising privacy
  • What the Purview Browser Extension is and why it matters
  • How it works alongside Endpoint DLP and Insider Risk Management (IRM)

Read More