Shadow AI in Swiss SMEs: The risk nobody names in the board meeting

Your employees use ChatGPT, Copilot, Claude. Today. Privately. Without governance. What that means, and what you as a CXO can concretely do.

What is Shadow AI?

Shadow AI is the AI variant of Shadow IT. An employee uploads client correspondence into ChatGPT for translation. A developer copies a codebase excerpt into Claude for debugging. A marketing lead has Copilot "polish up" a customer list. All of it happens now, in every SME, without the management board knowing about it.

The Swiss AI Paradox

The phenomenon we observe: employee adoption of AI in Switzerland is high. Higher than management's perception. While the board still debates whether "we should talk about AI sometime", the case workers have long been working with ChatGPT. The result is a blind spot in risk management. One that grows larger every day.

Three risk axes

Axis | What can go wrong | What it costs
Data leakage | Business data lands in US cloud LLMs without a data processing agreement | revDSG violation; fine risk
Quality hallucinations | AI delivers plausible but wrong answers, and employees do not verify them | Errors in client correspondence, accounting, code
Competence drift | Employees stop learning themselves; the AI thinks for them, and sometimes wrongly | Slow, hard-to-measure loss of competence

What the management board can concretely do

Three steps that build on each other:

  1. Inventory: Who uses what? One hour of interviews in the leadership circle is enough for an honest finding.
  2. Rules of the game: No bans. A 1-page "AI house rules": which data may go where, which may not.
  3. Sanctioned tool: One officially approved tool, whether ChatGPT Enterprise, Copilot, or on-prem, that replaces the shadow tools. Otherwise bans get circumvented.

When Shadow AI tips into revDSG compliance

revDSG requires a data processing agreement with third-country providers. ChatGPT in the free version does not meet that. Copilot in M365 often does. ChatGPT Enterprise partially. Concrete compliance is a question for your lawyer, not for us. But the risk is real, and the gut feeling that "it's somehow OK" does not hold.

Frequently asked questions

What is the difference between Shadow IT and Shadow AI?

Shadow IT is unapproved software like Dropbox or WhatsApp. Shadow AI is unapproved AI use. The sharper variant, because data is not "just" stored but actively processed.

Should I ban ChatGPT in my company?

No, in most cases not. Bans get circumvented. The solution is an approved, secure tool plus clear rules of the game.

How do I find out what my people are using?

Direct interviews within the leadership circle (1 hour is enough), plus optionally checking browser logs. We do this as part of the AI potential assessment.
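The "checking browser logs" part of the inventory can be done with a short script. The following is an added example, not part of the original article or of Waldsee's assessment method: it reads constructed proxy log lines, matches the host against an assumed mapping of AI-tool domains (a list each organisation maintains itself), treats one tool as the sanctioned one from step 3 (a hypothetical choice), and reports per user how often the shadow tools were reached.

```python
import re
from collections import defaultdict

# Domains of the AI assistants named in the article. This mapping is an
# assumption for the example; an organisation would maintain its own list.
AI_TOOL_DOMAINS = {
    "chat.openai.com": "ChatGPT",
    "chatgpt.com": "ChatGPT",
    "claude.ai": "Claude",
    "copilot.microsoft.com": "Copilot",
}

# The single officially approved tool (step 3, "AI house rules").
# Hypothetical choice for the example.
SANCTIONED = {"Copilot"}

# Constructed proxy log lines: timestamp, user, method, URL, status.
SAMPLE_LOG = """\
2025-03-03T09:12:01 alice GET https://copilot.microsoft.com/ 200
2025-03-03T09:15:44 bob POST https://chat.openai.com/backend-api/conversation 200
2025-03-03T09:20:10 bob POST https://chat.openai.com/backend-api/conversation 200
2025-03-03T10:02:33 carol POST https://claude.ai/api/organizations/x/chat_conversations 200
2025-03-03T10:05:00 dave GET https://www.example.ch/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def host_of(url):
    """Extract the lower-cased host from a URL; empty string if unparseable."""
    m = re.match(r"^[a-z]+://([^/]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def shadow_ai_inventory(log_text):
    """Return {user: {tool_or_'sanctioned': request_count}}.

    Requests to an unsanctioned AI tool are counted under the tool's name;
    requests to the approved tool are counted under 'sanctioned' so the
    report also shows whether the official tool is actually being used.
    """
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the audit run
        _ts, user, _method, url, _status = m.groups()
        tool = AI_TOOL_DOMAINS.get(host_of(url))
        if tool is None:
            continue  # not an AI tool we track
        key = "sanctioned" if tool in SANCTIONED else tool
        report[user][key] += 1
    return {user: dict(tools) for user, tools in report.items()}
```

On the constructed sample the report shows alice on the sanctioned tool only, bob with two ChatGPT requests and carol with one Claude request; dave does not appear. Treat the output as the starting point for the interviews, not as evidence against individuals.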

What does "revDSG-compliant" mean for AI tools?

revDSG requires: known data processors, clear purposes, data subjects informed. Cloud AI based in the US often only meets this if a DPA contract is in place. On-prem (e.g. Lenovo ThinkStation PGX) solves the problem structurally.

Do we have to go on-prem?

Not necessarily. Cloud AI with a revDSG-compliant DPA is enough for many office workflows. On-prem becomes relevant for client, patient, or IP-sensitive data, or strict internal compliance.

What is the Swiss AI Paradox?

A Waldsee term for the observation that employee adoption in Switzerland is higher than management perception. Employees are further along than the strategy.

How quickly can this escalate?

Fast. A single accidentally uploaded client correspondence is potentially a revDSG incident with a reporting obligation. The risk profile changes daily, because more employees use more tools.