There's a line item missing from your company's accounts. It doesn't show up in your IT budget. It's not in your software subscriptions report. Your finance team doesn't know it exists.
It's your AI spend. And it's growing every month.
What is shadow AI?
Shadow AI is the AI equivalent of shadow IT — employees adopting AI tools without the knowledge or approval of management, IT, or finance. And it's happening in almost every business right now.
Five years ago, the problem was SaaS sprawl. Departments signing up for project management tools, CRM systems, and collaboration platforms without telling anyone. Companies would discover they were paying for three different tools that did the same thing, with nobody tracking the total cost.
Shadow AI is the same pattern, but worse. Because AI tools don't just cost money — they process your company's data. Customer emails, internal documents, financial figures, employee information. All flowing through systems nobody is monitoring.
How it happens
It starts innocently. A developer signs up for ChatGPT Plus to help with code reviews. A marketer uses Claude to draft campaign copy. Someone in HR discovers an AI tool that summarises CVs. A salesperson starts using a transcription service for client calls.
Each person solves their own problem. Each person pays on their own card or expenses it without anyone asking questions. Each person assumes someone else knows about it.
Nobody does.
Within a few months, a typical 50-person company has seven to ten AI tools in active use. The business owner thinks they have two or three. Finance has no idea the rest exist.
The cost problem
Every one of those tools has a subscription. ChatGPT Plus is £20 per month per person. Claude Pro is the same. Copilot, Jasper, Midjourney, Perplexity, Grammarly — they all add up.
It's not uncommon to find four people in the same company each paying for ChatGPT Plus individually — £80 per month total — when a Team plan would cost £48. Same access, 40% less money, and nobody had thought to consolidate because nobody knew everyone was using it.
Then there's API usage. If your developers are calling OpenAI or Anthropic APIs directly, that spend is even harder to track. It's billed per token, shows up on a cloud bill or a separate provider invoice, and grows quietly in the background. A team running GPT-4o when GPT-4o-mini would do the job is spending 15 times more than they need to — and nobody's checking because nobody can see it.
Add it all up and the real AI spend in most SMBs is two to three times what anyone thought.
The data problem
Cost is the visible problem. Data is the dangerous one.
Every time an employee pastes something into an AI tool, that data is sent to a third-party provider. It leaves your building. It's processed on someone else's servers. And depending on the tool's terms of service, it might be used to train future models.
Your developer pastes proprietary code into ChatGPT to debug it. Your marketer feeds a client brief into Claude to generate ideas. Your HR team uploads CVs to an AI screening tool nobody in IT has heard of. Your sales team runs customer calls through a transcription service that stores audio on servers in the US.
None of this is malicious. All of it is risky. And none of it is being tracked.
The compliance problem
The EU AI Act lands on August 2, 2026. If your business serves EU customers — and most UK businesses do — it applies to you.
The Act requires businesses to catalogue their AI systems, classify them by risk level, and maintain audit trails. For high-risk systems — AI that makes decisions about people, like recruitment screening or credit assessments — the obligations are substantial. For limited-risk systems — chatbots, AI-generated content — you need transparency and disclosure at minimum.
You can't comply with regulations about AI systems you don't know exist. Shadow AI makes compliance impossible because the first step — knowing what AI your business uses — is the step nobody has taken.
Why finance can't see it
Traditional spend tracking doesn't catch AI costs because they don't look like AI costs.
Individual ChatGPT subscriptions appear as "OpenAI" on expense reports — if they appear at all. Some employees pay personally and never claim it back. API costs show up on AWS or provider bills under account numbers that nobody in finance recognises. Embedded AI features are bundled into existing software subscriptions that increased in price without anyone reading the changelog.
Finance categorises what it can see under "software" and moves on. The rest is invisible.
How to surface it
The first step is the simplest and the hardest: ask your team what AI tools they're using. Not what's been approved — what they're actually using. Every department, every role, every personal account being used for work.
Check expense reports for the last three months. Search for OpenAI, Anthropic, ChatGPT, Claude, Copilot, Midjourney, Grammarly, Perplexity. Check personal card claims. Check company card statements.
Review your existing software subscriptions. How many have added AI features or AI tiers in the last year? Are you paying for AI capabilities you didn't ask for?
For API usage, log into each AI provider dashboard and check the usage page. Look at which models are being used, how many tokens are flowing through, and what it's costing.
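The expense-report search described above can be scripted against a CSV export. This is an added example, not part of the original article: the column names, the sample rows and the alias mapping are constructed assumptions, and only the vendor names come from the search list above.

```python
import csv
import io
from collections import defaultdict

# Vendor names taken from the search list in the article; extend as needed.
AI_VENDORS = ["openai", "anthropic", "chatgpt", "claude", "copilot",
              "midjourney", "grammarly", "perplexity"]

# Assumption: report product names under the company that bills for them.
ALIASES = {"chatgpt": "openai", "claude": "anthropic"}

# Constructed sample export; real column names depend on your finance system.
SAMPLE_CSV = """date,employee,source,description,amount_gbp
2025-03-02,a.khan,personal_card,OPENAI *CHATGPT SUBSCR,20.00
2025-03-03,b.lee,company_card,OpenAI ChatGPT Plus,20.00
2025-03-05,c.ortiz,expense_claim,Anthropic Claude Pro,20.00
2025-03-07,d.wu,company_card,Office supplies,41.50
2025-03-09,e.novak,personal_card,chatgpt plus monthly,20.00
2025-03-11,b.lee,company_card,Midjourney Inc,8.00
"""

def match_vendor(description):
    """Return the canonical AI vendor named in a description, or None."""
    text = description.lower()
    for name in AI_VENDORS:
        if name in text:
            return ALIASES.get(name, name)
    return None

def audit_expenses(csv_text):
    """Aggregate AI-related spend, payers and payment sources per vendor."""
    report = defaultdict(lambda: {"total": 0.0, "employees": set(), "sources": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        vendor = match_vendor(row["description"])
        if vendor is None:
            continue
        entry = report[vendor]
        entry["total"] += float(row["amount_gbp"])
        entry["employees"].add(row["employee"])
        entry["sources"].add(row["source"])
    return dict(report)

def consolidation_candidates(report, min_people=2):
    """Vendors several people pay for separately (review for a team plan)."""
    return sorted(v for v, e in report.items() if len(e["employees"]) >= min_people)

if __name__ == "__main__":
    result = audit_expenses(SAMPLE_CSV)
    print(result, consolidation_candidates(result))
```

Substring matching produces leads, not findings: a description containing a person named Claude would match, so confirm each hit with the employee before recording it in the inventory.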
How to track it going forward
A one-off audit helps, but AI adoption doesn't stop. New tools get discovered, new employees bring their own preferences, new features appear inside existing software. Without ongoing visibility, you're back to square one within months.
For API-based AI — the calls your developers make to OpenAI, Anthropic, Google, and others — SpendLil tracks everything automatically. One header added to your API calls and every request is logged with full metadata: provider, model, tokens, cost, tags, and timestamps. Your API keys are never stored, requests are never blocked, and if SpendLil goes down, your AI keeps running.
It won't track your SaaS subscriptions yet — that's on the roadmap. But for the API channel, which is typically the fastest-growing and least visible part of AI spend, it's handled from the moment you connect.
The bottom line
Shadow AI isn't a future problem. It's happening in your business right now. People are using tools you don't know about, spending money you can't see, and sending data to providers you haven't approved.
The cost is real. The compliance risk is real. And with 91 days until the EU AI Act kicks in, the window for getting visibility is closing.
Start by asking your team one question: "What AI tools are you using?"
The answer will surprise you.