A marketing manager uploads a client list to ChatGPT to segment the database. An HR specialist uses AI to summarize candidate CVs. A finance team member tasks generative AI with drafting a quarterly presentation. These actions are well-intentioned and driven by a desire for efficiency; yet they often occur without the company’s knowledge.
This is a daily reality in almost every organization following the integration of Generative AI (GenAI) into professional life.
In the literature, this phenomenon is dubbed "Shadow AI." It refers to the individual use of artificial intelligence that bypasses corporate oversight, audit trails, and established protocols.
Türkiye’s Personal Data Protection Authority’s (“the Authority”) document titled “The Use of Generative AI Tools in the Workplace,” published in March 2026, serves as a stark warning: the fact that AI use remains invisible to the corporation does not absolve the company of legal liability. On the contrary, it allows liability to silently accumulate upon the organization.
The Authority’s document focuses on the workplace use of third-party, publicly accessible GenAI tools. It aims to foster corporate awareness, highlight potential risks, and encourage informed utilization.
In this article, we will examine:
- The risks Shadow AI poses to companies.
- The Authority’s recommendations for managing these risks.
- The essential components of an internal AI policy.
A Six-Axis Risk Map
The Authority classifies the risks associated with Shadow AI under six main headings:
- Intellectual Property and Trade Secrets: Sharing source code, product designs, business strategies, or competitively sensitive data with external tools can lead to the loss of corporate control. In many cases, this data may be ingested to train public models.
- Auditability and Accountability: When outputs are generated via tools outside of corporate logging mechanisms, it becomes difficult to determine which data was processed for what purpose. If there is no traceability during a breach, there is no defense.
- Information and Cyber Security: Tools used outside corporate control expand an organization’s attack surface through insecure APIs, personal devices, or unmanaged integrations, increasing the risk of unauthorized access and data loss.
- Decision Quality and Automation Bias: Tools used without corporate vetting may produce erroneous or inconsistent outputs. The document specifically highlights "automation bias"—the tendency of employees to accept machine outputs without sufficient questioning, which can eventually marginalize human judgment.
- Protection of Personal Data: Personal data transferred to third-party systems via prompts may be processed unlawfully, used for purposes beyond the original intent, or become accessible to others through generated outputs. The document explicitly clarifies that Law No. 6698 (KVKK) applies regardless of the technology used.
- Corporate Reputation: Relying on unverified AI outputs can damage a company’s credibility with stakeholders through misinformation or low-quality content.
To illustrate these risks, one need only look at common real-world scenarios:
- A procurement team uses a public AI tool for competitor analysis; the entered data is stored on third-party infrastructure.
- A legal intern uploads a contract addendum containing sensitive personal data; client confidentiality and international data transfer regimes are instantly compromised.
- An HR manager uses AI recommendations as a filter for recruitment rankings; automation bias creates a risk of discrimination, and the rationale for the decision cannot be explained later.
The common thread is striking: none of these stem from malice. They are all the result of a policy vacuum.
Framing, Not Banning
One of the most strategic insights in the Authority’s document is the explicit assessment that prohibitory approaches do not work in practice.
The Authority states that attempting to completely ban GenAI tools is unrealistic and often reinforces Shadow AI usage as employees seek workarounds. Instead, the KVKK suggests managing risks through an approach built on five pillars:
- A clear corporate policy framework.
- A vigilant corporate stance regarding personal data.
- The preservation of human oversight.
- Technical security measures.
- Employee awareness training.
The primary corporate instrument to implement these pillars is an “AI Policy.”
Anatomy of a Policy
Based on our experience and the Authority’s guidelines, a functional AI policy should include the following:
- Scope and Definitions: Clearly define who (employees, consultants, third parties) and what (GenAI, traditional AI, agentic AI) the policy covers. Agentic AI systems should be a distinct category; these systems can take multi-step actions without human approval and possess significantly different risk profiles.
- Risk Classification: Not all AI use carries the same risk. Categorize use cases into Low (e.g., grammar checks), Medium (e.g., public data analysis), and High (e.g., analysis involving personal data or critical decision support), with distinct oversight for each.
- Rules for Personal Data and Trade Secrets: Provide an explicit "Never Share" list: customer/employee data, special categories of personal data, trade secrets, and unannounced strategic plans. Use practical examples for anonymization; abstract bans are rarely effective.
- Mandatory Corporate Accounts: Explicitly mandate the use of corporate-licensed accounts and prohibit personal free accounts. Corporate contracts typically include guarantees that prompts will not be used for model training—a layer of protection absent in personal accounts.
- The Principle of Human Oversight: For decisions affecting individuals or business processes, AI output must only be a supportive input. The final decision must rest with a human. This is a critical defense against discrimination claims and is vital for protecting rights under Article 11 of the KVKK.
- Transparency and Disclosure: If AI systems interact directly with employees or customers, those individuals have a right to know they are communicating with an AI. Disclosure obligations under KVKK remain fully applicable.
- Development Life Cycle: For internally developed systems, document Privacy by Design, Data Protection Impact Assessments (DPIA), red teaming, and phased deployment. For third-party integrations, mandatory legal and technical evaluations must precede procurement.
- Allocation of Roles: Define a map of authority and responsibility for Legal, IT, developers, business units, and executive management. Otherwise, "everyone’s responsibility" often becomes "no one’s responsibility."
- Reporting and Sanctions: Establish channels for reporting suspicious outputs, a periodic audit mechanism, and a disciplinary framework for policy violations.
The Luxury of Delay is Gone
Generative AI has evolved from a future vision into a permanent fixture of corporate infrastructure. For companies that leave this transition unmanaged, the consequences are clear: legal sanctions, reputational damage, loss of information, and a subsequent loss of market share.
The Authority’s proactive approach and the timing of this document are commendable. Furthermore, we believe two key conclusions can be drawn from this publication:
- A New Standard: In any future KVKK investigation or data breach litigation, the benchmark for "generally accepted practice in the industry" has shifted. The Authority has now formally put in writing its expectation for a corporate approach and policy regarding AI.
- Accountability: In the event of a breach, an active AI policy will serve as a critical document to prove that necessary technical and administrative measures were taken.
Finally, customer and investor expectations are being reshaped by these developments. Corporate buyers are increasingly structuring supplier evaluations around data management standards. The question, "Do you have an AI usage policy?" is becoming a standard checkpoint in large-scale tenders and investment rounds.
Conclusion
The AI-specific regulatory framework in Turkey is still in its formative stages. The Authority’s document should be viewed as a foundational resource for this framework. Companies that establish their own order before formal regulations arrive will enjoy a positioning advantage rather than the pain of forced compliance later.
We strongly recommend that organizations begin their alignment efforts by drafting an AI policy based on the framework provided by the Authority.