
The Shadow AI Problem Is Already in Your Buildings

March 17, 2026

TL;DR: Shadow AI in commercial real estate isn't your corporate team using ChatGPT. It's every vendor in your building running AI on your operational data — leasing platforms, energy systems, access control — under their governance, not yours. The fix is owner-controlled data infrastructure, not banning vendor AI.

Every operator I talk to is thinking about AI risk at the wrong level.

They are worrying about whether to sanction a copilot for their corporate team. They should be worrying about what is already running inside their buildings.

Camden just settled its RealPage algorithmic-pricing lawsuit for $53M. That was not an AI story on the surface. It was a governance story. An owner outsourced a core pricing decision to a vendor-controlled model and then could not show who decided what, on what data, under what rules. The settlement is just the receipt.

Now layer what else came through this week. CoStar reports that OpenAI, Anthropic, Nvidia, and Databricks have quietly become the largest net absorbers of U.S. office space. Blackstone filed for a $100M Data Center REIT IPO to house that demand. Anthropic disclosed a new AI tool, Mythos, that can already find thousands of software vulnerabilities faster than any human team. And AppFolio research, referenced in CRE Daily this week, says 73 percent of capital partners now expect AI-enabled insights from the asset managers they back.

Each of those stories lands on a different part of your building. Together they tell one story: AI is no longer arriving. It is here, it is faster than your governance, and it is making decisions on data you do not control.

The Pattern Behind the Noise

Geoff Woods at AI Leadership framed this well in a note to CEOs last week. He called it the shadow AI problem. Employees are pasting customer data into consumer AI accounts because sanctioned tools are too slow or too locked down. Top performers go first. By the time IT notices, the horse is out of the barn.

The same pattern is live at the building level, just one abstraction layer up. Every vendor in your building is running its own version of shadow AI right now.

The leasing platform is training models on your tenant pipeline.
The access-control vendor is running analytics on your foot traffic.
The energy platform is optimizing HVAC against its own benchmarks, not yours.
The tenant-experience app is collecting behavioral data on every occupant.
The managed-WiFi provider knows more about how your tenants actually use the space than you do.

None of that is inherently bad. Some of it is genuinely useful. But notice what it has in common: the intelligence generated from your building is flowing into someone else's system, governed by someone else's rules, and priced into someone else's product roadmap. Your building is producing data every day. You are renting the benefit of it back.

That is the real shadow AI problem for owners. Not what your corporate team is doing on Claude. What your vendors are doing on your assets.

Why This Matters Now, Not Next Year

Three forces are compounding this risk on a tight timeline.

First, the capital markets signal is clear. Blackstone filing a dedicated data center REIT says out loud what the private markets have been saying quietly: data and digital infrastructure are now the asset. Every owner whose assets generate data but do not own it is competing with owners who do. That gap will show up in cap rates.

Second, the tenant mix is changing. AI-native tenants are moving into traditional office space fast. Those tenants need clean power, enterprise-grade connectivity, secure segmented networks, and a building that does not fight their stack. Buildings that cannot deliver that are leaking prospects.

Third, the governance failures are getting expensive. The Camden settlement is one signal. Marsh McLennan reported this week that mainstream insurers are growing more squeamish about multifamily risk. Anthropic's Mythos disclosure is another. When AI can find vulnerabilities at machine speed, the difference between a segmented owner-controlled network and a sprawling vendor-managed one is the difference between a quiet audit and a front-page incident.

A Practical Response

The owners who get through this year without a governance scar are going to follow a simple sequence. At OpticWise we call it the PPP 5C plan. It works because it gets owners out of the vendor-driven loop and back into the owner-driven loop.

Clarify. Write down, per property, what data matters, where it lives, and who owns it. Not the vendor's answer. Your answer. Most owners cannot answer this cleanly on a full portfolio today. That is the gap.

Connect. Build a single, secure, segmented data and digital infrastructure that every vendor plugs into. No rogue networks. No vendor-laid fiber running alongside your own. No devices living on unmanaged SSIDs.

Collect. Normalize the data coming off your buildings into a consistent model you actually own. When every property sends data in the same shape, your portfolio finally becomes comparable.

Coordinate. Govern identity, access, lineage, retention, and rules of use across every system that touches the building. This is the layer where algorithmic pricing lawsuits are lost or won.

Control. Let any decision engine — a vendor platform, an internal analytics tool, an LLM you choose tomorrow — act under your permissions, on your data, inside your rules.

The companies getting AI governance right at the enterprise level are doing the same thing at the building level: they are sanctioning a single path that is faster and better than the shadow path. Shadow AI disappears not because you banned it but because you made it irrelevant.

If you are still running the building with the vendor stack your property manager approved five years ago, you are not managing AI risk. You are paying for it quarterly.

The owners who get this right will look around in eighteen months and notice their buildings are operating as actual digital assets. Their portfolios will price differently. Their tenants will stay longer. Their incidents will stay smaller. Their leverage with every vendor will be higher because they can credibly say, “if you cannot plug into our standard, we can switch — without rewiring the building.”

That is the move.

If you have not audited the data and digital infrastructure in your buildings in the last 18 months, that is the first conversation to have. Not next quarter. This quarter. The operators who are about to look overbuilt on governance are the ones who are going to look generationally right on control.
