2 Sources
[1]
Think Twice Before Using That Unsanctioned AI App at Work
Barbara is a tech writer specializing in AI and emerging technologies. With a background as a systems librarian in software development, she brings a unique perspective to her reporting. Having lived in the USA and Ireland, Barbara now resides in Croatia. She covers the latest in artificial intelligence and tech innovations. Her work draws on years of experience in tech and other fields, blending technical know-how with a passion for how technology shapes our world. You know that moment when you ask ChatGPT to polish a work email or summarize meeting notes? It may seem harmless at first, but using the wrong tool or giving it the wrong information can create a much bigger problem. Shadow AI is what happens when people use artificial intelligence tools at work without company approval, oversight or security review. That could be ChatGPT, Gemini, an AI note-taker during a meeting, an image generator or some other tool you opened because it helped you finish something faster. Most people aren't trying to leak company secrets or do anything nefarious. They're doing it because work is full of long documents, messy spreadsheets, meeting notes and wordy emails. But the road to hell is paved with good intentions. Once you put work information into an unapproved AI tool, your company may lose control over where that information goes, how it's stored and whether anyone can protect it. "Once the proprietary sensitive and confidential data is out, it's out," Edward Wu, founder and CEO of Dropzone AI, told CNET. That's why shadow AI is becoming one of the trickiest workplace AI problems. It can save time, but it can also move company information to somewhere your employer can't control it. Let's break down what this means for you and how to use AI at work without creating a mess for yourself or your company. What is shadow AI? "Ultimately, shadow AI is the usage of AI tools that have not been preapproved, reviewed and sanctioned by the IT and security team," Wu said. It's similar to shadow IT, which is when employees use unapproved apps or software at work. That's usually where the trouble starts. Not because you used AI to clean up a sentence, but because you gave it something your company would rather keep private. A quick shortcut can turn into an accidental data leak. That could be customer names, internal documents, source code or financial information. That doesn't mean every use of AI at work is dangerous. Asking AI to rewrite a generic email is different from pasting in a customer complaint or a legal memo. Approved AI tools usually come with privacy controls, security settings and rules about what happens to your data. A random free tool may not. Even if the tool says it doesn't train on your data, you may not know how long it stores your prompt or who can access it. "When you have your entire codebase and copy and paste it into a free-tier AI tool, you bet that code is going into training data immediately, and there's no way to undo that," Wu told CNET. Why people use shadow AI Let's be honest, AI tools are useful. That's the uncomfortable truth. Generative AI can help you draft emails, summarize reports, record meeting notes, clean up messy text, analyze data and brainstorm ideas. Those tasks eat up huge parts of the workday, and AI tools often feel faster than waiting for your company to approve something official. Microsoft's 2026 Work Trend Index shows why workers keep reaching for AI. The report found that 58% of respondents said it helps them take on tasks they couldn't have handled a year ago. Wu tells CNET that's the point companies shouldn't ignore. "The existence of shadow AI means there is productivity to be gained by certain functions. I don't think people are using AI tools for fun at work," Wu said. Employees are moving faster than company policies. Some workplaces still don't have clear AI rules. Others have rules buried in security documents no one reads unless they're already in trouble. Some companies ban public AI tools but don't offer a useful alternative. Shadow AI also doesn't always look like a separate app. It can live inside a browser extension, email plug-in, search engine, spreadsheet assistant or meeting recorder. You may think you're just clicking the helpful button, not using AI. When you're under pressure to do more with less, the free chatbot sitting in the next AI browser tab starts to look tempting. The risks companies see in shadow AI One small shortcut can expose more than you meant to share. "I think the biggest risk, obviously, is kind of uncontrolled data exposure," Wu said. AI tools need context to work well. That context might include internal tickets, documentation, customer details, contracts and code. Once that information is entered into an unapproved tool, the company may be unable to track it or retrieve it. IBM's 2025 Cost of a Data Breach Report found that 20% of organizations had unauthorized AI tools in their environments, while 63% had no AI governance policy or were still developing one. That's another sign that companies are still catching up to how fast AI is being used. AI output can also sound right even when it isn't. That's called an AI hallucination. A chatbot can summarize the wrong point, invent a detail, miss context or produce a confident answer that falls apart once someone checks it. If you use that output in a financial analysis or technical document, the shortcut may create more work than it saves. If AI-generated work goes out with false details, private information or sloppy mistakes, your company may not only have to fix the error but also deal with reputational damage. Being put on the internet wall of shame nowadays can come with a hefty price. For example, Deloitte faced public backlash and a mandatory review after submitting a million-dollar government report that contained fabricated, AI-generated research citations. The net consequence is clear: A tool that saves you 10 minutes can create a problem your company spends weeks cleaning up. Lawyers have already learned this the hard way after filing court documents with fake AI-generated case citations. Why banning AI usually doesn't work "Banning AI tools generally pushes more people to go kind of underground," Wu said. "Very similar to when parents tell teenage kids to stop using Instagram. That kind of never works." If you know AI can save time and your company doesn't provide a useful approved option, you may look for another way. You might use a personal account, your phone, a browser plug-in or a tool that looks harmless enough to slip by. A better policy focuses on what you're using AI for and what data you're putting into it. Your company might allow AI for brainstorming or summarizing public information, while banning customer data, confidential documents, unreleased product plans, financial records or source code in public tools. "[The] marketing team may feel free to use AI tools to generate images, right?" Wu said. "But you know, customer success team, please don't copy-paste customer interactions directly into unsanctioned tools." That kind of rule works better because it tells you where the line is. Wu says it's hard for individual workers to self-police what's appropriate, especially when AI tools have different privacy settings that aren't always obvious. "If things are not clearly spelled out, then it's left for interpretation," Wu said. Companies need clear guidelines that explain which tools are approved, which data is off-limits and which tasks require human review. What to do if you use AI at work If you use AI at work, assume anything you paste into a tool is out there forever. Check whether your company has an approved AI tool or policy. Don't upload sensitive, internal information in public tools or anything marked confidential, unless your company has explicitly allowed it. If you're not sure, don't paste it. Treat AI like Santa's little helper, but don't outsource your intelligence. Check facts, verify summaries, rewrite awkward lines and make sure the final version still sounds like a person who knows what they're talking about. While AI may have done the writing or summarizing, remember that it's your reputation -- or your company's -- at stake if there are mistakes. Shadow AI exists because people have found tools that help them work faster. That's not going away. The real challenge is making sure the shortcut doesn't turn into a security problem or one very awkward meeting with IT and HR.
[2]
Shadow AI - over-confidence and complacency are a toxic enterprise mix with disaster just around the corner...
A US financial services firm has provided a useful reminder of the dangers of the encroachment of Shadow AI within the enterprise, but will anyone listen? Pennsylvania-based CB Financial Services revealed in a recently-filed material cybersecurity Form 8-K with US regulators that employees were able to use un-authorized AI to bypass IT firewalls, resulting in the accidental disclosure of customer names, social security numbers and dates of birth. It wasn't even, it appears, an intentional act - an employee put such sensitive data into an unauthorized chatbot to save time. According to the filing, on this occasion the incident did not involve a disruption to the bank's operations, customer access to accounts or services, payment systems, or core information technology infrastructure. But the volume and sensitive nature of the non-public information concerned raised warning flags internally. It's clear this could have been a lot worse and CB Financial Services have now launched internal reviews to ensure it can't happen again, but similar incidents are likely to become increasingly common as users within organizations become more and more exposed to AI as part of their working lives. Impatient/unsatisfied with the sort of corporate AI they're offered compared to the stuff they use in their consumer lives, the temptation will grow to 'bring their own' into the workplace. This places a burden on the IT and governance teams to ensure that operational guardrails and processes are in place to rein this in. Cross-sector issue It's happening across all business sectors, including some that are highly-regulated and handle enormously sensitive personal data. According to the 2026 Nutanix Healthcare ECI study, an international poll of 1,600 cloud, IT, and engineering execs, Shadow AI is rife and largely unmanaged. Seventy-nine percent of healthcare organizations report AI applications or agents being implemented by employees in non-IT functions. The dangers associated here are appreciated - some 83% believe that AI tools and agents operating outside official oversight create business risk. So why is it happening? It's down to organizational barriers, as the most common reason cited. Silos between business units and IT make it difficult to effectively execute technology initiatives, according to 83% of respondents. A second study, Writer's 2026 AI Adoption In The Enterprise survey, backs up the threat Shadow AI exposes organizations to. Sixty-seven percent of respondents here say their company has already suffered a data leak or breach due to un-approved AI tools. Seventy-nine percent say AI applications are being created in silos with individual departments deploying AI tools independently. Meanwhile 35% of employees admit to entering proprietary information into public AI tools. Some 40% say they'll just use whatever it takes to get job done, while 32% think IT-approved tools are terrible. And nothing is being done about it, it seems. Fifty-five percent describe AI use as a "chaotic free-for-all" at their company, 36% don't have any formal plan for supervising AI agents, and 35% wouldn't be able to shut down a rogue agent if it was detected. And over a fifth of respondents (21%) claim that their manager knows what's happening, but turns a blind eye to it! So what are organizational leaders playing at here? Is this really wilful blindness or 'rabbit in the headlights' panic at an oncoming storm? Identity management firm Okta's AI Agents at Work 2026: Securing the agentic enterprise report may provide some insight here. Surveying 292 executives and 492 knowledge workers across seven countries, the findings suggest that leaders vastly under-estimate the prevalence of Shadow AI, and thus the risk levels to which they are exposed. It seems to be a potent combination of over-confidence and complacency at play here. An overwhelming 90% of those polled said they have confidence in their organization's visibility into AI tools, while even more (95%) assume their employees are using AI responsibly. This despite the data also finding that over half (52%) of knowledge workers admit to using unsanctioned AI tools at work, nearly a quarter (24%) admitting to doing so regularly. Of those using unapproved AI tools, the top three most-shared types of information included internal messages and emails (54%), HR-related information (45%), and confidential company documents, including financials and contracts (39%), just the sort of thing to land you on the receiving end of a lawsuit or unwanted regulatory attentions. Meanwhile over 20% of those using un-approved tools are also sharing login credentials and passwords, and 28% are sharing banking and payment information, throwing open the corporate window to external cyber-attack from bad actors. What to do? So is there a need for the immediate introduction of draconian governance regimes to clamp down on all this? Bill Patterson, EVP of Corporate Strategy at Salesforce, suggests: 'Bring your own AI' is not something I think many IT organizations want to think about, because it creates a security risk for companies. And then also, ubiquitous access of AI means that a lot of people are just using the tool for the wrong purpose and job. I don't know if I think of it necessarily in the world of governance and control. I definitely think of it as maybe appropriate use and economic value, and so I do think this means that, you know, we probably need to help companies navigate this moment. Fo his part, Mark Williams, COO, Sharp UK, argues: Trust and clarity are key to implementing AI in the most effective way, right from the C-Suite down to every layer of business operations. Businesses must create the frameworks and shared understanding of what good AI use looks like to enable them to lead by example. These aren't the concerns of people resisting AI. They're the concerns of people trying to navigate it without enough support and enablement to get the most from these tools. Williams notes that a sizeable chunk of business leaders do already recognise the risk., but adds: The gap between recognising it and doing something about it is where the real work is. This about culture and mindset, and leaders are in the best position to set the tone on this. Not by having all the answers, but by being open about how they're using AI themselves. This changes habits faster than any policy. My take One of the ironies here is that it was Shadow IT that took many of today's SaaS leaders into the enterprise landscape on 'land and expand' missions that lead to their market dominance over the legacy contenders, when employees swiped a credit card to access a Salesforce or a Workday rather than use the aging installed alternative. But that's a history lesson that is too risky to repeat with powerful AI technologies. Every organization needs to wake up to the reality of the dangers of Shadow AI to their organizational, reputational, and operational integrity. Is it going to take a massive public failure by some hapless enterprise to scare them into action? In the meantime, we could do worse than try to follow some steps suggested by management consultancy KPMG on this topic: * Create a dedicated AI transformation organization or authority to govern strategy, architecture, tools, trust, and standards across the business. * Develop clear AI governance policies - and stick to them! * Use discovery tools and platforms to maintain a tight inventory of AI tech across the enterprise. * Create a cross-functional AI technology review steering committee to ensure cross-enterprise alignment. * Stand up an AI labs function as a sandboxed realm in which teams can dabble with new AI tech safely, reducing the scope for unsanctioned experimentation. * Allow 'bring your own AI' only within strictly-approved boundaries, such as enabling staff to choose from a curated list of vetted generative AI tools, for example. * Promote education and awareness of AI risk, security principles, and the importance of data governance. * Encourage a culture of transparency whereby employees can safely share ideas and experiences of AI tech use.
Share
Copy Link
Organizations face mounting data breach risks as employees increasingly use unapproved AI tools like ChatGPT without security oversight. A Pennsylvania bank accidentally exposed customer social security numbers when staff used unauthorized chatbots, while studies show 67% of companies have suffered data leaks from unsanctioned AI. Despite the threat, 90% of executives remain overconfident about their visibility into AI tool usage.
Shadow AI has emerged as a critical workplace security challenge as employees increasingly turn to unauthorized AI tools at work without proper security review or company approval. The practice involves workers using platforms like ChatGPT, Gemini, and other AI applications to complete tasks faster, often without understanding the data exposure risks they create
1
.Edward Wu, founder and CEO of Dropzone AI, warns that "once the proprietary sensitive and confidential data is out, it's out." The issue mirrors shadow IT practices but carries heightened risks due to AI's need for context-rich data to function effectively
1
.
Source: CNET
The dangers materialized dramatically when CB Financial Services, a Pennsylvania-based financial institution, filed a material cybersecurity Form 8-K with US regulators revealing that employees used unapproved AI tools to bypass IT firewalls. The incident resulted in accidental data leaks exposing sensitive customer data including names, social security numbers, and dates of birth. An employee had entered this information into an unauthorized chatbot simply to save time
2
.While CB Financial Services avoided disruption to core operations or payment systems, the volume and sensitivity of the exposed information triggered internal reviews. This incident serves as a stark reminder that even well-intentioned shortcuts can lead to serious proprietary information exposure
2
.The scale of unsanctioned AI tools usage is far more extensive than most organizations realize. Writer's 2026 AI Adoption In The Enterprise survey found that 67% of respondents reported their company had already suffered data breaches due to unapproved AI tools. More concerning, 79% indicated that AI applications are being created in silos, with individual departments deploying AI tools independently
2
.Okta's AI Agents at Work 2026 report revealed that 52% of knowledge workers admit to using unsanctioned AI tools at work, with nearly a quarter (24%) doing so regularly. Among those using unauthorized tools, 54% share internal messages and emails, 45% share HR-related information, and 39% share confidential company documents including financials and contracts. Additionally, over 20% share login credentials and passwords, while 28% share banking and payment information
2
.Employees aren't using these tools maliciously. Microsoft's 2026 Work Trend Index found that 58% of respondents said AI tools help them take on tasks they couldn't have handled a year ago. Wu emphasizes that "the existence of shadow AI means there is productivity to be gained by certain functions. I don't think people are using AI tools for fun at work"
1
.The problem stems from employees moving faster than company policies can adapt. Some workplaces lack clear AI rules entirely, while others bury guidelines in security documents rarely consulted. When organizations ban public AI tools without offering useful alternatives, workers under pressure to deliver results turn to whatever helps them complete tasks efficiently
1
.Writer's survey found that 40% of employees will use whatever it takes to get their job done, while 32% think IT-approved tools are inadequate. More troubling, 21% claim their manager knows about unauthorized AI usage but turns a blind eye
2
.A toxic combination of overconfidence and complacency at leadership levels exacerbates the risks of Shadow AI. Despite widespread unauthorized usage, 90% of executives surveyed by Okta expressed confidence in their organization's visibility into AI tools, while 95% assume employees are using AI responsibly. This disconnect between perception and reality leaves organizations vulnerable to accidental data leaks and governance failures
2
.
Source: diginomica
In healthcare, where regulatory compliance is critical, the 2026 Nutanix Healthcare ECI study found that 79% of healthcare organizations report AI applications being implemented by employees in non-IT functions. While 83% recognize that AI tools operating outside official oversight create business risk, organizational silos between business units and IT make it difficult to execute effective technology initiatives
2
.Related Stories
Wu identifies "uncontrolled data exposure" as the biggest risk. When employees paste code, customer details, or internal documents into free-tier AI platforms, that information may be used for training data immediately with no way to retrieve it. "When you have your entire codebase and copy and paste it into a free-tier AI tool, you bet that code is going into training data immediately, and there's no way to undo that," Wu explained
1
.Approved AI tools typically include privacy controls, security settings, and clear data handling policies. Random free tools may lack these protections, and even when platforms claim not to train on user data, questions remain about storage duration and access permissions
1
.The chaos is undeniable. Fifty-five percent of respondents describe AI use as a "chaotic free-for-all" at their company, 36% lack any formal plan for supervising AI agents, and 35% wouldn't be able to shut down a rogue agent if detected
2
.Shadow AI doesn't always appear as a separate application. It can hide within browser extensions, email plug-ins, search engines, spreadsheet assistants, or meeting recorders. Employees may not even realize they're using AI when clicking a helpful button
1
.As AI becomes more embedded in both consumer and professional contexts, organizations must balance productivity gains with security imperatives. The question isn't whether employees will use AI tools, but whether companies can implement effective governance before the next data breach occurs.
Summarized by
Navi
18 Feb 2025•Technology

22 Aug 2025•Technology

27 May 2026•Technology

1
Policy and Regulation

2
Policy and Regulation

3
Policy and Regulation
