AI in the shadows: A conversation with Asha Palmer, J.D., CCEP, LPEC, of Skillsoft

If your practice hasn't sanctioned an artificial intelligence (AI) tool, that doesn't mean nobody is using one. Across independent and small group practices, clinicians are regularly reaching for consumer tools like ChatGPT or Claude to draft notes, work through clinical questions and cut down on administrative load — usually with good intentions, and usually without their employer's knowledge. That blind spot is widely referred to as “shadow AI.”

We sat down with Asha Palmer, J.D., CCEP, LPEC, senior vice president of compliance solutions at Skillsoft, to learn more.

Palmer, a lawyer by background, has spent considerable time advising organizations on exactly this challenge. She talks through why shadow AI persists, what governance actually looks like for a smaller practice and why the conversation with clinicians has to come before the policy does.

Why are clinicians using AI tools their organizations haven't approved?

Palmer doesn't frame shadow AI as a disciplinary problem, but as an organizational failure.

When a practice hasn't sanctioned any AI use, hasn't defined acceptable use cases and hasn't given clinicians a tool that meets their needs, they find one themselves.

"No one wakes up and says, 'I have enough hours in the day,'" she said. Clinicians are reaching for these tools because they're trying to do their jobs better, not because they're trying to create compliance headaches.

The organizations most likely to see heavy shadow AI use, she said, are the ones that have responded to AI anxiety by banning it outright. Bans don't eliminate use, they just push it underground. "People go behind the scenes and use them anyway," Palmer said. The result is that practices lose the visibility they need to manage risk.

What are the real risks of shadow AI in clinical settings?

The data risk is real but often misunderstood. Palmer said many clinicians already grasp the basics of patient data protection, but the more underappreciated risk is on the output side: inaccuracies, inconsistencies and hallucinations in AI-generated recommendations or summaries.

"The bigger risk is inconsistencies and inaccuracies in outcomes or recommendations," she said. "Is it hallucinating? Did it make something up that does not exist?" In a clinical environment, where AI is still, as she put it, "in its infant stage," that risk is not hypothetical. Palmer said she recently caught an AI tool drawing an inaccurate conclusion from its own source data — the kind of error that's easy to miss when no one is monitoring what tools are being used or how.

When shadow AI is in play, none of that is visible. Practices can't audit what they can't see.

What should a small practice's AI governance plan actually look like?

Palmer's governance framework is intentionally straightforward. It starts with a conversation, not a policy. Bring clinicians to the table and ask how they're already using AI, how they want to use it and how the organization wants them to use it. Those are three distinct categories, and all three matter.

From there, the work is to map the risks associated with the identified use cases, decide how to mitigate them — whether through procuring a private version of a tool, establishing input controls or other measures — and then build in ongoing testing and monitoring to check whether the controls are working and recalibrate as needed.

"Lawyers and compliance professionals can overcomplicate governance," she said, "but it can actually be quite simple."

For smaller practices, she noted, there's an advantage: leadership has more direct visibility into the workforce and more opportunity to bring people into the conversation early.

Is AI a compliance issue or just an IT problem?

Palmer pushes back on the tendency to treat AI as purely an IT concern. Your IT team can monitor systems and block certain inputs, but that's reactive. The more important work is proactive, and it requires multiple functions at the table.

A practice manager thinking about AI through the lens of efficiency and business growth will see different use cases than a compliance officer thinking about liability and a technologist thinking about data security. All three perspectives are necessary. "Everyone has to be at the table when deciding how the organization wants to use this technology to accelerate without making itself vulnerable," she said.

Before any AI tool goes live, she recommends thorough vendor due diligence: asking where data goes, how models are trained, whether the vendor tests for fairness and accuracy and what their own governance structure looks like. "What is their governance structure that can help support your governance structure?" she said. "That is very important before anything goes live."

What should practice leaders do if they suspect staff are already using unsanctioned AI?

Palmer's first recommendation is to resist the instinct to treat it as a firing offense. Her actual first recommendation is to ask why.

"What are you not providing that they feel is so necessary to deliver their standard of care that they need this tool?" she said. Shadow AI use is diagnostic information. It tells practice leaders where the gaps are in their current tools, policies and culture. Listening to that signal — rather than punishing it — creates an opportunity to build something better.

That said, she does recommend having a clear written policy on sanctioned AI use before any tool goes live, and revisiting that policy when unsanctioned use surfaces. The discovery of shadow AI, she said, is an invitation to ask: "What am I missing here? What do I need to expand in my own thinking?"

Her closing message was direct: banning AI is not a sustainable strategy. Clinicians will use it on their phones if they can't use it at work. The only question is whether the practice has any visibility into how. "If people are using it in the shadows, you are losing control of your data, your people and eventually your practice," Palmer said.