A few months ago, a friend who runs platform security at a mid-size fintech told me something that stuck with me: "We blocked ChatGPT in March. By April, our DLP logs showed zero AI-related incidents. I genuinely thought we'd solved it."
Then someone on the data team flagged that a contractor had been pasting customer records into Claude for three weeks. Nobody had blocked Claude. Nobody had even thought to.
This is the story playing out in engineering orgs everywhere right now, and it's worth talking about honestly, because most of the advice floating around treats it as a policy problem when it's really an architecture problem.
The DNS Block Is Security Theater
Here's the thing about blocking chat.openai.com at the network layer: it stops exactly one access path to exactly one tool. That's it. It doesn't touch the underlying reason people reached for AI in the first place, which is almost always "this manual task is slow and AI makes it fast."
So what happens? Engineers don't stop using AI. They just stop using the AI you can see.
- They switch to Claude, Gemini, or Perplexity, none of which were on the blocklist
- They install a VS Code extension that proxies prompts to an LLM API under a personal key
- They use Copilot, Cursor, or Tabnine — tools that were already approved for "productivity" and never had their data flow audited
- They tether to a phone hotspot for five minutes when they need something the corporate network won't allow
None of this is malicious. It's just what happens when a restriction shows up without a viable alternative. If you've ever worked somewhere that blocked Slack and watched the whole team migrate to a WhatsApp group within a week, you already understand the mechanism. AI is following the identical pattern, just with a much scarier data exposure profile attached.
Why This Is Worse Than Shadow IT Used to Be
Shadow IT has always existed — unsanctioned SaaS tools, personal Dropbox accounts, that one engineer running a side server under their desk. Security teams have decades of muscle memory for dealing with it.
Shadow AI breaks that muscle memory in two specific ways.
The exposure is instant and content-rich. Uploading a file to an unauthorized cloud drive is a discrete, loggable event. Pasting a stack trace that contains a customer's API key into a chatbot is not a file transfer — it's a string typed into a text box. Most DLP tooling was built to catch files leaving the building, not sentences. It simply doesn't recognize the prompt as a transfer event at all.
The surface area is nearly impossible to enumerate. A rogue Dropbox account is one app. AI is now embedded inside your IDE, your email client, your CRM, your ticketing system, and half the browser extensions your team has installed. A developer using GitHub Copilot, a PM using Notion AI, and a support engineer using an AI summarizer baked into Zendesk are all "using AI" — and none of it looks remotely similar from a network monitoring standpoint.
What Shadow AI Actually Looks Like in an Engineering Org
If you map it out, Shadow AI usually shows up in three layers, and most security teams only have visibility into the first one.
Layer 1: The tools you already blocked
ChatGPT, Claude.ai, Gemini — accessed through a browser, on a managed device, on the corporate network. This is the layer DNS-level blocking actually addresses, and even then only partially. Anyone on a home network or personal hotspot walks right past it.
Layer 2: AI quietly added to tools you already approved
This is the layer that catches most security teams off guard. Salesforce Einstein, Microsoft 365 Copilot, Notion AI, GitHub's native AI features — these often shipped as updates to platforms that were procured and approved long before the AI capability existed. Nobody re-reviewed the data processing agreement when the vendor flipped on a new feature flag. Technically, employees using it are following policy. Practically, nobody knows where that data is going.
Layer 3: The stuff nobody's looking at
Browser extensions that summarize pages or rewrite emails by silently forwarding content to a third-party API. Locally installed coding assistants pulling from personal API keys. A developer's .env file accidentally pasted into a prompt while debugging at 11pm. This layer is invisible to network monitoring almost by definition — it doesn't generate the kind of traffic pattern anyone's watching for.
Why Your Existing Stack Doesn't Catch This
It's worth being specific about why DLP, CASB, and SIEM tooling — the stack most orgs already trust — struggles here. It's not that these tools are bad; they were just built for a different shape of problem.
- DLP is tuned to catch files and structured transfers, not interactively typed prompt text. A paragraph pasted into a chat window rarely trips a rule designed around file movement.
- CASB platforms are strong on known SaaS apps but have inconsistent coverage of AI features bolted onto those apps after the fact, and almost no visibility into browser extensions.
- SIEM only knows what's logged. Most consumer AI tools don't generate logs that feed into your SIEM at all, so from the SIEM's perspective, the usage doesn't exist.
- Network monitoring only covers the corporate network. Remote work made this gap enormous — a developer on a home network using a personal AI account is completely outside the perimeter.
Tuning these tools harder doesn't close the gap. They weren't designed to look at this kind of signal in the first place.
Visibility Beats Banning — Here's the Practical Version
The teams handling this well aren't the ones with the strictest blocklists. They're the ones that can actually answer questions like: which AI tools are people using, what data is going into them, and is that appropriate given the user's role and the sensitivity of what they touch.
That's a discovery and monitoring problem, not a firewall problem. A few concrete things that move the needle:
- Run an AI asset inventory before writing policy. You can't govern what you haven't mapped. Catalog SaaS AI features, browser extensions, IDE plugins, and any AI APIs your engineering team is calling directly.
- Classify tools by risk, not by name. An enterprise Copilot deployment with proper data residency controls is a different risk category than the same employee using a personal ChatGPT account on a home laptop. Treat them differently.
- Use role-based access instead of blanket bans. A developer touching production credentials needs tighter AI guardrails than someone working in a sandboxed repo. One policy for everyone is either too loose or too restrictive for most of your org.
- Get prompt-level audit logging in place. This is the actual enforcement mechanism. A written policy that nobody can verify is just a PDF. Logging what's being submitted to AI tools — and flagging when sensitive data categories show up — is what turns policy into something real.
- Give people an approved alternative. Every Shadow AI story starts the same way: someone needed to move fast and the approved path was slower than the unapproved one. If you don't offer a sanctioned tool that's actually good, you've just guaranteed people will go find one themselves.
The Real Takeaway
Blocking ChatGPT isn't wrong, exactly — it's just answering the wrong question. The question isn't "how do we stop people from using this one tool." It's "what AI is actually running across our systems, who's using it, and with what data."
You can't answer that with a DNS rule. You answer it by building visibility into how AI is actually used across your stack, then layering governance on top of what you find — rather than guessing and hoping the guess holds.
Shadow AI isn't really a story about employees ignoring the rules. It's a story about engineering orgs that haven't built the visibility to know what's happening in their own environment yet. That's a fixable problem, but it starts with looking, not blocking.
Must read, Why Blocking ChatGPT Won't Stop Shadow AI
Top comments (0)