2 Sources
[1]
Bosses blinded by confidence about shadow AI use by workers
More than half of orgs in Okta survey faced an AI-related security incident or near miss last year
More than half of businesses had an AI-related security incident or a scare in the past year -- even as executives remain overwhelmingly confident in their ability to manage the risks of employees using AI tools, according to a study commissioned by identity and access management leader Okta. "For the purposes of this survey, an AI security issue is defined as an actual incident, i.e. a breach, data exposure, or system disruption, or a close call, meaning an issue was identified before it caused harm to the organization," Harish Peri, SVP and GM for AI Security at Okta, told The Register. Of those respondents who reported a security problem, 26.7 percent described an actual incident -- a breach, data exposure, or system disruption -- while 31.2 percent identified a close call caught before it caused harm. Yet, overall, 58 percent of executives reported that their organization experienced an AI-related security problem in the past 12 months and the data is pointing to "shadow AI" use by employees as the culprit, Peri said. "The old adage in cybersecurity is that you can't protect what you can't see. Our research shows that 52 percent of knowledge workers admit to using unapproved AI tools," Peri told us. "Security and compliance teams can't govern the usage of AI tools they don't know are being used. Organizations must implement an effective AI governance framework that prioritizes identity-centric controls, automated discovery, and secure sandboxes to test drive AI tools safely." The AI Agents at Work 2026 report was commissioned by Okta and conducted by Apprize360 in March. It surveyed 292 executives and 492 knowledge workers across seven countries: the US, UK, Australia, Canada, Japan, France, and Germany. It also showed a disconnect between how leaders believe AI is being used within their organizations and what employees actually do.
Whether it's coding assistants, browser extensions, or industry-specific utilities, the study said what unites all of the tools is their need for data and, in many cases, access to an organization's internal systems. Peri said the survey found risky employee behavior when it came to interacting with AI models. Knowledge workers actively used unapproved AI tools, shared confidential company documents with those tools, handed over HR information to AI, and in 16 percent of cases, provided their login credentials. "These risky behaviors -- whether intentional or not -- increase the attack surface across an organization," Peri told The Register. Despite that, 90 percent of executives had confidence in their organization's visibility into AI tools, even as more than half of knowledge workers admitted to using AI tools without approval, with 24 percent adding that they do so regularly. Apart from the security issues, the survey found that AI agents and AI tools are gaining widespread adoption. Ninety-two percent of executives surveyed said autonomous AI agents are already in widespread or moderate use across their organizations, while nearly two-thirds of knowledge workers reported using an AI tool at least daily. Among those workers, 68 percent used AI agents, while 62 percent regularly used LLMs and AI-infused chatbots. The results of the survey vary by geography, too. The United States led all surveyed countries, with 67 percent - more than two-thirds - of workers reporting they use unsanctioned AI tools. Australia came in second, with 60 percent of workers saying they engaged in unapproved AI usage. In the United Kingdom, some 55 percent of workers ignore the rules, while roughly 50 percent of Canadian workers reported using unauthorized AI tools. Workers in France and Germany reported the lowest rates of unauthorized AI usage with each at around 30 percent. 
The gap between executive confidence and employee reality is widest in the UK, where 96 percent of executives expressed confidence in their AI visibility, while more than half of workers used unapproved tools. Peri said there's no easy fix. "For most organizations, shadow AI emerges unintentionally and isn't intended to be malicious," he told The Register. "Shadow AI primarily causes headaches for leaders because they don't have the proper visibility, governance, and security controls for tools the organization isn't managing." Okta's survey recommends that organizations should assume shadow AI exists and make discovery a priority. They should make the secure use of AI the easiest path, and define an AI governance strategy now. Peri said strict AI bans may actually make the problem worse by pushing more usage underground. A more effective approach, he said, involves talking with employees to understand what they need and making approved tools easier to use than unsanctioned alternatives.
[2]
'Every organization is pouring money into AI right now, and almost none of them know what their people are actually doing with it': Study reveals employees are using their personal AI accounts at work, raising a whole host of issues
Two-thirds of personal AI use is for work, creating undetected risks
* Two-thirds of AI use on personal accounts is actually for work purposes
* Workers are also using company-provided tools to ask their personal questions
* Clunky enterprise authentication makes approved tools harder to access in an instant
New research from Harmonic has claimed nearly two-thirds (64.5%) of all activity on personal and free AI accounts is actually for work purposes, meaning there's a significant amount of AI use that's going totally undetected by companies. At the same time, enterprise-grade accounts are being used for personal questions, meaning employees and AI are meeting wherever is convenient regardless of security policies. In fact, nearly half (45.6%) of all personal AI activity is happening on licensed plans that are being paid for by companies. In reality, workers aren't treating work AI and personal AI as separate things, instead bringing their tasks to whichever AI tool is already open or easily accessible on their device, regardless of whether it's employer-provided or personal, free or paid.
Undetected work on personal AI is creating a visibility gap
Harmonic's research serves to highlight the visibility gap that's emerging as AI adoption spreads, with legal and governance workers having both the highest usage and highest visibility. These workers account for around one-fifth (19.5%) of all AI hours across teams, and 81% of this usage happens on approved tools. Go-to-market teams are the second-highest users, at 17.5%, but only 39% of GTM AI activity happens on company-approved tools, resulting in poor visibility. But that's still twice as much visibility as operations teams, where not even a fifth (18%) of activity runs on enterprise plans. As for why AI's being used at work, the clearest purpose is efficiency and automation (47%), which ranks far ahead of decision support (20%) and risk and compliance (20%). Revenue and growth (7%) and innovation (6%) are less common.
The true measure of use is minutes, not queries
Where Harmonic's research differs from other studies is in its use of 'minutes' rather than 'total queries', which it argues offers a much truer reflection of usage patterns. Longer sessions indicate heavier data exposure, it says, and Claude comes out on top when it comes to actual minutes (10m 12s) compared with ChatGPT (5m 53s). This is especially problematic when workers choose to use their own personal AI accounts, because sensitive company information and business context remains in their personal AI history even when they leave a company. Organizations don't even have the legal or technical powers to wipe or recover that data, leading to permanent IP loss.
The path of least resistance
Harmonic explained that many companies implement strict and clunky authentication processes for enterprise AI tools, making personal tools far easier to use. Popular personal tools like ChatGPT, Gemini, Claude and Perplexity also require little more than a Google account (or similar) to sign in. All of this while companies pay a premium for licenses that are barely getting used - Microsoft 365 Copilot is commonly deployed at $30 per user per month; ChatGPT Business plans come in at $20-25 per month. "Every organization is pouring money into AI right now, and almost none of them know what their people are actually doing with it," Harmonic Security CEO Alastair Paterson summarized, noting that this is the first study of its type to uncover how AI is "actually being used at work." Clearly, the issue isn't necessarily with the provision of wrong tools, but rather ease of access. Looking ahead, companies are advised to adopt universal single sign-on (SSO) to make logging in easier. But Harmonic still challenges the 'one size fits all' approach, urging employers to consider workflows and give the right tools to the right teams.
More than half of organizations experienced AI-related security incidents in the past year, driven by shadow AI use. New research reveals 52% of knowledge workers use unapproved AI tools, while 64.5% of personal AI account activity is actually for work purposes. Despite this, 90% of executives remain confident in their visibility over AI usage, exposing a dangerous disconnect between leadership perception and workplace reality.

More than half of businesses faced an AI-related security incident or near miss in the past 12 months, according to research commissioned by Okta, the identity and access management leader. The AI Agents at Work 2026 report, conducted by Apprize360 in March, surveyed 292 executives and 492 knowledge workers across seven countries including the US, UK, Australia, Canada, Japan, France, and Germany [1]. Of the 58% who reported AI security risks, 26.7% described an actual incident involving a breach, data exposure, or system disruption, while 31.2% identified a close call caught before it caused harm. The culprit behind these incidents is shadow AI, where employees use unapproved AI tools without organizational oversight or security controls.

Research from Harmonic reveals that 64.5% of all activity on personal and free AI accounts is actually for work purposes, creating a massive visibility gap in AI usage that organizations cannot detect or control [2]. Nearly half (45.6%) of all personal AI activity happens on licensed plans paid for by companies, yet workers treat work AI and personal AI interchangeably, bringing tasks to whichever tool is already open or easily accessible. Knowledge workers admit to sharing confidential data with these tools, handing over HR information, and in 16% of cases, providing their login credentials to AI systems [1]. This behavior increases the attack surface across organizations and creates permanent intellectual property loss when sensitive company information remains in personal AI history even after employees leave.

Despite widespread shadow AI adoption, 90% of executives expressed confidence in their organization's visibility into AI tools, revealing a stark disconnect between leadership perception and employee reality [1]. The Okta survey found that 52% of knowledge workers admit to using unapproved AI tools, with 24% doing so regularly. The gap between executive confidence and employee reality is widest in the UK, where 96% of executives expressed confidence in their AI visibility while more than half of workers used unauthorized tools. Geographic variations are significant: 67% of US workers use unsanctioned AI tools, followed by Australia at 60%, the UK at 55%, and Canada at 50%. France and Germany reported the lowest rates at around 30% each [1].

Harmonic's research uses minutes rather than total queries to measure true AI engagement, revealing that workers spend an average of 10 minutes and 12 seconds per session on Claude, compared with 5 minutes and 53 seconds on ChatGPT [2]. These longer sessions indicate heavier data exposure and greater risk when conducted on personal accounts. Legal and governance workers show both the highest usage and highest visibility, accounting for 19.5% of all AI hours across teams, with 81% happening on approved tools. However, go-to-market teams present a concerning pattern: they're the second-highest users at 17.5%, but only 39% of their AI activity happens on company-approved tools. Operations teams face even worse visibility, with less than 18% of activity running on enterprise AI tools [2].

Harish Peri, SVP and GM for AI Security at Okta, emphasizes that organizations cannot protect what they cannot see, and strict AI bans may actually worsen the problem by pushing more usage underground [1]. Security and compliance teams cannot govern the usage of AI tools they don't know are being used. Organizations must implement effective AI governance frameworks that prioritize identity-centric controls, automated discovery, and secure sandboxes to test drive AI tools safely. The challenge stems from clunky enterprise authentication processes that make personal tools far easier to access than approved alternatives. Popular tools like ChatGPT, Gemini, Claude and Perplexity require little more than a Google account to sign in, while enterprise AI tools demand strict authentication [2].

Companies are pouring money into AI licenses that barely get used while employees default to personal accounts. Microsoft 365 Copilot is commonly deployed at $30 per user per month, while ChatGPT Business plans cost $20-25 per month [2]. Harmonic Security CEO Alastair Paterson notes that "every organization is pouring money into AI right now, and almost none of them know what their people are actually doing with it." The path forward involves making secure AI use the easiest path through universal single sign-on to simplify access, while challenging the one-size-fits-all approach by giving the right tools to the right teams based on their workflows. Organizations should assume shadow AI exists, make discovery a priority, and talk with employees to understand their needs rather than imposing blanket restrictions that drive confidential data sharing further into the shadows.

Summarized by Navi