One of the more realistic and overlooked uses of shadow AI may be security questionnaires, not because employees are trying to bypass security controls, but simply because they are trying to avoid delaying customers.
Consider a two-person accounts department in a small B2B SaaS company: an internal accountant and a part-time assistant dealing with invoicing, subscription changes, payment enquiries, suppliers and even managing the company's payroll and HR. An existing customer urgently needs a new account set up following internal restructuring. What initially appears to be a straightforward admin request suddenly arrives with a lengthy supplier questionnaire attached. The spreadsheet contains tabs for general supplier information, invoicing details, insurance, financial stability, ESG, company policies, data privacy and information security. Most of it looks administrative rather than technical. The accounts team are already responsible for much of the relationship with the customer, so it feels natural for them to begin completing the document. This type of workflow is not unusual in smaller companies. Supplier due diligence questionnaires often arrive as part of wider onboarding or procurement processes rather than as standalone security reviews handled exclusively by technical staff.
Historically, this often created a natural point of escalation. Someone without security experience would reach the information security section, realise they didn't understand the terminology and involve technical or security staff. AI changes that dynamic. Nowadays, an employee can paste unfamiliar questions into an AI tool and immediately receive polished, professional-sounding responses. Technical terminology is explained instantly and entire questionnaires can be completed in minutes. The employee is not trying to bypass process or behave irresponsibly. They are simply trying to keep things moving and avoid delaying the customer.
The obvious concern is confidentiality. Employees may upload customer names, internal policies, architectural details or supporting documentation into external AI services without any formal approval process or direct confidentiality agreement with the AI provider. In some cases, this may also create GDPR or data sovereignty concerns if personal data or customer information is included in prompts or uploaded files. However, the more significant risk is often contractual rather than purely technical. Security questionnaires are not simply requests for information. They frequently contain representations about how an organisation operates, so responses may be relied on later during procurement reviews, audits, incident investigations or disputes.
AI can help generate professional-sounding answers, but it cannot determine whether those answers accurately reflect reality inside the organisation. This becomes especially risky when the employee using AI doesn't have sufficient knowledge of the organisation's actual controls, processes or architecture. A user who is not a specialist may unintentionally overstate the maturity of the security processes in place, describe controls that only partially exist, imply that reviews or monitoring activities are formally documented when they are informal, commit the company to processes that are not operationally sustainable, or overlook valid compensating controls because they do not understand them well enough to describe them to the AI system. In many cases, the AI output may not be 'wrong' in a technical sense. It may simply describe what a mature or standardised answer typically looks like.
That creates a subtle but important problem. The less security experience the employee has, the harder it may be for them to recognise when an AI-generated response sounds plausible but doesn't accurately reflect reality. Ironically, AI can remove the very signals that previously triggered escalation. Before AI, uncertainty often caused people to stop and ask for help. With AI, uncertainty can be replaced by fluent, confident output that creates the impression the questionnaire has been handled correctly.
None of this means AI should never be used to assist with security questionnaires. AI can genuinely help explain terminology, summarise policies and accelerate drafting. But questionnaires that contain security, privacy or operational commitments still require review by someone knowledgeable, as well as clear approval boundaries. AI does not remove the need for expertise. But it can remove the signals that expertise is missing.