Friday 22nd May 2026
Shadow AI: why governance needs to catch up with your team
APRA’s latest letter on artificial intelligence is a timely reminder for advisers: keep experimenting but bring AI use into the open before it becomes a compliance problem.
Advisers have always been quick to spot a useful tool. Anything that saves time, improves client service or makes the working day easier is going to get attention. That is exactly why artificial intelligence has moved so quickly from novelty to normality across advice firms.
It might be helping draft a client email, summarise meeting notes, write a social media post or get a first cut of a presentation. None of this is problematic. In most cases, it is simply good operators trying to work smarter and move faster.
When informal adoption becomes a risk
But APRA’s latest letter is a useful reminder that the tools quietly appearing across a business can quickly become a risk if they sit outside normal governance and compliance frameworks. The regulator noted that AI adoption is moving quickly across industries, while governance and assurance practices are not always keeping pace.
A big part of that conversation is “shadow AI”.
The term sounds dramatic, but it simply means staff using AI tools that have not been approved, checked or properly integrated into the business.
For advice practices, that could mean client information being pasted into open AI tools without visibility over where that data is stored, AI-written content being sent without review, or file notes being summarised in ways nobody can later explain.
The opportunity around AI is still enormous. The point is not to shut it down, but to bring how staff are using it into the light.
Where the industry conversation started
At The Inside Network, we have been talking about AI with advisers for a while now.
Back in 2023, Michael Kollo and I launched a national masterclass exploring how AI would eventually touch almost every part of the adviser workflow. The event sold out within days, which probably said everything about where the industry was heading. At the time, it felt like the start of something significant. Looking back, it clearly was.
Since then, the conversation has moved quickly. The community has shifted from asking “what is ChatGPT?” to much more practical questions around governance, process and accountability. Which tools are approved? Who reviews the output? How is the work documented?
That is a healthy shift.
Governance needs to be intentional
The best firms are no longer questioning whether AI is good or bad. They are trying to work out how to use it responsibly inside a business.
APRA’s broader message is that AI governance cannot sit informally with “whoever is interested in tech”. Leadership teams need visibility, accountability and clear ownership over how AI is being used across the team.
For advisers, the plain-English version is simple. Do not make AI a secret; make it a team conversation. Protect client data. Ensure a human reviews anything leaving the practice. Keep records and revisit the rules regularly because the tools are evolving quickly.
The same habits that have always mattered
That may sound like another job on the already long practice management list, but it is really the same muscle advisers have been building for years. Through INPractice webinars and community sessions, we have kept coming back to the same themes: better documentation, stronger compliance habits, smarter tech stacks and more confident business owners.
For example, The Inside Network’s INPractice session on documenting the investment process focused on the importance of getting the discovery and documentation process right, because good advice depends on good records.
AI does not change that. If anything, it makes those habits even more important.
A practical starting point
Importantly, none of this needs to become a 40-page policy document nobody reads. One of the best things about the adviser community is how willing people are to share what is working, what is not and what they wish they had known six months earlier.
That has always been the spirit behind The Inside Network and our Insiders community: sharing ideas and practical lessons, and working through business challenges with like-minded professionals.
Shadow AI is exactly the kind of issue that benefits from that approach. One adviser might be using AI for client emails while another is using it for research summaries or process notes. None of that is necessarily wrong, but businesses still need a shared understanding of what tools are being used, what data can go into them and what requires review before it reaches a client.
A simple AI register, a short team policy and a few agreed use cases are a good place to start. The aim is not to eliminate experimentation. It is to build safe habits around it.
The firms that get this right
APRA’s message should be taken as a nudge, not a scare campaign. AI is already here. Clients are using it, staff are using it, and the best advice businesses will learn how to use it well. The firms that get ahead with AI will not necessarily be the fastest adopters. They will be the ones building the clearest habits around how these tools are used across the business.