Why Are My Best Staff Using AI We Never Approved? (And What That’s Really Telling You)
- Urvashi Pathak
- 4 days ago
- 4 min read
Medora Advisor’s Summary
Shadow AI in healthcare usually gets framed as a security failure. We think that’s the wrong read. When your staff quietly turn to unapproved AI tools, they’re not breaking rules for fun — they’re telling you the official path is too slow, or doesn’t exist yet. This piece looks at shadow AI as a governance signal, not a discipline problem, and what providers can actually do about it.

More Information
Let’s break this down, because the standard conversation about shadow AI tends to go straight to fear. The breach numbers, the HIPAA exposure, the lawyers. All real. But starting there misses the more useful question: why is a smart, busy nurse manager pasting a patient summary into a consumer chatbot in the first place?
The answer is less sinister than most leadership decks assume. In a December 2025 survey of more than 500 healthcare workers, Wolters Kluwer Health found that 17% admitted to using unauthorized AI tools at work — and among providers who did, 45% said the reason was simply a faster workflow. Not malice. Not laziness. People reaching for a faster way to get through documentation that’s burying them.
That reframes the whole problem. Shadow AI isn’t your staff going rogue. It’s your staff telling you something about the gap between the work you’ve asked them to do and the tools you’ve given them to do it. When the sanctioned option is slower than the unsanctioned one — or when there’s no sanctioned option at all — people route around the obstacle. They always have. This is the same instinct that produced the shared spreadsheet nobody in IT knew about, just with higher stakes.
And the stakes here are genuinely higher. When PHI lands in a consumer tool with no Business Associate Agreement behind it, you’ve created an unmonitored data flow outside your governance perimeter. Most consumer platforms aren’t built for healthcare and don’t offer a BAA, which is why a single careless paste can become a reportable event. For the specifics on what a BAA covers and when it’s required, HHS keeps the authoritative guidance on HHS.gov — worth pointing your compliance team to it directly rather than relying on summaries.
Here’s what often gets overlooked: punishing the behavior doesn’t remove the pressure that caused it. Block one tool and the workaround migrates to another. The demand was never for that specific app — it was for relief from a workflow that doesn’t fit the day. Treat shadow AI as a discipline problem and you’ll spend a year playing whack-a-mole while the underlying friction stays exactly where it was.
The more honest move is to read the signal. Where is shadow usage clustering? Documentation? Prior auth? Patient messaging? Those are your unmet-need heat maps, drawn for free by the people closest to the work. Most organizations would pay a consultant good money for that data. Their staff are handing it over, one unauthorized login at a time.

Shadow AI Isn’t a Security Problem. It’s a Workflow Problem in Disguise
The instinct to lead with lockdown is understandable, but it tends to backfire. A blanket ban tells your staff that the organization would rather they struggle with a compliant-but-slow process than get help. That’s a hard message to send to people already stretched thin — and it rarely survives contact with a 2 a.m. charting backlog.
There’s evidence the constructive path works better. Research from security firm Vectra found that organizations that simply provided an approved, secure alternative saw unauthorized AI use drop by roughly 89%. The behavior didn’t need to be policed out of existence. It needed a legitimate destination. Give people a sanctioned tool that’s actually faster than the workaround, and the workaround mostly disappears on its own.
This is where governance has to be designed in from the start, not bolted on after an incident. A workable approach usually includes a few things:
• A published, living list of approved AI tools — with BAAs in place — so “is this one okay?” has a clear answer.
• A plain-language boundary for what counts as PHI and where it can and can’t go, written for clinicians, not lawyers.
• Real-time guidance and gentle warnings at the point of use, rather than hard blocks that just push people to the next unmonitored option.
Notice that none of these start with surveillance. They start with making the right path the easy path.
What Health Systems Get Wrong When They Try to Stop Shadow AI
The common mistake is measuring the wrong thing. Leadership tracks how many unauthorized tools IT detected, then declares progress when the number drops. But a falling detection count can mean people got better at hiding, not that the pressure eased. The metric that matters is whether the friction that drove the behavior is gone.
A second mistake is treating this as a one-time cleanup. Tools change weekly. Anchoring your governance to specific products means you’re always a step behind. Anchoring it to data boundaries — what PHI is allowed to leave your controlled systems, and under what contractual terms — gives you something durable that survives the churn.
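To make the two ideas above concrete (an approved-tool list backed by BAAs with plain-language guidance at the point of use, and governance anchored to where PHI may go rather than to specific products), here is an added illustration of a point-of-use guard. It is example code written for this article, not Medora Advisors’ code or any vendor’s product; the hostnames, the PHI patterns, and the sample text are constructed placeholders. The guard evaluates a destination by its data-boundary status (is there a BAA?) rather than by product name, so an unknown tool is handled the same way as a known consumer one, and every non-approved attempt is tallied by workflow so the log doubles as the unmet-need heat map the article describes.

```python
"""Point-of-use AI data-flow guard (illustrative, constructed example)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"        # approved tool with a BAA in place
    WARN = "warn"          # unapproved tool, no PHI seen: remind, don't obstruct
    REDIRECT = "redirect"  # PHI headed to a tool without a BAA: point to the approved path


@dataclass
class Destination:
    name: str
    has_baa: bool   # signed Business Associate Agreement on file?
    approved: bool  # on the published approved-tools list?


@dataclass
class Decision:
    verdict: Verdict
    message: str                       # plain-language guidance shown to the clinician
    phi_found: list = field(default_factory=list)


# PHI indicators for illustration only; a real deployment tunes these to its own identifiers.
PHI_PATTERNS = {
    "DOB": re.compile(r"\b(?:DOB|date of birth)[: ]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.I),
    "MRN": re.compile(r"\bMRN[:# ]*\d{6,10}\b", re.I),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}


def find_phi(text: str) -> list:
    """Return the sorted names of PHI indicators present in the text."""
    return sorted(name for name, pattern in PHI_PATTERNS.items() if pattern.search(text))


class PointOfUseGuard:
    def __init__(self, registry: dict, approved_alternative: str):
        self.registry = registry                    # hostname -> Destination
        self.approved_alternative = approved_alternative
        self.signals = Counter()                    # (workflow, host) -> attempts not allowed

    def evaluate(self, host: str, text: str, workflow: str = "unspecified") -> Decision:
        phi = find_phi(text)
        dest = self.registry.get(host)
        # The boundary is contractual, not product-based: approved AND covered by a BAA.
        if dest is not None and dest.approved and dest.has_baa:
            return Decision(Verdict.ALLOW, f"{dest.name} is approved and covered by a BAA.", phi)
        # Anything else (unapproved, or simply unknown) is outside the governance perimeter.
        self.signals[(workflow, host)] += 1
        if not phi:
            return Decision(
                Verdict.WARN,
                "This tool isn't on the approved list. Fine for general questions; use "
                f"{self.approved_alternative} for anything involving patient information.",
                phi,
            )
        return Decision(
            Verdict.REDIRECT,
            f"This looks like PHI ({', '.join(phi)}) going to a tool with no BAA, which would "
            f"be an unmonitored data flow. {self.approved_alternative} handles this same task.",
            phi,
        )

    def heat_map(self) -> list:
        """Where shadow usage clusters, most frequent first: the signal worth reading."""
        return self.signals.most_common()


# Constructed registry and sample usage.
REGISTRY = {
    "ai.example-health.internal": Destination("Internal clinical assistant", True, True),
    "chat.consumer-example.com": Destination("Consumer chatbot", False, False),
}

if __name__ == "__main__":
    guard = PointOfUseGuard(REGISTRY, "the internal clinical assistant")
    print(guard.evaluate("chat.consumer-example.com",
                         "Pt DOB 03/14/1961, MRN 00123456, needs a discharge summary",
                         workflow="documentation"))
    print(guard.heat_map())
```

Note what the design does not do: it does not silently drop the request, and it does not key on a product name. Whether a REDIRECT is enforced or left advisory is a policy choice the guard leaves to the organization; what it always does is record the attempt, because the count of redirects per workflow is the data the article says your staff are handing you for free.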
Honestly? This one surprises a lot of the leaders we talk to. They come in expecting a technology fix and leave realizing the real work is operational: closing the gap between what staff need and what they’ve been handed. That’s harder than buying a monitoring platform. It’s also the only thing that actually works.
The Takeaway
Shadow AI is uncomfortable, but it’s also unusually honest feedback. Your people are showing you exactly where your workflows fail them and exactly where they’d accept help if you offered a safe version of it. The systems that come out of this period in good shape won’t be the ones that locked everything down hardest. They’ll be the ones that listened to what the workaround was trying to say, then built a better sanctioned path before the next breach forced the issue. Only your own teams can really tell you where their pain points are — and right now, they’re telling you for free.
Conversation Starters
• “Where is shadow AI actually clustering in our organization, and what does that reveal about our workflow gaps?”
• “Do we have an approved, faster alternative ready — or are we just asking people to live with the slow path?”
• “Is our governance anchored to specific tools, or to where our PHI is allowed to go?”
Ready to talk it through?
Book a discovery call with Medora Advisors: Schedule here