The Board's Shadow AI Problem
Boards and audit committees are asking the right question: is artificial intelligence being used responsibly across the organization? In most cases, management responds confidently. They point to approved AI tools, governance committees that oversee them, and policies that prohibit unsanctioned use.
This answer is correct within its limits, because it explains how the organization governs the AI it has approved. However, it does not address how AI is actually being used day to day across the workforce.
Unsanctioned AI use is widespread across many organizations. Employees rely on public models to draft analyses, summarize documents, write code, and support professional decisions. The volume of this activity is meaningful, yet much of it remains invisible to leadership. Management is not being misleading when it reports on AI governance. It is simply describing the portion it can see, which often represents only a small part of the full AI footprint.
This gap is not primarily a technology issue. It is a governance and reporting challenge that exists even in organizations that believe they have addressed AI risk.
What Management Is Reporting
When boards ask about AI, management typically focuses on the sanctioned environment. This includes approved tools, governance frameworks, acceptable use policies, training programs, and controls designed to protect data.
Each of these elements is valid. Together, they form a credible governance structure for the AI the organization has formally adopted. This is also the portion that management can measure, document, and report on with confidence, including how AI is reshaping controls and compliance reporting.
What Management Often Cannot Report
The gap becomes clear when deeper questions are raised. Most organizations cannot fully answer these questions today because monitoring is limited, inventories are incomplete, and reporting structures were not built to capture this type of activity.
Common blind spots include:
- The extent of unsanctioned AI use across the organization
- Which functions rely on these tools most heavily
- What types of information are being entered into public platforms
- How AI-assisted work is documented, reviewed, or validated
- Whether approved tools meet the needs employees are trying to address elsewhere
As a result, boards receive accurate information, but only about a narrow slice of overall AI exposure.
Questions Boards Should Be Asking
Effective oversight requires moving beyond whether AI is governed to understanding how management knows what is happening in practice. Directors and audit committee members can strengthen oversight by asking targeted questions such as:
- What is the estimated level of unsanctioned AI use, and how was that estimate developed?
- What evidence supports the conclusion that sensitive data is not being shared in public tools?
- How is AI-assisted work identified and reviewed before it is used in client deliverables, regulatory filings, or internal decisions?
- Where do gaps exist in approved tools that are pushing employees toward alternatives?
- How will the board be informed if exposure changes?
These questions help establish a foundation for meaningful, ongoing oversight.
What Effective Reporting Looks Like
AI reporting is improving, but in many organizations it still lags behind actual usage. Effective reporting should address both sanctioned and unsanctioned environments. It should also clearly distinguish between what is known and what is estimated, supported by a governance foundation built on recognized frameworks.
Strong reporting connects AI use to specific risk categories rather than treating it as a single issue. It highlights where approved tools fall short of business needs and provides a basis for informed follow-up discussions. Achieving this level of reporting requires thoughtful inventory, assessment, and governance design work that many organizations have not yet completed.
The Next Step
Risk advisors are well positioned to help organizations close the gap between what management can report and what boards need to understand. The process begins with a clear assessment of the AI footprint, both sanctioned and unsanctioned, followed by the development of a reporting framework that provides meaningful visibility.
If you have questions about whether your organization has full visibility into its AI use, start with a focused conversation with our Risk Solutions team to gain clear insight into your exposure and strengthen board-level oversight.