“Shadow mode” (sometimes called a dark launch) lets you run a new AI copilot alongside your current process, using real traffic, but without showing its answers to staff or customers. You see how it behaves in the real world—accuracy, latency, cost—before you switch it on. It’s a low‑risk way for UK SMEs and charities to validate value without reputational jeopardy.
Shadow mode is a well‑understood release tactic in software reliability. Google’s Site Reliability Engineering guidance describes “canarying” and “traffic teeing” (copying real requests to a test service and discarding responses) as safe ways to test changes with real production signals. For AI, it’s ideal: you can compare the copilot’s outputs with your current workflow while keeping users unaffected. See Google’s canarying/teeing overview and trade‑offs, including when to run only one canary at a time to avoid signal contamination. Google SRE: Canarying releases and traffic teeing.
If you run on AWS, you’ll also encounter “traffic mirroring” and purpose‑built shadow testing features. Amazon documents traffic mirroring for VPCs (copying network traffic for analysis) and provides SageMaker “shadow testing” to compare new models against production without affecting users. AWS VPC traffic mirroring, SageMaker: shadow testing.
This article gives you a 14‑day plan, the decision checkpoints, and the KPIs to track. It also includes procurement questions and a practical risk/cost table you can paste into a board pack.
When shadow mode is the right choice
- You need confidence on real work (tone, facts, formats) before exposing customers or fee‑earners to AI suggestions.
- Your process is high‑stakes or high‑volume (complaints handling, advice letters, grant decisions, customer replies).
- You want to quantify benefits (accuracy, speed, cost) and failure modes before staff adoption training.
It’s also a clean stepping stone into canary releases, where a small percent of users see the new behaviour. If you’re planning that step next, see our related post on safe releases. Ship AI changes safely: version pinning, canaries and rollbacks.
Your 14‑day shadow‑mode plan
Days 0–1: Choose one high‑leverage task and a baseline
- Pick a single, repeatable task with clear “good” vs “bad” outcomes. Examples: email triage labels, call‑wrap summaries, invoice query replies, knowledge answers for staff.
- Collect a small gold set of 100–300 recent cases with the “right” outcome (what a competent human produced). This is your baseline to compare against.
- Nominate an accountable owner in Ops and a technical contact. Agree decision criteria now (e.g., “≥90% match on labels; ≤5% critical errors; p95 latency under 3s; cost per item ≤£0.03”).
Days 2–3: Set up the safe sandbox and logging
- Ensure the shadow system cannot send emails or trigger actions. It should only log its outputs for review.
- Turn on request/response capture for both your current process and the shadow copilot (inputs, outputs, confidence, latency, token/compute usage). If you’re on AWS, read their shadow testing notes on cost/complexity trade‑offs. AWS: Deploy shadow ML models (blog).
- Apply basic security hygiene: least‑privilege access, separation of dev/test from production, and incident plans. The UK government’s AI Cyber Security Code of Practice summarises pragmatic controls for SMEs and operators. DSIT: AI Cyber Security Code of Practice (2025).
Days 4–5: Mirror real traffic (safely)
- Send a copy of live requests to the copilot. The production answer still comes from your current workflow; the copilot’s answer is discarded, but logged.
- Avoid shared state between live and shadow paths (e.g., caches) so results aren’t skewed—one of the caveats in Google’s “teeing” guidance. Google SRE: traffic teeing.
- If you lack built‑in mirroring, commercial and open‑source tools support “shadow testing” with response diffing. GoReplay: shadow testing overview.
Days 6–7: Define measurement slices and acceptance thresholds
- Overall KPIs: accuracy vs baseline, critical error rate, p95/p99 latency, cost per item, deflection or time‑saved estimates.
- Slices: new vs returning customers, by product, by channel, by reading age, by template type; rare classes may need special attention.
- Set alert thresholds for automatic rollback in later phases (e.g., if cost per item doubles, or accuracy drops below 85%).
Days 8–10: Run the shadow quietly and red‑team edge cases
- Let the shadow run across at least two weekdays and one weekend day to catch volume/seasonality.
- Feed known “tricky” prompts and edge documents through the shadow path (adversarial inputs, ambiguous requests, unfamiliar formats). UK NCSC and CISA’s joint guidance recommends threat‑modelling AI‑specific failure modes—use those as inspiration. CISA & NCSC: Secure AI System Development.
- Track any content that could cause harm if shipped (wrong legal basis, off‑tone replies, unsafe suggestions). Mark them as “critical” for your go/no‑go later.
Days 11–12: Compare, annotate, and present
- Compare shadow vs baseline outputs. Score them: exact match, acceptable variant, unacceptable.
- Estimate operational impact. Example: “If we shipped at today’s accuracy, 65% of emails need no hand edits; 25% need light edits; 10% would be bounced to a specialist.”
- Draft a one‑page decision: benefits, risks, mitigations, costs, and a staged rollout plan (10% canary next; staff training; monitoring SLOs). For monitoring ideas, see our 30‑day observability sprint. The 30‑day AI observability sprint.
Days 13–14: Decision and next step
- If thresholds are met, plan a small canary (e.g., 10% of internal users) with rollback. If not, pause, fix the top 3 failure modes, and re‑run the shadow for another week.
- Lock in ownership: who watches the dashboards daily, who can rollback, and who leads weekly reviews.
What to measure: KPIs and thresholds
| KPI | How to measure in shadow mode | Typical threshold to ship |
|---|---|---|
| Task accuracy | Compare to your gold set or human output: exact match, acceptable variant, unacceptable. | ≥90% acceptable or exact; ≤2–5% unacceptable (critical) depending on task risk. |
| Critical error rate | Count any output that would mislead a customer, breach tone, or pick the wrong category. | ≤1–2% for customer‑facing content; ≤5% for internal drafts with human review. |
| Latency (p95/p99) | From request to shadow output, not user‑visible but still crucial for staff experience. | p95 under 3s for quick tasks; under 8s for long‑form drafts. |
| Cost per item | Compute or token spend divided by number of items processed in the shadow path. | At or below baseline human time cost target; alert if >2× baseline. |
| Coverage | % of requests where the copilot produced a usable answer (not “I don’t know”). | ≥80% coverage, with safe abstentions for genuinely unknowns. |
| Staff edit rate | On a sample, how many shadow outputs would require light vs heavy edits. | ≤30% heavy edits before go‑live; trend improving week‑on‑week. |
If performance varies by cohort (e.g., product line or document type), ship only where thresholds are met and keep shadowing the rest.
Security, governance and “safe by default”
- Keep the shadow isolated and read‑only. Suppress outbound actions; log everything.
- Use least‑privilege credentials and separate environments for dev/test vs production. These align with the UK’s AI Cyber Security Code of Practice. Code of Practice (HTML).
- Follow joint guidance from NCSC and CISA on securing AI development and deployments (threat‑model attacks like prompt injection, data poisoning; document models and prompts; plan incident response). CISA/NCSC: guidelines.
- If you mirror traffic at the network layer, review cloud security implications and data handling. AWS VPC mirroring.
These are not box‑ticking exercises; they cut real risk during fast experimentation. If you’re planning a busier January, a small amount of structure now avoids messy fire‑drills later. For capacity planning tips, see our 15‑day AI load test and capacity plan.
Costs, risks and trade‑offs
Shadow mode usually doubles inference calls for the scoped task (you run live and shadow in parallel), so expect temporarily higher compute/API spend and some engineering time to wire up logging and comparisons. The upside: you avoid costly rollbacks, reputational harm, and staff churn caused by poor early experiences.
| Area | Typical risk/cost | Mitigation |
|---|---|---|
| Spend spike during trial | Temporary 1.5–2× cost on the chosen task while both paths run. | Limit scope to one workflow; sample to 25–50% of traffic; set spend alerts. |
| Skewed results from shared state | Shadow shares cache or queue with live path, hiding latency issues. | Decouple caches; follow Google SRE’s warning on teeing pitfalls. |
| Security/data leakage | Mirroring routes sensitive data to the wrong place. | Mask fields; restrict egress; follow DSIT/NCSC code; keep environments separate. |
| Team trust | Staff assume “the robot is replacing me.” | Co‑design evaluation; publish acceptance thresholds; keep a human‑in‑the‑loop. |
| Over‑generalisation | Shadows one use case; leaders extrapolate to all work. | Ship where thresholds are met; keep shadowing other cohorts. |
Procurement questions to ask vendors this week
- Shadow support: “Can you run in shadow mode (no user‑visible impact), log inputs/outputs, and compare against a baseline?”
- Observability: “Do you expose latency, error, and cost metrics per request and per cohort?”
- Guardrails: “How do you handle unsafe content, prompt injection attempts, or unknown answers? Can we enforce abstain behaviour?”
- Security: “Can you operate in a separate environment/tenant and restrict outbound actions during trials?” See the UK AI Cyber Security Code of Practice for baseline controls. DSIT Code.
- Rollout: “Can we promote from shadow → canary → full rollout with version pinning and instant rollback?”
- Costs: “How do we cap spend during trials? Do you support sampling, caching, or cheaper model fallbacks?”
Decision tool: Shadow, canary, or A/B?
- Pick shadow if risk is high, outputs are subjective, or you lack live‑time to review edits. You need real traffic data without user impact.
- Pick canary if the task is well‑scoped, you have rollback, and your thresholds were met in shadow mode. Start at 5–10% of users or tickets.
- Pick A/B if outcomes are objective and easily measured at volume (click‑throughs, form completion), and you’re ready to expose some users.
Whatever you choose, keep a simple, documented rollback. Our practical guide to UX trust signals can also help reduce user confusion when you do go live. Fix the “moment of confusion” in your AI copilot.
Rollout checklist (paste into your board pack)
- Scope agreed, owner named, baseline collected.
- Shadow path isolated, no outbound actions; logging on.
- Security reviewed against UK AI Cyber Security Code; least‑privilege credentials applied.
- KPIs set with thresholds by cohort; dashboards visible to Ops and product owners.
- Red‑team run completed; top 3 failure modes documented with mitigations.
- Go/no‑go review done; canary plan and rollback defined; staff training slot booked.
References & further reading
- Google SRE on canary releases and traffic teeing. Read the guidance.
- UK Department for Science, Innovation and Technology: AI Cyber Security Code of Practice (Jan 2025). Code + implementation guide.
- CISA & UK NCSC: Guidelines for Secure AI System Development (Nov 2023). Overview.
- AWS concepts you may see: VPC traffic mirroring; SageMaker shadow testing. Traffic mirroring, SageMaker shadow testing.
- Engineering examples of “shadow testing” and traffic diffing. GoReplay, Uber: Auto‑shadow for ML.