2026-03-10
Managing shadow AI risks as healthcare embraces innovation
At HIMSS, experts spoke about managing shadow AI risk with governance, education and technical safeguards.
LAS VEGAS -- Alongside the positive use cases of AI across healthcare in clinical, operational and administrative settings, shadow AI, or the unsanctioned use of AI by employees, lurks beneath the surface of many organizations.
Approximately 40% of surveyed healthcare workers reported encountering unsanctioned AI tools in their workplaces, and nearly 17% reported using the unapproved tools themselves, according to a report from Wolters Kluwer.
A recent Netskope Threat Labs report found that while the adoption of organization-managed generative AI tools rose from 12% to 56% over the past year, the proportion of users switching back and forth between personal and enterprise accounts rose from 5% to 10%, suggesting a desire for certain functionalities that were not offered by their company's internal tool.
Managing shadow AI risk is a challenge, several experts acknowledged in interviews at the HIMSS conference. But it can be managed through good governance, AI education and foundational technical controls, they suggested.
Using foundational governance strategies to curb shadow AI risk
Enthusiasm for AI is high, especially in healthcare, where it is being applied to everything from clinical documentation to revenue cycle management. Healthcare workers who share this enthusiasm for AI might take matters into their own hands, using personal AI tools to improve workflow efficiency.
"As an organization, if you don't define what your acceptable uses of artificial intelligence are, people will still just use artificial intelligence," said Dave Bailey, vice president of consulting solutions and strategy at Clearwater.
"The great news is, for the most part, that [AI] can be very successful, very rewarding and bring a lot of advancements to an organization," he continued. "But unless you put boundaries around it, people are going to use their own subscriptions, their own tools, and the larger an organization is and the more at scale, the more shadow AI is a problem."
This advice for managing shadow AI is not groundbreaking, he noted. It's simply to establish guiding principles and governance around AI use in the workplace.
"Once you do that, then you can say what acceptable uses are, and once you have those, you can say what you don't want people to do. They have to have that as a starting point," Bailey said.
Promoting AI literacy, sanctioned AI use
Putting foundational principles into practice is not easy, but it doesn't have to be overly complicated either.
Jane Moran, Mass General Brigham's (MGB) chief information and digital officer, similarly highlighted the importance of AI governance in an interview. However, she also noted that shadow AI is not an entirely new frontier.
"Shadow AI is a huge risk, but it's not unlike 15 years ago, when it was shadow cloud computing, shadow data environments," said Moran, who also presented on MGB's AI strategy at a HIMSS session on Monday. "So, to me, this is just another technology that's ahead of the curve that we need to put governance and structure around for obvious reasons."
Those reasons include security and safety, as well as financial implications, given that AI involves high compute and storage costs. Since allowing employees to freely use public-facing AI was not an option, MGB created an internal platform, called AI Zone, that allows its employees to use any approved LLM within MGB's network infrastructure.
"We can keep the data safe, we can keep the compute safe and they can store the results in a safe environment," Moran said.
Moran stressed the importance of employee education when it comes to AI -- another potential antidote to shadow AI use.
"That is an ongoing effort to make sure that our employees are educated around how they go about doing AI and what the processes are. We've created all kinds of AI literacy campaigns," Moran said.
MGB currently offers an AI certification specifically for clinicians that is recommended but not required. What's more, all employees, not just clinicians, are required to take a basic AI class. Moran said she envisions getting to a point where the organization requires additional AI training for all employees, especially as more technologies become AI-enabled.
Maintaining a lifecycle governance strategy
Skip Sorrels, field CTO and CISO at Claroty, also emphasized the importance of fundamental governance strategies.
"The thing about any AI, and it's no different for shadow AI, is that it's like vulnerabilities; you don't know what you have until you understand the asset inventory. And so, with technology and software, you've got to know what the inventory is," Sorrels said in an interview.
"You have to have a lifecycle governance strategy -- something laid out that says, 'in order to do X, you must do Y, and it must be approved.' And then, that's where the opportunity comes in to say, 'we don't have a problem with using that, but we just need to make sure that we have the right security controls in place, so it doesn't get outside the house.'"
Governance alone doesn't completely solve the problem of shadow AI, Sorrels warned. Establishing guardrails and rules around appropriate use does not mean that unsanctioned AI use will stop completely. However, proper governance provides a foundation of expectations and rules to follow, so that organizations can gain some assurance that AI will be used safely.
What's more, technical controls like blocking external AI tools can bolster a strong governance strategy and prevent improper use.
"It's not rocket science. It's really proper simplicity. Let's say you have a legacy med device, something that can't be patched, and it's vulnerable. The thing that you can do on the network is micro-segmentation. Prevent it from talking to anything that it shouldn't," Sorrels said.
"And AI is no different. We don't allow it out. We only allow it to go here or there, but nowhere else, and so that's the same technical control that applies to the assets and vulnerabilities."
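The two points above, an asset inventory of what AI is actually in use and an egress control that only lets AI traffic go to sanctioned destinations, can both be served by reviewing web-proxy logs. The following is an added example, not code from the article or from any of the organizations it quotes. It assumes a simple constructed proxy log format (timestamp, user, destination host, bytes sent, proxy action), a hypothetical internal platform hostname (ai-zone.corp.example) standing in for a sanctioned service like MGB's AI Zone, and placeholder domains standing in for a curated list of public generative AI services. It flags which users are reaching public AI services, how much data they have uploaded, and which of those destinations the proxy still allowed, i.e. where the blocklist or allowlist has a gap.

```python
"""Shadow AI detection over web-proxy logs (added example, not from the article).

Assumptions, all constructed for illustration:
- Log line format: "<ISO timestamp> <user> <dest_host> <bytes_sent> <ALLOW|DENY>"
- Sanctioned AI lives on an internal hostname (hypothetical: ai-zone.corp.example)
- Public generative AI services are matched against a maintained domain list;
  the entries below are placeholders, not real vendor domains.
"""
import re
from dataclasses import dataclass

SANCTIONED_AI_HOSTS = {"ai-zone.corp.example"}  # hypothetical internal platform
PUBLIC_AI_DOMAINS = {  # placeholder list; a real deployment would use a curated feed
    "chat.genai-example.com",
    "api.llm-vendor-example.net",
    "assistant.example.org",
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<bytes>\d+) (?P<action>ALLOW|DENY)$"
)

# Constructed sample log: one sanctioned request, several public-AI requests
# (some allowed, one denied), ordinary intranet traffic and a malformed line.
SAMPLE_LOG = """\
2026-03-09T08:01:12Z jdoe ai-zone.corp.example 2048 ALLOW
2026-03-09T08:03:40Z jdoe chat.genai-example.com 51200 ALLOW
2026-03-09T08:04:02Z jdoe chat.genai-example.com 4096 ALLOW
2026-03-09T09:15:33Z asmith api.llm-vendor-example.net 120000 DENY
2026-03-09T09:16:01Z asmith eu.chat.genai-example.com 800 ALLOW
2026-03-09T10:02:17Z rlee intranet.corp.example 300 ALLOW
malformed line here
"""


@dataclass
class Finding:
    user: str
    host: str
    requests: int
    bytes_sent: int
    allowed_by_proxy: bool  # True if the egress control let any request through


def host_matches(host: str, domains: set) -> bool:
    """Exact match or any subdomain, so eu.chat.genai-example.com is caught too."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(host: str) -> str:
    """'sanctioned' for the internal platform, 'shadow' for public AI, else 'other'."""
    if host_matches(host, SANCTIONED_AI_HOSTS):
        return "sanctioned"
    if host_matches(host, PUBLIC_AI_DOMAINS):
        return "shadow"
    return "other"


def parse_line(line: str):
    """Return the parsed fields, or None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_shadow_ai(lines):
    """Aggregate public-AI traffic per (user, host); largest uploads first.

    Denied requests are kept on purpose: they still show who is trying to use
    unsanctioned tools, which is the inventory governance needs.
    """
    agg = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or classify(rec["host"]) != "shadow":
            continue
        key = (rec["user"], rec["host"])
        f = agg.setdefault(key, Finding(rec["user"], rec["host"], 0, 0, False))
        f.requests += 1
        f.bytes_sent += int(rec["bytes"])
        if rec["action"] == "ALLOW":
            f.allowed_by_proxy = True
    return sorted(agg.values(), key=lambda f: (-f.bytes_sent, f.user))


def egress_gaps(findings):
    """Public AI hosts the proxy ALLOWed: destinations the egress policy missed."""
    return sorted({f.host for f in findings if f.allowed_by_proxy})


if __name__ == "__main__":
    findings = detect_shadow_ai(SAMPLE_LOG.splitlines())
    for f in findings:
        print(f"{f.user:8} {f.host:32} req={f.requests} bytes={f.bytes_sent} "
              f"allowed={f.allowed_by_proxy}")
    print("egress gaps:", egress_gaps(findings))
```

Bytes sent is the field worth sorting on: in a healthcare setting a large upload to an unsanctioned assistant is the signal that sensitive data may have left the network. The gap list is the feedback loop between detection and the blocking control Sorrels describes: each host in it is a destination the allowlist or micro-segmentation policy has not yet caught.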
As healthcare organizations and employees continue to embrace AI, leaders are tasked with encouraging innovative, enterprise-approved AI use cases while simultaneously educating employees about the dangers of misuse and protecting sensitive data.
Jill Hughes has covered health tech news since 2021.