Shadow AI: Employees Ignoring Security Rules
27 Apr
Summary
- Nearly 90% of security professionals use unapproved AI at work.
- Executives are the most frequent users of unsanctioned AI.
- Data breach costs are $670,000 higher with high AI usage.

A late-2025 report reveals that nearly 90 percent of security professionals are using unapproved AI tools, with over 80 percent of all workers doing the same. Executives are identified as the most frequent users of this "shadow AI." This trend echoes past issues with "shadow IT," but current AI tools process and retain data, posing greater risks than simple data storage. When sensitive information like customer lists or proprietary code is fed into unapproved AI, it enters systems with no organizational oversight, creating compliance vulnerabilities.
Organizations experiencing high levels of unsanctioned AI usage face significantly higher data breach costs, estimated at $670,000 more on average. Prohibiting these tools has proven ineffective, with nearly half of employees continuing their use. Beyond financial costs, reliance on unvetted AI outputs can erode accuracy in data analysis and code generation. The emergence of agentic AI systems, which perform actions autonomously, introduces further security concerns. These agents can be exploited through malicious plugins or prompt injection, potentially leading to data exfiltration and system compromise.
Effective strategies involve offering approved AI alternatives rather than outright bans; this approach has shown an 89 percent reduction in unauthorized use. Treating AI interactions as data transfers, applying data loss prevention (DLP) policies, and classifying sensitive data are crucial. For agentic AI, robust security measures such as sandboxing and least-privilege access are necessary. Security teams require monitoring tools designed for AI-native threats, such as prompt injection and supply chain compromises. Ultimately, AI governance should function as a service to employees, not a restriction, to foster secure adoption.
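As an added illustration of the "treat AI interactions as data transfers" advice (example code written for this page, not from the report or any vendor): a small DLP-style check that classifies a prompt bound for an AI endpoint and decides whether to allow it, redact it, or block it. The approved-host list, the detection patterns, and the severities are constructed assumptions, not a real policy.

```python
import re
from dataclasses import dataclass

# Assumption: hosts of sanctioned AI tools that have a data-handling agreement.
APPROVED_AI_HOSTS = {"ai.internal.example"}

# Constructed detection rules: name -> (pattern, severity). "block" stops the
# transfer even to an approved tool; "redact" masks the match before it leaves.
RULES = {
    "credential": (re.compile(r"(?i)\b(api[_-]?key|secret|password)\s*[:=]\s*\S+"), "block"),
    "card": (re.compile(r"\b(?:\d[ -]?){13,16}\b"), "block"),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "redact"),
    "source_code": (re.compile(r"(?m)^\s*(def |class |import |#include|package )"), "redact"),
}


@dataclass
class Verdict:
    action: str      # "allow", "redact" or "block"
    matched: list    # rule names that fired, in rule order
    text: str        # prompt as it may leave the organization ("" when blocked)


def inspect_transfer(host: str, prompt: str) -> Verdict:
    """Treat a prompt as an outbound data transfer and apply the DLP policy."""
    matched = [name for name, (pattern, _) in RULES.items() if pattern.search(prompt)]
    if not matched:
        return Verdict("allow", [], prompt)
    # Sensitive content headed to an unsanctioned tool is shadow AI: block and
    # let the caller log it, rather than silently redacting.
    if host not in APPROVED_AI_HOSTS:
        return Verdict("block", matched, "")
    if any(RULES[name][1] == "block" for name in matched):
        return Verdict("block", matched, "")
    text = prompt
    for name in matched:
        text = RULES[name][0].sub(f"[{name.upper()} REDACTED]", text)
    return Verdict("redact", matched, text)


if __name__ == "__main__":
    # Constructed sample prompts to exercise each branch.
    print(inspect_transfer("ai.internal.example", "Summarize this meeting agenda"))
    print(inspect_transfer("chat.unapproved-example.test", "Customer list: alice@example.com"))
    print(inspect_transfer("ai.internal.example", "Review:\nimport os\ndef main(): pass"))
```

A real deployment would sit in a forward proxy or browser extension and record each verdict with host and rule names, which is the usage signal needed to pick which approved alternative to offer.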