Shadow AI in German Government Agencies: When AI Becomes a Security Gap
Introduction
A new Microsoft study reveals a striking finding: nearly half of all federal employees in Germany use AI tools that have never been reviewed or approved by their own organization. So-called shadow AI has quietly become a fixture in government offices - and it carries serious risks for confidential data and critical infrastructure. At the same time, 73 percent of the German population feels poorly informed about how AI works, and only 43 percent take any protective measures at all. This article explains what shadow AI is, why it poses such a significant threat, and what individuals can do right now to reduce their exposure.
Introduction
Imagine a government employee typing confidential details into a free AI app on their phone to finish a report faster. The app comes from an unknown provider, nobody has reviewed it, and the data entered may end up on servers outside the EU. That sounds like a rare edge case. But according to a Microsoft study published in November 2025, conducted by polling institute Civey, this scenario plays out every day at the federal level in Germany - affecting nearly one in two employees.
45 percent of workers in Germany's federal administration use AI tools that their organization has neither reviewed nor approved. At the municipal level the figure stands at 36 percent, and at the state level at 19 percent. The numbers make one thing clear: shadow AI is no longer a niche problem. It has become a systemic vulnerability at the very heart of the German state.
What exactly is shadow AI?
Shadow AI refers to the use of artificial intelligence applications and tools without the knowledge or approval of the relevant IT department or employer. These can be free chatbots, AI-powered translation services, writing assistants, or image generators - often accessible directly through a web browser, without installation or registration.
The problem is not AI itself, but the lack of oversight. Who actually knows what an anonymous AI provider does with the data entered into their tool? Is it stored? Used to train new models? Shared with third parties? In a government setting where employees routinely handle personal data, legal documents, or internal reports, the consequences can be severe - for citizens, for ongoing investigations, and for national security.
Awareness is high - action is low
What makes the study findings particularly alarming is not just the widespread use of shadow AI, but the gap between awareness of the danger and actual protective behavior. 67 percent of the German population considers the misuse of AI for cyberattacks to be the single biggest security problem of our time. Yet only 43 percent actually take any basic precautions when using AI tools - such as checking who built the tool or which country its data is stored in.
There is also a significant knowledge deficit: 73 percent of Germans feel they do not understand how AI works well enough to assess its risks. Ralf Wigand, National Security Officer at Microsoft Germany, summed it up clearly: approved, organization-wide solutions backed by clear policies, strong identity protection, and automated defenses are the answer. AI-powered cyber defense, he notes, is now indispensable for responding to attacks in minutes rather than hours.
Meanwhile, the threat environment itself has intensified. 80 percent of decision-makers at the federal level now rate the current situation as high-risk - a sharp increase from 57 percent the previous year. And 78 percent of the general population believes Germany's critical infrastructure is not sufficiently protected against cyberattacks.
What needs to happen - and what you can do today
Shadow AI cannot be solved by bans alone. When employees reach for unapproved tools, they usually do so not out of malice but because they want to work more efficiently and either lack access to secure alternatives or simply do not know they exist. The solution therefore requires a two-track approach: organizations must provide trusted AI tools while simultaneously investing in awareness and training.
For everyday use - whether at work or at home - concrete steps make a real difference. Use only AI applications that your IT department or a trusted provider has approved. Check who is behind any AI tool and in which country the data is stored. Never enter personal, professional, or sensitive information into unreviewed AI tools. Enable multi-factor authentication for all important accounts - it remains one of the most effective defenses against phishing and unauthorized access. And talk openly about cybersecurity with your colleagues and family, because digital safety is a shared responsibility.
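The organizational half of the approach above ("use only approved tools") only works if the IT department can see which unapproved AI services are actually in use. The following script is an added illustration, not part of the Microsoft/Civey study or of any product: it reads constructed web-proxy log lines, compares each destination host against a hypothetical catalogue of known AI services and a hypothetical allowlist of approved ones, and reports per user which shadow-AI hosts were contacted and how many large POST requests (likely text or file uploads) went to them. All host names, user names and the key=value log format are made up for the example.

```python
"""Flag shadow-AI usage in proxy logs: known AI hosts that are not on the approved list.

Added example. Host names, user names and the log format are constructed for illustration.
"""
from dataclasses import dataclass, field

# Hypothetical catalogue of host names known to belong to AI services (approved or not).
KNOWN_AI_HOSTS = {
    "ai.intranet.example-behoerde.de",  # constructed: internal assistant
    "approved-ai.example.com",          # constructed: vetted external provider
    "chat.freeai-example.net",          # constructed: free public chatbot
    "translate.example-ai.io",          # constructed: public AI translation service
}

# Hypothetical allowlist: the subset of known AI services the organization has reviewed.
APPROVED_AI_HOSTS = {
    "ai.intranet.example-behoerde.de",
    "approved-ai.example.com",
}

# Constructed proxy log lines in a simple key=value format (one request per line).
SAMPLE_LOG = """\
2025-11-12T09:14:03Z user=mmueller method=POST host=ai.intranet.example-behoerde.de bytes_out=2210 status=200
2025-11-12T09:15:41Z user=mmueller method=POST host=chat.freeai-example.net bytes_out=18342 status=200
2025-11-12T09:16:05Z user=skrause method=GET host=www.example-news.de bytes_out=410 status=200
2025-11-12T09:17:22Z user=skrause method=POST host=translate.example-ai.io bytes_out=9870 status=200
2025-11-12T09:18:09Z user=skrause method=POST host=translate.example-ai.io bytes_out=12004 status=200
2025-11-12T09:19:50Z user=tbauer method=GET host=chat.freeai-example.net bytes_out=120 status=200
""".splitlines()


@dataclass
class Event:
    ts: str
    user: str
    method: str
    host: str
    bytes_out: int
    status: int


@dataclass
class UserReport:
    hosts: set = field(default_factory=set)
    requests: int = 0
    bytes_out: int = 0
    suspected_uploads: int = 0  # POST requests above the upload threshold


def parse_line(line: str) -> Event:
    """Parse one 'timestamp key=value ...' log line into an Event."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(ts, kv["user"], kv["method"].upper(), kv["host"].lower(),
                 int(kv["bytes_out"]), int(kv["status"]))


def _in_catalogue(host: str, catalogue: set) -> bool:
    """True if host equals a catalogue entry or is a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in catalogue)


def classify(host: str) -> str:
    """Return 'approved_ai', 'shadow_ai' or 'other' for a destination host."""
    if _in_catalogue(host, APPROVED_AI_HOSTS):
        return "approved_ai"
    if _in_catalogue(host, KNOWN_AI_HOSTS):
        return "shadow_ai"
    return "other"


def shadow_ai_report(lines, upload_threshold: int = 4096) -> dict:
    """Aggregate shadow-AI traffic per user; malformed lines are skipped."""
    report: dict = {}
    for line in lines:
        try:
            ev = parse_line(line)
        except (KeyError, ValueError):
            continue  # skip lines that do not carry the expected fields
        if classify(ev.host) != "shadow_ai":
            continue
        entry = report.setdefault(ev.user, UserReport())
        entry.hosts.add(ev.host)
        entry.requests += 1
        entry.bytes_out += ev.bytes_out
        # A large POST body to an unreviewed AI service is the pattern the article warns about:
        # confidential text pasted into a tool nobody has assessed.
        if ev.method == "POST" and ev.bytes_out >= upload_threshold:
            entry.suspected_uploads += 1
    return report


if __name__ == "__main__":
    for user, r in sorted(shadow_ai_report(SAMPLE_LOG).items()):
        print(f"{user}: hosts={sorted(r.hosts)} requests={r.requests} "
              f"bytes_out={r.bytes_out} suspected_uploads={r.suspected_uploads}")
```

The output is meant as a starting point for the awareness track, not for disciplinary action: a user who shows up here most likely lacked an approved alternative, which is exactly the gap the article describes. The byte threshold is a coarse heuristic for "something was pasted in", and the catalogue has to be maintained as new browser-based tools appear.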
The generational dimension deserves special attention here. The study found that 82 percent of people over 65 feel they do not know enough about AI, compared to 55 percent of those under 30. Awareness campaigns must therefore reach all age groups - not only those who grew up with technology.
Conclusion
Shadow AI is not an abstract technology problem. It is a real and present security risk that has taken hold inside German government agencies and businesses alike. The Microsoft study paints a sobering picture: awareness of the danger exists, but protective action is taken by a minority. With the threat landscape tightening - 80 percent of federal decision-makers now see high risk - the time to act is not later. It is now.
Sources:
Microsoft / Civey: "Schatten-KI macht Deutschland verwundbar: Microsoft-Studie zeigt Schutzlücke in Behörden", November 2025
https://news.microsoft.com/source/emea/2025/11/schatten-ki-macht-deutschland-verwundbar-microsoft-studie-zeigt-schutzluecke-in-behoerden/
Microsoft: "Microsoft Digital Defense Report 2025", October 2025
https://www.microsoft.com/en-us/corporate-responsibility/cybersecurity/microsoft-digital-defense-report-2025/