Paubox webinar recap: Shadow AI is outpacing healthcare security
Lilly Ohno
Dec 10, 2025 2:39:08 PM
Paubox hosted a fireside chat exploring the rise of shadow AI in healthcare and how organizations can stay ahead of emerging risks. The session brought together Dean Hoffman, IT Lead, and Dawn Halpin, Demand Generation Manager at Paubox, and was moderated by Lilly Ohno, Product Marketing Manager at Paubox.
Key themes
Shadow AI is already widespread and moving faster than governance
One of the most eye-opening statistics discussed was the gap between AI usage and official approval. Dawn explained that a Paubox report on shadow AI showed that 95% of healthcare organizations believe staff are already using AI tools, yet only 25% have formally approved any AI usage.
She noted, “Everyone is trying to keep up with the technology… IT and compliance just haven't been able to catch up to the pace that everybody else is moving at.”
Employees aren’t being malicious; they're trying to be more effective in their jobs
Across roles and departments, staff are reaching for AI because it feels like the fastest way to reduce manual work and increase their productivity. These conveniences introduce significant risk when the tools are not configured correctly, or when employees don’t realize they’ve connected them to sensitive data.
IT leaders may be overconfident in their ability to prevent an AI-related HIPAA breach
Paubox's report found that 41% of leaders feel confident they could detect improper AI use before a HIPAA violation occurs. Yet, most shadow AI activity happens silently and without visibility. The panel emphasized that this overconfidence can leave organizations exposed. Dean noted that without proper tools, "it’s very, very hard to have visibility into all of these AI platforms."
Note-taking AI tools are a hidden but serious blind spot
One of the most repeated concerns was the rise of AI-powered meeting note-takers that automatically join calls, record conversations, transcribe discussions, and store summaries. "You'll join a meeting and somebody signed up for some free AI note-taking tool… you have no visibility into what they're doing with your data," says Dean.
This risk multiplies when employees meet with vendors, contractors, or partners whose note-taker tools cannot be controlled.
Policies matter, but communication matters more
Across the conversation, the panel underscored that strong governance is not just about rules—it’s about clear communication and making approved tools easy to adopt.
Dean emphasized the need for leadership teams to communicate policies to employees. "You need your leadership team behind that policy…If it’s not viable for folks to follow, you’re just going to have tons of AI sprawl."
The final wrap-up
AI is unavoidable, so start with visibility, education, and reasonable guardrails
The panel closed with advice for organizations beginning their AI governance journey:
- Assume AI is already being used, even if you don’t see it
- Put a clear, reasonable policy in place
- Communicate approved tools early and often
- Verify HIPAA compliance rather than trusting marketing language
- Implement systems that help IT see OAuth connections and shadow AI behavior
Download the full Shadow AI is outpacing healthcare email security report to read the complete findings and guidance for IT and compliance leaders.
