Author: Lourdes Rojas, Founder & CEO, Eunoia Consulting Co. Published: May 18, 2026.
Shadow AI — employees using unauthorised AI tools outside IT oversight — is creating serious HIPAA, EU AI Act, and patient safety risks across healthcare organisations. This article covers how to detect shadow AI adoption, assess the risks, and build governance frameworks that enable safe AI use without stifling innovation.
Shadow AI refers to AI tools and applications used by clinical or administrative staff without formal IT approval, security review, or governance oversight. Common examples include using consumer LLMs to summarise patient notes, AI transcription tools not covered by a Business Associate Agreement, and AI-powered scheduling or billing tools adopted at the departmental level without enterprise review.
Shadow AI creates HIPAA liability when PHI is processed by unapproved vendors, patient safety risk when unvalidated AI outputs influence clinical decisions, and regulatory exposure under the EU AI Act and FDA SaMD guidance. The risk is compounded by the speed of AI adoption — most healthcare organisations have more shadow AI than they realise.