Shadow AI surge in the workplace: What is happening?
The shadow AI surge in the workplace is becoming a significant concern for organisations. According to Verizon’s annual Data Breach Investigations Report (DBIR), there has been a fourfold increase in employees using unauthorised personal accounts to access generative AI tools. This shadow AI activity is largely non-malicious but introduces new insider risks that every organisation should address.
Shadow AI refers to employees using AI platforms such as ChatGPT, Gemini, Claude, Grok and various coding agents without IT approval. These tools are often accessed with personal accounts, meaning IT teams have no visibility or control over what data is being shared or processed. The DBIR reports that 67 percent of professionals using workplace AI platforms do so via personal accounts, and 28 percent of data loss prevention policy violations involve source code being entered into AI tools. Staff are also uploading images, structured data, documents, PDFs and proprietary research.
Why the shadow AI surge matters for organisations
The shadow AI surge in the workplace creates new challenges for data security and compliance. Sensitive corporate data is being exposed to third-party AI services, often outside the protection of enterprise controls. Even well-intentioned employees may inadvertently share confidential information, intellectual property or technical documentation, putting the organisation at risk.
Insider risk and data exposure
Non-malicious insider actions now represent a significant portion of detected breaches. While the intent may not be harmful, the result can be damaging. Employees may trust AI platforms to help with tasks such as generating code, analysing documents or answering queries, but without oversight, sensitive information can be leaked or misused.
- Intellectual property exposed: Source code and proprietary research uploaded to AI tools can be accessed or used by third parties.
- Loss of control: IT teams cannot monitor or enforce security policies when personal accounts are used.
- Regulatory compliance: Breaches involving confidential data may violate GDPR and other regulations.
- Incident response challenges: Lack of visibility hampers effective investigation and containment.
The emerging role of AI bill of materials (AI-BOMs)
To address these risks, organisations are exploring new controls such as AI bill of materials (AI-BOMs). Similar to software bill of materials (SBOMs), AI-BOMs provide a record of AI system configurations and state changes. This helps defenders understand which system prompts or ingredients were used to create AI applications, making it easier to track changes and investigate incidents.
AI-BOMs are also useful for incident response, allowing teams to pinpoint when and how an AI system’s behaviour changed. Cisco has open-sourced its AI-BOM tool, and other vendors are introducing solutions to track AI model provenance. By keeping an inventory of AI assets and their configurations, organisations can reduce the unknowns associated with shadow AI.
What organisations should do about the shadow AI surge
Managing the shadow AI surge in the workplace requires a multi-layered approach. Organisations need to balance the benefits of generative AI with the risks of uncontrolled data exposure. Here are practical steps to mitigate shadow AI threats:
- Implement AI usage policies: Define clear guidelines for AI platform usage, including which tools are approved and what data can be shared.
- Educate employees: Raise awareness about the risks of using personal accounts for AI tools. Train staff on data handling and compliance.
- Tune data loss prevention (DLP) controls: Update DLP policies to detect when sensitive data is entered into AI platforms, especially source code and proprietary documents.
- Monitor AI activity: Use enterprise-level AI monitoring solutions to track usage and detect policy violations in real time.
- Enforce account and permission management: Ensure AI tools are accessed only via approved corporate accounts, with tightly managed permissions.
- Adopt AI-BOMs: Start cataloguing AI assets, models and their configurations to improve incident response and maintain visibility.
Strengthening vulnerability management alongside AI controls
The DBIR also highlights that vulnerability exploitation has overtaken credential abuse as the leading cause of breaches. Organisations’ patching habits are worsening, with fewer critical vulnerabilities fully remediated. Addressing shadow AI risks should go hand in hand with robust vulnerability management:
- Regularly scan systems for known vulnerabilities.
- Prioritise patching critical flaws identified in CISA’s Known Exploited Vulnerabilities (KEV) catalogue.
- Maintain asset inventories and monitor for unauthorised changes.
By combining strong AI usage controls, tuned DLP measures and disciplined vulnerability management, organisations can reduce the risks posed by the shadow AI surge in the workplace.
Preparing for the future: Building resilience against shadow AI
The shadow AI surge in the workplace is likely to continue as generative AI tools become more accessible and powerful. Organisations should proactively adapt their security strategies to address these evolving risks. Start by reviewing current policies, engaging employees in conversations about safe AI usage and investing in technology to monitor and manage AI activity.
Ultimately, the goal is to enable the safe adoption of AI while protecting sensitive data and maintaining compliance. With the right controls, awareness and monitoring, businesses can benefit from AI innovation without falling victim to shadow AI threats.
Originally reported by www.theregister.com.
