The Indian enterprise ecosystem is currently experiencing a hyper-charged era of artificial intelligence (AI) adoption. Driven by a highly skilled workforce and an aggressive push toward digital transformation, India leads global AI adoption metrics.
Recent industry data indicates that 92% of surveyed employees in India use generative AI (GenAI) tools at least several times per week.
However, beneath this impressive metric lies a severe vulnerability for IT governance and corporate compliance. “Shadow AI” refers to the unauthorised use of public, consumer-grade GenAI tools by employees to accelerate daily tasks without IT oversight or approval.
Research indicates that shadow AI usage in India reaches up to 58%, the highest globally. Whether a financial analyst uploads a spreadsheet to a public large language model (LLM) to generate a summary, or a software engineer pastes proprietary code into a chatbot for debugging, these actions bypass centralised enterprise security controls.
For lead investigators and compliance managers, this illusion of productivity masks a critical risk of data exfiltration. Public LLMs often retain user inputs to train future iterations of their models. Consequently, when employees use unsanctioned tools, they inadvertently disclose confidential corporate intellectual property (IP) and sensitive customer data to the public. Furthermore, incidents involving shadow AI inflate the average cost of a corporate data breach
by approximately INR 17.9 million.
The Regulatory Landscape Under the Digital Personal Data Protection (DPDP) Act, 2023
The regulatory environment in India has fundamentally shifted, transforming shadow AI from a standard IT operational challenge into a severe legal and ethical liability. Under India’s DPDP Act, 2023, the definition of a
"personal data breach" broadly encompasses any unauthorised processing, disclosure, sharing or use of personal data that compromises its confidentiality or integrity.
If an employee feeds a prompt containing a customer’s personally identifiable information (PII) into an unsanctioned public LLM, it constitutes a reportable personal data breach. The DPDP Act maintains an unyielding stance on enterprise accountability. Section 8(5) mandates that data fiduciaries must implement reasonable security safeguards to protect data. Failure to prevent a data breach due to inadequate safeguards can result in penalties of up to INR 250 crore. Furthermore, the failure to report such a breach to the Data Protection Board of India (DPBI) and the affected individuals carries
an additional penalty of up to INR 200 crore.
Beyond regulatory fines, the loss of intellectual property and the
mandate to report cybersecurity incidents to the Indian Computer Emergency Response Team (CERT-In) elevate shadow AI to a board-level risk that demands proactive investigation and/or monitoring.
The Core Governance and Investigation Challenge
Traditional cybersecurity frameworks were designed to protect organisations from external threat actors. Shadow AI, however, represents an insider threat driven by a desire for efficiency rather than malice. Banning AI tools entirely often backfires, driving usage further underground as employees pivot to personal devices or hidden accounts.
When a data leak occurs via a public LLM, investigators face significant forensic hurdles. Unlike compromised corporate email servers,
public AI platforms do not provide enterprise administrators with audit trails, making it nearly impossible to determine the exact scope of exfiltrated data. Therefore, the investigative focus must shift from reactive incident response to proactive behavioural monitoring and ethical governance.
A Practical Investigative Playbook
To protect the enterprise without stifling digital innovation, risk managers and investigation teams must adopt a structured, proactive approach to monitoring and governing AI usage.
- Map the AI Attack Surface (Discovery and Visibility)
Organisations cannot investigate what they cannot see. Relying on self-reporting or simple URL filtering is insufficient. Investigators must collaborate with the Security Operations Centre (SOC) to deploy Cloud Access Security Brokers (CASB) and data loss prevention (DLP) tools specifically calibrated to monitor outbound API calls and web traffic directed at GenAI platforms. Establishing a baseline of which unsanctioned tools are being accessed and the volume of data being transferred is the critical first step in an investigation.
- Investigate Intent Versus Negligence
When unauthorised AI use is detected, investigation teams must conduct a behavioural forensics review. The investigation must differentiate between a coordinated attempt at corporate espionage (e.g., malicious IP theft) and an employee attempting to streamline a mundane administrative task. Applying an ethical, proportionate lens to the investigation ensures that negligent employees receive targeted training and malicious actors face appropriate disciplinary action.
- Modernise the Acceptable Use Policy (AUP)
Standard confidentiality agreements drafted before the AI boom no longer suffice. The corporate AUP must explicitly address generative AI. Policies should clearly define what classes of data, such as PII, financial models, source code and unreleased product roadmaps, are strictly prohibited from being processed by external AI tools. This modernisation directly aligns with the consent and data limitation mandates of India’s DPDP Act.
- Establish Enterprise "Safe Harbors"
Enforcement-only strategies inevitably fail. To eradicate shadow AI, organisations must provide secure, sanctioned alternatives. By deploying enterprise-grade, private LLM tools, ideally hosted within localised data centres to ensure data sovereignty, companies allow employees to leverage GenAI safely. These sanctioned platforms prevent data inputs from being used to train public models and provide investigators with the vital audit logs needed to verify compliance.
Implementing Effective Frameworks for the Future
Shadow AI thrives in the operational gap between corporate security policy and employee enablement. As the Indian enterprise landscape continues to embrace digital transformation, governance and compliance professionals must guide this transition safely. By investigating unapproved AI use through an ethical compliance lens, updating regulatory frameworks in line with the DPDP Act and providing secure technological alternatives, organisations can harness the transformative power of generative AI without compromising their digital integrity.
Editor’s Note: The views and opinions expressed in this article are solely those of the author and do not represent the positions of any affiliated organization or person other than the author.
