The consulting industry’s artificial intelligence adoption is happening faster than most firms realise – as employees take matters into their own hands, leveraging AI tools without a company roll-out. Bret Tushaus, VP of Product Management at Deltek, explores the impact of the rise of shadow AI and what project-based businesses can do to protect themselves.
While boardrooms stall over implementing AI strategies and procurement teams evaluate enterprise solutions, half of UK employees have already embraced personal AI tools to deliver better client outcomes. This phenomenon, known as ‘Shadow AI’, reflects a healthy drive from consultants to overcome resource constraints or bridge capability gaps and improve their offering in ways that their organisations have not yet sanctioned.
What makes this so striking is its stealth nature. Our research shows that 77% of project-based firms plan to increase AI investments in 2025, but many remain unaware of the AI tools already operating within their organisations. While AI holds incredible promise, this disconnect creates a dangerous blind spot where the very innovation driving productivity gains could undermine the security and compliance standards that consulting firms depend upon.
It’s a critical misunderstanding to believe that shadow AI is problem, when in actuality it’s a symptom. It signals a dangerous innovation bottleneck that, if left unaddressed, risks making firms obsolete given the technology’s breakneck pace of advancement.
The accessibility of off-the-shelf AI tools – such as ChatGPT, Claude, and Gemini – makes managing shadow AI adoption particularly challenging. Further, once professionals experience how the technology eliminates friction, 46% say that they would continue using the tools even if their employer banned them. The genie is truly out of the bottle.
It’s easy to empathise with consultants, considering the numerous driving forces. The ongoing skills shortage is well documented, and firms are operating with leaner teams, all while client expectations continue to rise. The appeal of AI assistance becomes irresistible.
Shadow AI manifests itself in different ways, making it all the harder for organisations to eliminate. Strategy consultants feed client data into AI models to accelerate market analysis and competitive intelligence. Management consultants harness AI to create compelling proposal documents that better align with client expectations and industry benchmarks. Digital transformation specialists use AI to rapidly prototype solutions and generate technical documentation that would typically require days of manual effort.
While shadow AI adoption demonstrates consultant innovation, it creates vulnerabilities that could devastate client relationships and firm reputation. Perhaps the most immediate danger lies in data exposure. One-in-five companies have experienced data leakage because of employees using generative AI, with three-quarters of Chief Information Security Officers now viewing insiders as a greater risk than external threats. For consulting firms, this risk is amplified. Client confidentiality forms the bedrock of consulting relationships, and inadvertent data exposure through unsecured AI platforms could trigger contractual breaches, regulatory penalties, and irreparable reputational damage.
Compliance vulnerabilities represent another critical concern. Consulting firms operating across regulated industries, such as financial services or healthcare, face stringent requirements around data handling and client information protection. Unauthorised AI models used to process sensitive client data may violate GDPR, sector-specific compliance frameworks, and/or contractual confidentiality agreements. This creates legal exposure that many firms haven’t yet recognised.
Finally, the quality and reliability of AI outputs pose strategic risks. Unchecked AI-generated insights, recommendations, or deliverables may contain biases, hallucinations, or fabricated information that sharply undermine client trust and consulting credibility.
The biggest mistake consulting leaders can make is viewing shadow AI purely as a cybersecurity issue to be solved through restrictions and controls. This mindset signals that leadership isn’t ready for what’s coming. Firms that approach shadow AI as solely a security problem will find themselves outpaced by competitors who recognise it as an innovation catalyst.
The real opportunity lies in integrating AI not as a separate initiative, but as a core component of business strategy. This makes AI inherently safer for business because it becomes woven into organisational processes rather than operating as a disconnected technology experiment.
The past few years have undeniably proven that firms with embedded AI report improvement in project delivery speed, enhanced client satisfaction scores, and stronger competitive positioning. Shadow AI must therefore be recognised as a positive signal that consultants want to innovate, and firms must provide them with secure, approved alternatives. Rather than imposing blanket bans that drive underground usage, consulting leaders must develop comprehensive AI strategies built on four foundations.
First, fostering open dialogue between IT security, business development, and delivery teams creates shared understanding of AI’s capabilities and limitations. This collaboration helps identify beneficial AI applications while ensuring compliance with client requirements and regulatory obligations.
Second, firms must create safe experimentation environments, or ‘AI playgrounds’, where consultants can test tools and approaches without exposing client data or violating security protocols. This enables rapid evaluation of AI solutions while maintaining risk controls.
Third, comprehensive AI literacy programmes ensure consultants understand model limitations, bias implications, and security requirements. Training must cover data handling protocols, output validation requirements, and the critical importance of human oversight in AI-assisted deliverables.
Fourth, and most critically, AI must be aligned with and integrated into broader business strategy. This means identifying how AI capabilities can enhance core service offerings, improve client value propositions, and strengthen competitive positioning. When AI becomes part of strategic planning rather than a technology afterthought, adoption becomes more purposeful and security becomes more manageable.
If the AI future is already unfolding, firms must now ask themselves if they want to shape it proactively or react to it defensively. The unauthorised use of AI certainly represents risk and vulnerability, but equally it demonstrates a tenacity, curiosity and drive that is the hallmark of any good consultant. Firms that recognise this dual nature and respond accordingly will capture competitive advantages that slower-moving competitors cannot match.
The need to empower and not restrict has never been greater. The choice is clear: lead the AI transformation, or be disrupted by those who do. With shadow AI, the biggest risk is remaining in the dark.
