The rise of ChatGPT – a cautionary tale for shadow IT


The launch of the AI chatbot ChatGPT marked one of the most heavily utilized software application releases in history. Developer OpenAI said that ChatGPT acquired 1 million users within five days of its debut in November 2022. By comparison, Instagram took 2.5 months to reach 1 million registrations.

ChatGPT became an immediate sensation because of its remarkable natural language ability, producing text that mimics human speech and writing. Very quickly, workers everywhere started using the app to help with professional tasks such as drafting marketing content and writing software code.

As a result, companies have witnessed a dramatic spike in the use of ChatGPT across customer environments since the tool was launched, with some reporting increases of 560%. In turn, this widespread wave of registrations has challenged IT teams to enforce policies for shadow IT, in which employees directly utilize software-as-a-service (SaaS) applications to do their jobs without approval from the IT department. Such unauthorized SaaS usage makes it hard for central IT to monitor all those shadow apps, prevent sensitive data from being leaked into those apps, and ensure compliance and security.

John Harden

John Harden is Auvik's Senior Product Marketing Manager.

Security risk

In a recent egregious case, engineers at Samsung fed proprietary software code into ChatGPT to suggest some fixes for software bugs. In so doing, they accidentally leaked that same confidential code to the chatbot, which then included the lines of software in future responses to others outside Samsung.

Such a misstep by a major global tech leader only highlights the fact that these new AI technologies are coming into widespread business use much faster than internal controls can keep pace. Employee education is critical, whether these AI tools are adopted as shadow IT or as sanctioned IT. An open dialogue should be encouraged between the business stakeholders who procure SaaS apps and the IT teams who help their organizations stay safe. Only in this way can IT teams maintain accurate software and account inventories and ensure IT compliance.

It is often said that the only company without shadow IT is a one-person company. The remote workforce has only accelerated this trend. The shadow IT impulse is understandable because SaaS apps help people do their jobs better. Whether it is a collaboration tool like Slack or Microsoft Teams, or a file-sharing app like Dropbox or WeTransfer, new SaaS apps are driving workforce productivity and efficiency.

However, this dynamic makes it dangerous for employees to sign up for SaaS apps on their own without notifying IT, due to cybersecurity risks and regulatory compliance gaps. IT leaders need to implement processes and policies that proactively address shadow IT adoption so employees clearly understand which apps are approved or not, and how their access might introduce cyber threats.

Mitigating the opaque dangers of shadow IT

Of course, we know that most employees do not pursue shadow IT options based on some malicious intent. It comes more from a lack of recognizing the implicit threats, and from the basic need to perform in their jobs. As employees input information into these new AI systems, the AI engine incorporates the data into its own learning models. That is why it is so crucial for employees to recognize what types of data they are inputting, especially when the data is sensitive or confidential. Just ask Samsung!

Proper documentation through SaaS management can save companies time and money while also improving security. For instance, internal IT teams at many companies still rely on credit card statements or web traffic analysis to track software usage. Modern SaaS management systems, by contrast, can detect shadow IT by monitoring employee access to SaaS collaboration platforms such as Dropbox. That step alone identifies more cases of shadow IT than cost management tools, which only notice Dropbox when a periodic upgrade shows up as a charge.

In addition, regular training sessions can help workers understand their responsibility to partner with IT and to choose apps that meet the company's checklist for adopting new software vendors. IT and security leaders should schedule periodic sessions to discuss which AI tools are approved and how the data employees enter can be used to train AI models. At the same time, IT managers need to reinforce the value of coming to IT first when a new business problem arises, rather than resorting to shadow IT.

For all these reasons, IT leaders need to develop processes and policies that proactively address shadow IT adoption. Employees should understand which apps are approved, how they can access them for different purposes, and how that access might impact company security. In the best cases, IT can offer alternative SaaS options to avoid shadow IT. In the worst cases, such access should be banned.

Clearly, there is no way to completely halt the explosion of shadow IT today. Therefore, the strategy should be to allow employees to become change agents in their own jobs while educating them on the SaaS apps available to them, and urging their support to ensure compliance and security across their larger organizations.


John Harden is Auvik's Senior Product Marketing Manager. He has spent 15+ years in the IT/MSP industry, with experience in MSP NOC as well as software engineering and operations.