2026-06-18


AI is already the new shadow IT. Now, how do we govern it?

World finance forum   roundtable article

Almost everyone feels genuine pressure to move fast on AI. Teams are experimenting, engineers are building, and operations are deploying at scale. Finance doesn't want to be the function that slows things down. But beneath all that momentum, there is a structural problem that finance is uniquely positioned to solve, if it changes its posture from reactive to proactive. 

Earlier this year, I moderated a roundtable on this exact topic at the World Finance Forum in London. Sixteen finance leaders came together to discuss how AI token economics are reshaping the way companies budget. The conversation that followed was one of the more honest I have had with finance professionals about where they actually are with AI, not where they want to be, or where their communications say they are.

The reactivity versus proactivity problem in the approach to governing AI has three components:

  • Costs that cannot be forecast using traditional methods;
  • Spend that is accumulating outside approved governance structures;
  • AI-generated outputs that are increasingly informing material decisions without the audit trails that finance depends on.

None of these is a reason to slow AI adoption. What’s needed is better governance.

The bill arrives before the governance does

The most common complaint in that roundtable room was not about AI itself, but about visibility. Finance teams are finding out what was spent after it’s already spent, without any cap or forecast.

This isn’t due to a lack of financial discipline, but to the way AI is priced. Unlike traditional SaaS tools with fixed seat counts and predictable invoices, the most capable AI systems charge by consumption, specifically by tokens. A token is the unit of text that AI models process as input and produce as output. Every step an AI agent takes consumes tokens. Long reasoning chains, autonomous decision loops, retrieval-heavy workflows, and multi-model pipelines multiply that consumption in ways that are hard to forecast before you have real production-scale usage data.

The numbers reflect what those finance leaders described. 

Around 80% of businesses miss their AI infrastructure forecasts by more than 25%. Actual costs often exceed initial estimates by 30 to 50% once token overages, API rate limits, and real-world usage patterns are accounted for. The average organisation’s monthly spend on AI-native applications now exceeds $85,000, an increase of 36% year on year.

And this is before the impact of agentic AI is fully felt. A query that looks like a $0.50 interaction can easily become $10 when an agentic workflow is running in the background. Multiply that across an organisation’s daily operations, and it compounds fast. Finance teams that are still treating AI as a line item in the software budget are not prepared for what agentic deployment at scale will do to their cost base.

Cloud infrastructure was governed before. How do we do it now with AI?

The analogy that landed hardest in the London room was cloud. When cloud infrastructure first appeared, organisations wanted in fast. However, its costs were unpredictable, spending kept growing, and for a while, nobody really knew how to budget it. A new category of tooling, cloud cost management, had to be built almost from scratch. Governance frameworks for on-premises capital expenditure had to be rebuilt for consumption-based operating expenditure.

Then businesses got savvy. They added governance, built forecasting capabilities, and introduced departmental accountability, making the cloud manageable. Instead of slowing adoption, they built the operational infrastructure needed to understand and control it. Today, cloud cost governance is a mature discipline. And AI token governance is at the beginning of the same curve.

The departmental pattern that the roundtable surfaced reinforced this. In most of the businesses represented, the most mature AI users were in operations and the most experimental in engineering, with finance sitting somewhere in between. Finance teams are typically curious about AI and capable of using it, but without the right tools to govern usage-based spend. That gap is both a challenge and an opportunity. Finance eventually got cloud governance right, so the question is how long it will take to get there with AI.

The rise of shadow AI: the spend finance cannot see

Just as shadow IT emerged when employees adopted cloud applications and file-sharing tools outside official channels, shadow AI is spreading through organisations at a pace that governance has not kept up with.

The scale of ungoverned use is striking. 

According to the “State of Shadow AI” report by UpGuard, more than 80% of workers, including a remarkable 90% of security professionals, use unapproved AI tools. 
Another report by Reco found that 71% of office workers admit to using AI tools without IT approval. 
And according to KPMG’s “Trust in AI” report, 57% of employees actively hide their AI use at work.

Most AI tool adoption happens at low price points that fall below the threshold that triggers a formal procurement review. But the problem isn’t only cost visibility. Each of those tools comes with its own terms of service, data handling and security policies. Finance teams adopting them are implicitly agreeing to those terms on behalf of their business, often without legal or IT review.

For finance specifically, this exposure is critical. The data finance professionals work with daily is among the most sensitive in any business. When it enters an ungoverned AI tool, they lose control over how it’s stored, processed, and potentially used to train the AI model. The latter is exactly what many AI tools do, unless an enterprise agreement explicitly prevents it.

AI-associated data breaches are common, and they cost businesses an average of more than $650,000 per incident, according to IBM’s 2025 “Cost of a Data Breach” report. Ungoverned AI spend is more than a matter of budget: it can lead to far more serious problems.

The audit trail problem: AI-generated outputs lack traceability

There is a third dimension that receives less attention than cost and compliance, but matters just as much to finance leaders: the audit trail. Finance functions operate on the assumption that decisions can be traced and verified. If an output was generated, there should be a record of how it was produced.

AI-generated outputs often lack this traceability. If an AI tool used for forecasting, vendor communication, or financial modelling is no longer in use or its reasoning cannot be reconstructed, the audit trail breaks. Still, both internal and external auditors are expected to review AI controls and assess governance maturity.

KPMG’s Global AI in finance research found that businesses leading AI adoption are already building governance and internal control frameworks specifically for AI-generated financial reporting. Those frameworks are becoming the baseline expectation, and finance teams that have not started building them are falling behind.

The annual budget is gone; AI just makes it more obvious

One finding from the London roundtable genuinely surprised me. When I asked whether organisations should budget more frequently to keep pace with AI’s cost volatility, everyone said that annual budgets were already a thing of the past. All of them continuously re-forecast, something that had already shifted before AI and is now gaining even more traction.

This matters because it reframes the governance challenge. Finance teams have already abandoned annual planning cycles. The challenge now is building the tooling and accountability structures to make continuous forecasting work for AI spend specifically. That means treating AI cost as dynamic, usage-based, and subject to rolling review rather than annual allocation.

The ROI challenge adds to this. Explaining the value of an AI token to the board is like explaining brand awareness. You know it matters, the teams using it are convinced it’s working, but the numbers are hard to pin down in a way that satisfies a direct ROI question. Building measurement frameworks alongside governance frameworks is part of the same work, and finance is better positioned to lead this work than any other function.

Effective governance of AI adoption: here’s what it actually looks like

The function that says no to AI tools doesn’t stop adoption; it simply pushes it underground, where the cost exposure and data risk are higher. Effective governance is not about restriction, but about creating a clear path for approved use that gives teams what they need without creating the visibility gaps that ungoverned adoption produces.

Three principles define governance that enables AI adoption:

  • Make each department accountable for forecasting its own AI needs, not just using them. Finance can’t be the only function thinking about AI costs. When each team owns its forecast, the visibility problem starts to solve itself. This is the same accountability model that made cloud cost governance work, and it’s also what AI cost governance requires.
  • Finance is a partner, not a gatekeeper. The most valuable thing finance can do for AI adoption is help teams make better procurement and deployment decisions. That can mean understanding the differences between models priced for complex reasoning and cheaper options for routine tasks, or knowing when a cloud API arrangement makes sense versus an enterprise contract with committed capacity and governance controls.
  • Build controls that protect production budgets while creating dedicated room for experimentation. A cap on AI spend kills the experimentation that generates competitive advantage. A budget structure that makes room for experimentation does the opposite. It gives teams a safe space to build and iterate, and gives finance the visibility it needs to make informed decisions about what moves from experiment to production.

Where CFOs will win: closing the governance gap on AI

Across the 16 finance leaders in London, there was a common source of anxiety, namely that AI is moving faster than the frameworks designed to manage it. The spend and compliance exposure are real, and the audit trail questions are beginning to arrive from auditors who are themselves getting up to speed on what AI governance should look like in practice.

But the framing is competitive positioning, not risk. The businesses achieving the best returns on AI are those that prioritise governance frameworks that allow them to scale with confidence alongside capability investment.

Finance teams that govern AI spend well will use it at a greater scale and with significantly lower exposure than those that don’t. For many businesses, the future of agentic AI is already here, growing fast and often operating outside the frameworks built to manage it. 

The gap between where AI is and where governance is represents the most actionable risk on the CFO’s desk right now, and closing it is an investment that makes business operations sustainable.