March 25, 2026
Market and Business Development Leader, Risk and Compliance
Artificial intelligence now plays a central role in clinical operations, supporting documentation, decision-making, and administrative workflows. Yet alongside this progress, a quieter risk is growing: shadow AI, the intentional or unintentional use of unapproved or unauthorized AI tools by healthcare staff.
A Wolters Kluwer Health survey of healthcare professionals, published in January 2026, found that 17% of healthcare workers use unauthorized AI tools, and two in five have encountered them in their environment. This behavior is rarely malicious: it stems from unclear policies, rapid technology change, and the ease of accessing consumer AI tools. Most healthcare organizations do have processes for vetting AI solutions before they touch sensitive healthcare data, but unauthorized tools bypass those processes entirely. The result is a growing set of risks that healthcare leaders can no longer ignore.
Shadow AI is fueled by several converging factors. Clinicians often blur the line between personal and professional AI use, assuming that tools familiar from home are acceptable in clinical settings, and they reach for those tools to reduce documentation burden and save time. In addition, many workplace platforms now embed AI features without clear labeling, allowing unvetted capabilities to slip into daily workflows.
When clinicians paste protected health information (PHI) into consumer AI tools, the data may be retained or used for model training, creating immediate HIPAA exposure. Meanwhile, browser extensions, mobile apps, and workflow shortcuts increasingly incorporate AI, operating outside enterprise monitoring and expanding the attack surface.
The risks associated with shadow AI are significant and immediate. When PHI is entered into AI tools that are not covered by the organization's Business Associate Agreements (BAAs), it creates HIPAA and privacy exposure. Patient safety is also threatened when clinicians rely on unvalidated outputs or when AI-generated content influences documentation.
Security teams face blind spots because unauthorized tools bypass logging, monitoring, and access controls. These gaps undermine compliance efforts and prevent organizations from maintaining consistent oversight of AI use.
The risks identified above do not diminish AI's potential; they simply underscore the need for disciplined AI governance.
Shadow AI is ultimately a governance challenge. Kodiak helps healthcare organizations establish the structures, controls, and monitoring needed to manage AI responsibly.
Our approach begins with governance frameworks aligned to the NIST AI Risk Management Framework and ISO 42001, ensuring consistent oversight across the AI lifecycle. Using the NIST functions—govern, map, measure, and manage—we help organizations define roles, document data flows, test reliability and security, and implement continuous monitoring.
Kodiak also recommends the following steps for implementing strong AI governance:
The survey results reinforce three points: clinicians will use tools that make their work easier, policies must be explicit, and shadow AI is already present in most organizations. Without proactive governance, privacy and safety incidents are inevitable, especially when sensitive data can be inadvertently exposed through seemingly harmless actions like pasting ePHI into online AI tools.
By pairing clear policies with strong data loss prevention controls and responsible AI guardrails, healthcare organizations can reduce risk while still enabling meaningful, safe innovation.
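The visibility and DLP controls mentioned above can be illustrated concretely. The following is an added example, not code from the original article or from Kodiak: it scans constructed web-proxy records, flags requests to consumer AI hosts that are not on the organization's approved list, and escalates when the request body carries PHI indicators. All hostnames, the log format, and the sample records are hypothetical and constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical hostnames, constructed for this example. A real deployment would
# load the sanctioned list from the organization's AI inventory and the consumer
# list from a maintained URL-category feed.
APPROVED_AI_HOSTS = {"ai.internal.example-health.org"}
CONSUMER_AI_HOSTS = {"chat.example-llm.com", "assistant.example-ai.net"}

# Simple PHI indicators. Regexes like these are a first-pass DLP signal, not a
# complete PHI classifier; names and free-text clinical notes need richer detection.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}


@dataclass
class Finding:
    timestamp: str
    user: str
    host: str
    reason: str
    phi_types: Tuple[str, ...]


def parse_line(line: str) -> dict:
    """Parse one constructed proxy record: ts|user|host|method|request_body."""
    ts, user, host, method, body = line.rstrip("\n").split("|", 4)
    return {"ts": ts, "user": user, "host": host, "method": method, "body": body}


def detect_phi(text: str) -> Tuple[str, ...]:
    """Return the PHI indicator types found in text, in pattern order."""
    return tuple(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def classify(record: dict) -> Optional[Finding]:
    """Flag unapproved AI hosts; escalate when the request body carries PHI."""
    host = record["host"]
    if host in APPROVED_AI_HOSTS or host not in CONSUMER_AI_HOSTS:
        return None  # sanctioned tool (under BAA), or not an AI host this check covers
    phi = detect_phi(record["body"])
    reason = "phi_to_unapproved_ai" if phi else "unapproved_ai_use"
    return Finding(record["ts"], record["user"], host, reason, phi)


def scan(lines: List[str]) -> List[Finding]:
    """Run classify() over every record and collect the findings."""
    findings = []
    for line in lines:
        finding = classify(parse_line(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records (not real traffic).
SAMPLE_LOG = [
    "2026-03-25T09:14:02Z|rn_patel|ai.internal.example-health.org|POST|Summarize note for MRN 00123456",
    "2026-03-25T09:15:40Z|dr_kim|chat.example-llm.com|GET|",
    "2026-03-25T09:16:05Z|dr_kim|chat.example-llm.com|POST|Draft discharge summary. MRN: 00987654 DOB 03/14/1962",
    "2026-03-25T09:17:11Z|admin_lee|billing.example-vendor.com|POST|SSN 123-45-6789 for claim",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user} -> {f.host}: {f.reason} {list(f.phi_types)}")
```

Two design points follow from the article's argument. First, the approved host is exempt even when PHI is present, because the sanctioned tool is the one covered by a BAA; the control targets where data goes, not whether clinicians use AI at all. Second, the billing host carrying an SSN is not an AI host and produces no finding here; that traffic belongs to a general DLP policy, so this check stays narrow and its alerts stay actionable for the AI governance owner.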
Kodiak’s AI governance and risk intelligence approach helps organizations achieve stronger regulatory alignment, clearer visibility into AI use, improved patient safety, and scalable oversight through Risk Cubes. We help leaders position AI to support clinical excellence without introducing hidden risk.
If your organization is unsure where AI is helping and where it is quietly creating exposure, Kodiak can help you strengthen your AI inventory and build the governance foundation needed for safe, responsible, and risk-intelligent AI innovation.
Kodiak Solutions
