Shadow AI is the AI tooling employees buy on corporate cards or personal accounts to ship work this quarter. It does not show up in the EA. It does show up in the bill, in the data risk, and in the 2027 budget that procurement is about to build.
About this report
This report is a directional benchmark, not a price list. It draws on three inputs.
We report bands and directions, not precise discounts. Where a single number appears, treat it as the middle of a range, not a guarantee.
The off books AI bill is bigger than the EA suggests, and bigger than the formal AI line in the IT plan. In our advisory file the off books AI bill typically ran between 4 and 9 percent of total enterprise software spend by mid 2025, often two to three times the line that finance had budgeted for AI.
The headline understates the issue, because it lumps small experiments with material recurring cost. Once a tool clears six months of card renewals, it is a budget line in everything but name. By that point the EA has no record of it.
Small enterprises see a smaller absolute number but a similar share. Mid market estates often run a higher share, because they lack a centralized AI roadmap that absorbs the demand. The largest enterprises see the largest absolute bill, even when the share looks modest.
Treat any single number as the middle of a range. Estate by estate, the spread between the formal AI line and the card category ran from a low multiple to nearly ten times in the cases we audited.
The EA is a procurement instrument. It books what was negotiated, not what is being used. AI tooling that arrived after the last renewal sits outside it by construction, and most AI tools have arrived in the last 24 months.
This is why a finance leader who reads only the EA sees a small AI line. The bill is real. It is just sitting in a different ledger.
Four families show up in almost every audit. They are not obscure. They are the most used AI tools in the consumer market, layered onto enterprise card programs that procurement never sized for them.
ChatGPT and Claude lead the category. They land on personal accounts, on small team plans bought by a manager, and on individual Plus or Pro subscriptions paid by card. Each seat is small. The aggregate is meaningful.
Vendor terms on these plans are not the enterprise terms procurement would negotiate. The data handling on a personal ChatGPT account differs from a ChatGPT Enterprise contract, and the same applies to Anthropic's enterprise plans. The contract gap is the real exposure.
Cursor, GitHub Copilot for Business sold individually, and a small cluster of similar tools dominate the developer side of the shadow AI bill. Engineering leaders often buy them per team rather than through the EA because the seat price is below the approval threshold.
Public pricing is straightforward. Cursor pricing lists Pro and Business plans that any developer card can buy. The friction to procure is low, which is most of the reason these tools spread quickly.
Perplexity Pro and a handful of competitors show up across knowledge work functions. Marketing, strategy, and consulting style teams use them for daily research. They are usually billed monthly on individual cards.
The cost per seat is modest. The category becomes visible only when finance aggregates it across functions, which most card programs do not do by default.
A surprising share of Microsoft Copilot and Google Gemini usage runs on individual or small team subscriptions bought outside the EA. These are often pilots that never got migrated, or seats added during a department initiative that finance never absorbed.
The enterprise contracts exist, the discounts are there to be won, and the seats are usually compatible with the SSO and data controls the EA already covers. What is missing is the migration.
The buyers are line managers and senior individual contributors with a corporate card and a real productivity problem. They are not rogue actors. They are people trying to ship work inside the quarter.
A manager with a discretionary budget and a card can authorize a seat or a team plan in minutes. The seat sits below most card approval thresholds. The decision feels small at the time it is made.
Multiplied across a function, those small decisions become a category line item. By the time anyone aggregates them, the bill is a recurring cost the business already plans around.
AI coding tools are bought on developer or engineering cards faster than any other category. The productivity gain is visible per day, and the seat price sits comfortably below team budget thresholds.
The procurement gap here is not awareness. It is contract motion. Engineering moves faster than the EA cycle, and the tool is in production before procurement starts the negotiation.
Knowledge work functions buy AI search and assistant seats on personal style accounts. The use case is daily research and drafting. The seat counts add up across teams, but each individual subscription looks small.
Most shadow AI is paid from departmental opex through corporate cards. Some lands as personal expense reports. A small share rides on a vendor invoice into accounts payable that no one mapped to AI.
None of these paths run through the EA. None of them carry the data terms a negotiated enterprise contract would include. That is the cost behind the cost.
Shadow AI sits outside the EA because the EA was built to control sizable, planned commitments. Shadow AI runs on small, opportunistic ones. The friction the EA needs to function is exactly what makes a card subscription feel easier.
An EA cycle is months. A card subscription is minutes. When the productivity gain is felt today and the approval costs a quarter, the rational buyer pays the card.
This is not a failing of procurement. It is a structural mismatch between how AI tools come to market and how enterprise software is bought. The market moved. The instrument has not caught up yet.
Most AI tools price at a level that sits comfortably below the threshold at which a card needs procurement involvement. The category grows one seat at a time, beneath the radar that was designed to stop large purchases.
The fix is not a lower threshold. A lower threshold paralyzes the entire card program. The fix is a category sweep that aggregates the small purchases and brings the total under management.
Once a few people in a team use an AI tool, the rest follow. Attach behavior inside a team runs faster than any procurement cycle, because the productivity gain is visible in shared work product within a week.
This is why the shadow AI bill compounds quarter by quarter. The first seat anchors the team. The next seats arrive on the back of the first, on the same card program, with no fresh approval needed.
The standard procurement reaction is to ban shadow AI to control it. We disagree as a default. In the enterprises we have audited, blanket bans pushed shadow AI deeper into personal accounts and out of any governance, while the underlying productivity demand kept growing. The buyer side move is to consolidate the high value shadow tools into enterprise contracts with data controls, govern the rest with a clear acceptable use policy, and treat the corporate card category as the real meter rather than the EA. The ban removed the audit trail. It did not remove the spend.
Source: Redress Compliance advisory engagement file, 2024 to 2025.
A blanket ban does not stop shadow AI. It removes the receipts. The off books bill keeps growing on personal accounts where the security team cannot see it and the contract never reaches.
The data risk is the larger story, and the harder one to put back together later. Cost can be repriced at the next renewal. A leak that traveled into a model cannot be recalled.
Personal account terms differ from enterprise terms in ways that matter for confidential work. Vendor enterprise contracts often exclude prompts from training and add audit rights. Personal account terms generally do not.
An employee pasting an internal document into a personal ChatGPT account is doing useful work. They are also placing that document on a vendor account that was never reviewed by security and carries no enterprise data handling commitments.
AI coding tools require source access to be useful. On a personal subscription, that means proprietary code sitting on a vendor account no security team has signed off. Even where vendors offer enterprise tiers with stronger controls, the personal tier is what got bought first.
The retrofit is consolidation, not a ban. Move developers from personal subscriptions to an enterprise contract with the data controls security needs, and the productivity is preserved while the exposure is closed.
Regulated industries carry record retention and audit obligations that shadow AI quietly breaks. A regulator does not care that the seat was bought on a card. The obligation sits with the enterprise.
For financial services, life sciences, and the public sector, this is the part of shadow AI that has to be closed first, ahead of the cost discussion. The compliance exposure compounds faster than the bill.
The bill gets brought under management as a category, not as a tool list. The pattern that works in our advisory file is consolidate, contract, and govern, with finance reading the card data as the true demand signal.
The fastest path to the off books bill is a category sweep of the corporate card data. A short list of vendor name patterns and merchant categories surfaces 80 percent of the bill in a single afternoon.
The output is not a witch hunt. It is a category map that finance and procurement can read together and use as the input for the contract round.
Three or four enterprise contracts usually cover the bulk of the bill. One general assistant vendor, one AI coding contract, one AI search contract, and one negotiated Copilot or Gemini line typically close most of the exposure.
Consolidation has to keep at least one credible alternative alive in each category. Without an alternative, the next renewal is priced against a buyer with no leverage, which is the standard advice the contrarian section warned about.
The long tail of tools that does not warrant a contract still needs governance. A short acceptable use policy and a budgeted central AI line give finance a place to plan the spend and security a place to set the rules.
The policy should be one page. It should name the approved categories, the prohibited uses, the data classes that may not leave the enterprise account, and the path to request a new tool. Anything longer will not be read.
Consolidate the high value tools, contract by category, govern the rest with a policy, and budget AI as its own line sized from the card data. Repeat at every renewal cycle and at every quarterly card review.
Sector and size shape the off books bill more than the headline number suggests. Regulated industries carry more compliance risk per dollar. Mid market estates carry more fragmentation. Large enterprises carry larger absolute dollars on smaller percentages.
Financial services sees the highest compliance exposure from shadow AI, because record retention and customer data handling rules apply equally on the card and in the EA. The bill is usually moderate. The risk is high.
Life sciences carries similar exposure on patient and research data, with additional pressure from regulators reviewing AI used in clinical workflows. The category sweep here usually surfaces less spend and more risk to close.
Technology firms carry the largest absolute card category for AI tools, with developer tools and general assistants both heavy. The compliance risk is lower for most use cases, but the cost story is larger.
Public sector estates often have the lowest absolute spend and the strictest rules. The shadow AI conversation in these estates is usually about closing personal account use entirely, not about contract consolidation.
Below is the comparison table we use with finance leaders to size the off books bill against the formal AI budget. Treat each row as a typical band, not a per estate number.
Shadow AI category map: formal AI line against the card category
| Category | Typical formal line | Typical card category | Multiplier, card over formal | Dominant buyer |
|---|---|---|---|---|
| General assistants, ChatGPT, Claude | Single EA pilot, often under 0.5% | 1 to 3% of software spend | 3 to 6x | Line managers |
| AI coding, Cursor, individual Copilot | Often zero in the EA | 0.5 to 2% of software spend | Effectively infinite | Engineering leads |
| AI search, Perplexity, similar | Rarely a formal line | 0.3 to 1% of software spend | 5 to 10x | Knowledge workers |
| Individual Copilot or Gemini seats | Inside the EA, but undersized | 0.5 to 1.5% of software spend | 2 to 4x | Department pilots |
| Image, audio, video AI tools | Rarely contracted | 0.2 to 0.7% of software spend | 5 to 8x | Creative and marketing |
| Long tail, 50 plus tools | Effectively zero | 1 to 3% of software spend | Effectively infinite | Mixed across functions |
The 2027 AI line moves up materially, with the planning input coming from card data rather than the request queue. Procurement teams that size 2027 AI from formal asks will understate by the same multiplier the off books bill shows today.
The base case is that the four dominant tool families remain dominant. Pricing will rise modestly on the general assistants, faster on the AI coding tools, and the AI add ons embedded in the EA will keep attaching seats.
For most enterprises this means an AI line that runs at 6 to 10 percent of software spend by mid 2027, depending on how much of the card category gets consolidated into negotiated contracts.
The faster moving risk is in attach. Once a department lights up an AI add on, the seat count expands inside the next two quarters. A 2027 plan needs an attach assumption, not a fixed seat count.
Gartner has flagged AI spend as the fastest growing line in IT, and our card data is consistent with that view. Gartner IT and AI spend commentary shows the same direction at the market level that we see inside individual estates.
The prep work is the category sweep done now, not at budget time. A finance team that runs the sweep in the second quarter of 2026 has a real number to plan against. A team that runs it in November is reacting, not planning.
Three anonymized patterns from the engagement file show how the sweep plays out in different estates. The figures are bands. Details are generalized to protect confidentiality.
A large financial services buyer ran the card sweep against a 2025 quarter and found AI vendor spend roughly four times the formal AI line in the IT budget. The largest single category was AI coding tools across the engineering function.
The remediation was an enterprise contract with the dominant AI coding vendor, data clauses signed by the security team, and a parallel review of two personal account general assistant tools that handled customer data. The formal AI line in the next budget cycle absorbed the consolidation.
A technology firm found that its off books AI bill, while large in absolute terms, sat within the boundaries the security team was already comfortable with for the tools in use. The exception was a long tail of newer vendors no one had reviewed.
The fix was a one page acceptable use policy that distinguished the approved tools from the long tail, plus an SSO requirement on the approved set. The category total barely moved. The risk dropped sharply.
A public sector estate found a small but unacceptable use of personal account AI tools for handling case data. The card spend was minor. The compliance exposure was material.
The response was to consolidate to one enterprise contract with the strictest data clauses in the market, run a brief training session on the new tool, and block personal account access at the network layer. The total spend rose. The exposure closed.
The same mistakes appear in most sweeps we run. None of them are obvious in advance. All of them are easy to fix once they are named.
The most common mistake is sizing the AI budget from the formal request queue. The queue captures what was asked through the right channel. The card data captures what is actually being used, which is a larger and more honest number.
A budget built from the queue will understate. A budget built from the card data will be defensible at the next finance review.
The second common mistake is signing a single AI contract on the theory that one vendor will cover every use case. In practice, different teams need different tools, and the single contract approach leaves the unserved teams to buy on the side.
Three or four category contracts almost always close more of the bill than one tool ever can. The category contract approach matches how the business actually uses AI.
The third common mistake is the ban that the contrarian section above warned against. A ban that lacks an alternative pushes use to personal accounts and removes the only audit trail finance had.
The pattern that works is consolidate first and ban only what cannot be consolidated. The reverse order produces more spend, more risk, and a worse 2027 budget input.
A handful of operational signals reliably flag estates where shadow AI is already a material line. They show up in the data finance and IT already collect, not in a separate audit.
The first signal is a quarterly rise in the software merchant category on the corporate card program, with no matching rise in EA spend. The card category usually breaks out the increase before procurement notices it.
A second pass on the card data, filtered to AI vendor names, almost always confirms the picture. The first list reveals the category. The second list names the tools.
Repeat individual expense reports for the same vendor name, often under twenty dollars per month, are the second signal. They appear most in functions that ship to deadlines, like engineering, marketing, and sales.
The pattern is rarely one big claim. It is many small claims that an expense system was never tuned to flag. Aggregated across a quarter, they read as a recurring cost.
SSO logs show the same picture from a different angle. AI vendor domains that appear in sign in events but never in the EA inventory are off books seats by definition.
This is the cleanest source for engineering tools, because developers log in to AI coding tools daily. The SSO log catches what the card data missed when the seat was bought on a personal email.
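The category sweep described in the remediation section and the three signals above (a software merchant category rising on the card program, repeat small expense claims for one vendor, and AI vendor domains in SSO sign in events with no EA inventory entry) can be run as one pass over data finance and IT already hold. The code below is an added example written for this page; it is not the report's toolkit and the vendor name patterns, merchant category codes, thresholds, and every card, expense, and SSO record in it are constructed assumptions, not values from the engagement file.

```python
"""Off books AI sweep over constructed card, expense, and SSO records.

Added example, not the report's own toolkit. Vendor name patterns, merchant
category codes (MCCs), thresholds and all sample records are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed vendor name patterns, keyed by the report's category labels.
# Order matters: the first matching category wins.
AI_VENDOR_PATTERNS = {
    "general_assistant": re.compile(r"openai|chatgpt|anthropic|claude", re.I),
    "ai_coding": re.compile(r"cursor|github copilot", re.I),
    "ai_search": re.compile(r"perplexity", re.I),
    "bundled_seats": re.compile(r"copilot\.microsoft|microsoft.*copilot|gemini", re.I),
}
# Assumed software MCCs used for the first pass (the "software merchant category").
SOFTWARE_MCCS = {"5734", "5817"}


@dataclass(frozen=True)
class CardTxn:
    merchant: str
    mcc: str
    amount: float  # USD
    card_owner: str
    posted: str  # YYYY-MM


@dataclass(frozen=True)
class ExpenseClaim:
    employee: str
    vendor: str
    amount: float
    month: str


@dataclass(frozen=True)
class SsoEvent:
    user: str
    app_domain: str


# Constructed sample records (not real transactions).
CARD_TXNS = [
    CardTxn("OPENAI *CHATGPT SUBSCR", "5734", 20.0, "manager.a", "2025-04"),
    CardTxn("OPENAI *CHATGPT SUBSCR", "5734", 20.0, "manager.a", "2025-05"),
    CardTxn("CURSOR AI", "5734", 40.0, "eng.lead.b", "2025-04"),
    CardTxn("CURSOR AI", "5734", 40.0, "eng.lead.b", "2025-05"),
    CardTxn("PERPLEXITY AI", "5817", 20.0, "strategy.c", "2025-05"),
    CardTxn("ATLASSIAN", "5734", 300.0, "eng.lead.b", "2025-04"),  # software, not AI
    CardTxn("UBER TRIP", "4121", 32.5, "manager.a", "2025-05"),  # not software
]
EXPENSE_CLAIMS = [
    ExpenseClaim("dev.d", "Anthropic Claude Pro", 20.0, "2025-03"),
    ExpenseClaim("dev.d", "Anthropic Claude Pro", 20.0, "2025-04"),
    ExpenseClaim("dev.d", "Anthropic Claude Pro", 20.0, "2025-05"),
    ExpenseClaim("mkt.e", "Perplexity Pro", 20.0, "2025-05"),  # one month only
    ExpenseClaim("mkt.e", "Team dinner", 180.0, "2025-05"),
]
SSO_EVENTS = [
    SsoEvent("dev.f", "cursor.com"),
    SsoEvent("dev.g", "cursor.com"),
    SsoEvent("manager.a", "chat.openai.com"),
    SsoEvent("sales.h", "salesforce.com"),
    SsoEvent("manager.a", "copilot.microsoft.com"),
]
# Assumed EA inventory: app domains that already sit under a negotiated contract.
EA_INVENTORY_DOMAINS = {"salesforce.com", "copilot.microsoft.com"}


def classify_vendor(name: str) -> Optional[str]:
    """Return the report category for a merchant string or domain, or None."""
    for category, pattern in AI_VENDOR_PATTERNS.items():
        if pattern.search(name):
            return category
    return None


def sweep_card_spend(txns: List[CardTxn]) -> Tuple[float, Dict[str, float]]:
    """First pass: total in software MCCs. Second pass: AI spend by category."""
    software_total = sum(t.amount for t in txns if t.mcc in SOFTWARE_MCCS)
    by_category: Dict[str, float] = defaultdict(float)
    for t in txns:
        category = classify_vendor(t.merchant)
        if category:
            by_category[category] += t.amount
    return software_total, dict(by_category)


def card_over_formal_multiplier(ai_card_total: float, formal_ai_line: float) -> float:
    """The table's 'multiplier, card over formal'; infinite when the EA has no AI line."""
    return ai_card_total / formal_ai_line if formal_ai_line > 0 else float("inf")


def repeat_small_claims(claims: List[ExpenseClaim], max_amount: float = 20.0,
                        min_months: int = 3) -> List[Tuple[str, str]]:
    """Second signal: one employee claiming the same vendor in several months, each small."""
    months: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for c in claims:
        if c.amount <= max_amount:
            months[(c.employee, c.vendor)].add(c.month)
    return sorted(key for key, seen in months.items() if len(seen) >= min_months)


def unmanaged_sso_domains(events: List[SsoEvent], inventory: Set[str]) -> Dict[str, int]:
    """Third signal: AI vendor domains seen in sign in events but absent from the EA inventory."""
    users: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if classify_vendor(e.app_domain) and e.app_domain not in inventory:
            users[e.app_domain].add(e.user)
    return {domain: len(u) for domain, u in users.items()}


if __name__ == "__main__":
    software_total, ai_by_category = sweep_card_spend(CARD_TXNS)
    ai_total = sum(ai_by_category.values())
    print(f"software MCC total: {software_total:.2f}, AI vendors: {ai_total:.2f}")
    print("by category:", ai_by_category)
    print("card over formal (formal line 35.0):", card_over_formal_multiplier(ai_total, 35.0))
    print("repeat small claims:", repeat_small_claims(EXPENSE_CLAIMS))
    print("off books SSO domains:", unmanaged_sso_domains(SSO_EVENTS, EA_INVENTORY_DOMAINS))
```

The first pass deliberately uses the merchant category rather than vendor names, because that is the number that moves before anyone knows which tools are behind it; the vendor patterns are the second pass that names them. The SSO check classifies on the app domain with the same patterns, so a seat bought on a personal email still surfaces when the user signs in through the corporate identity provider.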
The good news is that the contract template is short. The clauses that matter on an AI tool are the ones that close the data and cost questions the personal account never answered.
The first clause excludes prompts and outputs from model training by default. Enterprise tiers from the major vendors include this. The personal tier usually does not, which is why the migration matters.
The second clause names the data classes the enterprise may submit, the storage region, and the retention period. Where regulation applies, this clause closes the audit question in advance instead of leaving it open until a breach.
A right to inspect the vendor's SOC reports and a documented audit path are now table stakes on any AI contract a regulated enterprise signs. Without them, the security review has to be repeated from scratch every year.
For non regulated estates, the same clauses still pay off at renewal, because they shift the burden of proof from the buyer to the vendor when something does need to be reviewed.
The last set of clauses is the cost discipline. A separate term and a flat percentage cap on the AI add on, with an exit right that does not penalize the buyer for stepping back, keeps the premium bounded.
Bundling the AI add on into the base license removes this discipline. Even when the base renewal is friendly, an uncapped AI line will compound past the base inside two cycles.
Ownership decides whether the category gets sized accurately or argued about. Finance, procurement, and security each see a different slice of the bill, and none of them sees all of it alone.
Finance is the only function that holds the card data, the expense reports, and the AP feed. That makes finance the owner of the sizing exercise. The deliverable is the dollar number behind the category, not a policy.
This is also where the planning input lives. The 2027 AI line in the software budget belongs in finance, sized from the data finance already controls.
Procurement turns the finance number into a contract round. The category map becomes a list of two or three enterprise contracts to negotiate, with the data and cost clauses described above.
This is also where the consolidation conversation lives. A procurement team that runs the round annually keeps the off books bill bounded for the next twelve months.
Security writes the one page acceptable use policy and signs off on the contract data clauses. Security does not need to own the cost number. It does need a veto on tools that fail the data review.
The three way ownership works when each function leads its own slice and meets monthly to reconcile. It fails when one function tries to own all three, which is the usual reason a ban is reached for in the first place.
A benchmark is only useful if its limits are stated. This report is a directional read on the size and shape of the off books AI category. Several things sit outside it on purpose.
The category sweep counts recurring card subscriptions. It does not size one time AI consulting, vendor proof of concepts, or short pilots paid as a single expense claim. Those are real costs but they are not the recurring exposure.
The report measures cost on the buyer side, not revenue on the vendor side. A vendor revenue figure can grow even where a given enterprise holds spend flat, and the reverse is also true.
Pricing varies by region, currency, and product mix. A global estate will see effects this report does not localize. Read the bands as direction and adjust for your own region before planning.
Shadow AI is any AI tool an employee uses for work that procurement and IT did not approve, did not contract, and cannot see in the EA. It usually arrives on a personal account, a free plan, or a corporate card subscription a manager bought directly. The point is not the tool. It is the absence of oversight.
In our 2024 to 2025 advisory file, shadow AI ran 4 to 9 percent of total software spend in a large enterprise. That is often two to three times the formal AI line. On a billion dollar IT budget, the gap reaches tens of millions of dollars sitting outside contract.
Four families show up in almost every shadow AI audit. ChatGPT and Claude on personal or team plans, Cursor and similar AI coding tools on individual developer cards, Perplexity and similar AI search tools, and individual Microsoft Copilot or Google Gemini subscriptions bought outside the EA. Together they cover most of the off books AI bill.
The buyers are almost always line managers and senior individual contributors with a corporate card and a real productivity problem. They are not trying to evade procurement. They are trying to ship work this quarter. The buyer pattern is consistent across functions, with engineering, marketing, and sales the heaviest users.
Shadow AI grows quarter by quarter, because most AI tools price per seat per month at a level that sits below the threshold a card needs procurement to approve. Each seat is small. The aggregate is large. By the time finance pulls the category, the bill is already a recurring cost.
We disagree with a default ban. In the estates we audited, blanket bans pushed the highest value tools into personal accounts and out of any governance. Productivity demand kept growing. The better move is to consolidate the few tools that matter into enterprise contracts with data controls.
The data risk is larger than the cost risk and harder to undo. Personal account prompts can leak into model training, customer data can cross a boundary the contract never blessed, and sensitive code or financials sit on a vendor account no security team has reviewed. The breach you do not see is the breach you cannot answer for.
The fastest path is a category sweep of the corporate card data. A short list of vendor name patterns and merchant categories surfaces 80 percent of the bill in a single afternoon. The second pass cross checks expense reports and an SSO log for the same vendors. Together they map the off books estate.
The pattern that works is consolidate, contract, and govern. Consolidate the high value tools into one or two enterprise contracts with data controls. Contract the rest by category, not by tool. Govern usage with a short acceptable use policy and a budgeted central AI line that gives finance a place to plan the spend.
Treat AI as its own line in the software plan, separate from the base EA, and size it from the corporate card data, not from the request queue. The card data shows what the business is already paying for. That is a more honest planning input than the formal AI roadmap, because it reflects revealed demand.
The vendor name patterns to search for, the four category consolidation framework, the data control checklist for AI contracts, and the one page acceptable use policy template.
Used across more than five hundred enterprise engagements. Independent. Buyer side. Built for finance and procurement leaders sizing the 2027 AI budget.
The EA tells you what procurement bought. The corporate card tells you what the business is actually using. In 2026, the gap between those two is the AI category.