Shadow AI Cybersecurity Risk Spikes as 45% of Workers Use Unsanctioned Tools
Source: TechTimes


Shadow AI has become the third most common non-malicious insider action detected in enterprise environments, a fourfold increase from the previous year, according to Verizon's 2026 Data Breach Investigations Report — and a new survey published this week found that two-thirds of office professionals have used AI tools at work despite believing their use was against company policy. The pattern is consistent across industries and geographies: employees are adopting AI tools faster than organisations can govern them, and the data now entering unsanctioned models includes source code, client proposals, HR records, and financial documents.

This adoption isn't driven by reckless behaviour, but rather by convenience, pressure, and the simple fact that AI tools are now extremely easy to access.

Research and recent breach data make shadow AI one of the more pressing cybersecurity issues of 2026, because it sits in the gap between how leaders think work is happening and how work is actually happening. In the UK specifically, a survey by Okta and Apprize360 found that 96% of executives expressed confidence in their visibility over AI use whilst 55% of UK employees reported using unsanctioned tools — a disconnect that makes the country's shadow AI exposure among the highest of any surveyed nation.


What Is Shadow AI?

Shadow AI is the use of AI tools, features, or assistants for work without formal approval, oversight, or governance from the business.

In practice, it is the AI version of Shadow IT. The behaviour is familiar: staff find tools that help them get work done faster, while the organisation's policies, risk reviews and controls lag behind.

The difference now is the speed and scale at which it is moving, because AI doesn't simply store files or move messages around. It processes data, summarises sensitive discussions, analyses documents, writes code and generates content, making business information significantly easier to use within minutes.

Its usefulness to a business is precisely why the risk matters.

Why Shadow AI Is Harder to Govern Than Shadow IT

Multiple independent surveys confirm how widespread generative AI use has become in the workplace. The PagerDuty 2026 Shadow AI Survey, conducted by Wakefield Research among 1,250 office professionals at companies with revenues above $500 million, found that 66% had used AI tools at work despite believing them not permitted under company policy. More than a third entered customer data into public AI models. Nearly half said they would rather use AI without telling anyone than risk being told it was not allowed.

If an employee enters a client proposal, HR notes or finance data into an unapproved AI tool, the business may lose visibility over where that information goes, how it is processed, and whether it should have been shared in the first place — especially if they are operating on the free versions of those same tools.

That is what makes shadow AI particularly difficult to govern: it usually begins with someone trying to be more productive. What starts as a useful shortcut can become a data handling, compliance or security issue, and some businesses still don't realise it is happening.

Three Cybersecurity Risks Organisations Cannot Ignore

Shadow AI creates three practical cybersecurity problems for businesses.

The first is data leakage. Sensitive information may be entered into tools that the organisation hasn't assessed and signed off on, or enrolled on a paid corporate plan. That could include customer records, pricing, commercial strategy, legal documents, intellectual property or internal emails. Once that information leaves an organisation's environment, it may no longer have the same control over retention, access, deletion, or auditability. In 2023, engineers at Samsung's semiconductor division leaked proprietary source code and internal meeting notes by pasting them into ChatGPT across three separate incidents, prompting the company to restrict generative AI use. According to IBM's analysis of shadow AI-related breaches, incidents involving unsanctioned AI use add an average of $670,000 to the cost of a data breach compared with non-AI incidents.

The second is poor visibility. Organisations cannot protect what they cannot see, and if AI usage sits outside approved systems, it becomes harder for IT and security teams to understand what data is moving, which tools are being used, and where risks are building.

The third is trust in outputs. AI-generated content can sound confident even when it is wrong. That matters when staff use it to summarise technical advice, draft policies, interpret contracts, analyse data or make decisions. The issue isn't just whether a chatbot produces a strange answer. It is whether a polished answer slips into a business process without proper human review.


Attackers Are Using AI Too

Shadow AI is only one side of the AI security conversation. The other is that cyber attackers are also using AI to work faster.

The UK's National Cyber Security Centre assessed in its 2025 Annual Review that AI will almost certainly continue to make elements of cyber intrusion more effective and efficient, particularly in areas such as reconnaissance, social engineering and vulnerability research. In the 18 months to August 2025, security researchers identified new techniques including fully automated spear-phishing campaigns, hijacking cloud-based large language models, and automating post-breach attack stages.

The practical implication is direct: attackers don't need advanced capabilities to cause issues. More convincing phishing emails, faster research on targets, better impersonation and more efficient use of stolen information are enough to raise the pressure.

That's why shadow AI shouldn't be treated as a niche issue. It sits alongside identity, email security, access control, monitoring and incident response. If a business already has messy permissions, weak admin controls or limited security visibility, AI can make those weaknesses even more exposed.

How Should Organisations Respond to Shadow AI?

Any blanket ban may simply push behaviour further out of sight, giving the business the worst of both worlds: staff still using AI, but with even less transparency.

A more practical approach is to accept that AI is already part of how work happens and to bring it under control by setting clear, workable rules: Which AI tools are approved? What information should never be entered into them? Which outputs need human review? What should staff do if they're unsure?

It doesn't need to begin as a 40-page policy; people will ignore that under pressure. The first version should be role-relevant and easy to apply and follow.

The starting point is visibility: ask teams openly what they are already using AI for, and keep the tone practical rather than accusatory. From there, organisations should classify risk — treating AI use cases differently depending on the sensitivity of the information and the importance of the output. If staff have no safe option, they will find an unsafe one. Approved tools, enterprise settings, access controls and clear usage guidance make safer behaviour easier.
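As an added illustration of the visibility step described above (example code written for this page, not taken from the article or from any vendor it names), the script below runs a small "visibility audit" over web-proxy log lines: it checks each request against a catalogue of AI services marked as approved or unsanctioned, then reports per user which unsanctioned tools were used and how much data was uploaded to them. The hostnames, log format and log lines are constructed placeholders; in a real deployment the catalogue would come from the organisation's approved-tools register and a web-category feed, and the logs from the proxy or secure web gateway.

```python
"""
Added example, not from the TechTimes article: a minimal shadow-AI visibility audit
over web-proxy logs. Hostnames, the log format and the sample lines are constructed
placeholders rather than real services.
"""
import re
from collections import defaultdict

# Constructed catalogue of AI services. In practice this comes from the
# approved-tools register (enterprise plan, contract/DPA in place) plus a
# category feed for everything else.
AI_SERVICES = {
    "assistant.corp-approved.example": "approved",
    "chat.free-ai.example": "unsanctioned",
    "summarise.quick-ai.example": "unsanctioned",
}

# Constructed proxy log format:
#   timestamp user method host path status bytes_sent
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<bytes_sent>\d+)$"
)

# Constructed sample log lines.
SAMPLE_LOGS = """\
2026-05-01T09:02:11Z alice POST assistant.corp-approved.example /v1/chat 200 8120
2026-05-01T09:05:40Z bob POST chat.free-ai.example /api/conversation 200 51200
2026-05-01T09:06:02Z bob GET chat.free-ai.example /static/app.js 200 0
2026-05-01T09:10:33Z carol POST summarise.quick-ai.example /upload 200 204800
2026-05-01T09:11:00Z dave GET intranet.example /home 200 0
2026-05-01T09:12:45Z bob POST summarise.quick-ai.example /upload 200 1024
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_sent"] = int(rec["bytes_sent"])
    return rec


def audit(log_text, catalogue=AI_SERVICES):
    """Summarise unsanctioned AI use.

    Returns (report, approved_requests) where report is
    {user: {host: {"requests": n, "uploads": n, "bytes_sent": n}}} for
    unsanctioned hosts only. A POST with a non-empty body counts as an upload,
    which is the closest proxy-log signal for "data entered into the tool".
    """
    unsanctioned = defaultdict(
        lambda: defaultdict(lambda: {"requests": 0, "uploads": 0, "bytes_sent": 0})
    )
    approved_requests = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        status = catalogue.get(rec["host"])
        if status is None:
            continue  # not a known AI service
        if status == "approved":
            approved_requests += 1
            continue
        entry = unsanctioned[rec["user"]][rec["host"]]
        entry["requests"] += 1
        if rec["method"] == "POST" and rec["bytes_sent"] > 0:
            entry["uploads"] += 1
            entry["bytes_sent"] += rec["bytes_sent"]
    return {user: dict(hosts) for user, hosts in unsanctioned.items()}, approved_requests


def top_uploaders(report, limit=3):
    """Rank users by total bytes uploaded to unsanctioned AI services."""
    totals = {
        user: sum(e["bytes_sent"] for e in hosts.values())
        for user, hosts in report.items()
    }
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:limit]


if __name__ == "__main__":
    report, approved = audit(SAMPLE_LOGS)
    print(f"approved-tool requests: {approved}")
    for user, hosts in report.items():
        for host, e in hosts.items():
            print(f"{user:8} {host:32} requests={e['requests']} "
                  f"uploads={e['uploads']} bytes={e['bytes_sent']}")
    print("largest unsanctioned uploaders:", top_uploaders(report))
```

The output of such an audit is the starting conversation with teams the article recommends: it shows which unsanctioned tools are in use and who is sending the most data to them, which is the input needed for the risk-classification step that follows.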

AI tools are increasingly embedded into business platforms, browsers, productivity suites and collaboration tools, which means AI governance is also identity governance. Staff don't need to be lectured on machine learning. They need to know what shouldn't be pasted into a prompt, when to challenge an AI-generated answer, and why a tool that feels harmless can still create exposure.

How to Tell Whether Shadow AI Is Winning

Mimecast's State of Human Risk 2026 report, based on a survey of 2,500 IT security and decision-makers across nine countries, found that 80% of organisations are concerned about data leaking through generative AI tools. Yet 60% still have no specific strategy to address AI-driven threats. That gap between awareness and action is where shadow AI thrives.

Shadow AI is not a sign that a business has failed. It's a sign that technology adoption has moved faster than internal governance, which has happened before.

Cloud storage, messaging apps, SaaS platforms and automation tools all created similar tensions. AI just makes the pattern faster, more conversational and harder to spot.

The right response is neither panic nor uncritical adoption. Organisations managing shadow AI well will make safe use easier than unsafe use. They'll provide useful tools, clear boundaries and practical guidance, treating AI as part of cybersecurity, data protection and governance.

Because the real risk isn't that employees want to use AI. The real risk is that the business doesn't know they already are.


Frequently Asked Questions

What is shadow AI and why does it matter for cybersecurity?

Shadow AI refers to the use of artificial intelligence tools, features, or assistants for work without formal approval, oversight, or governance from the organisation. It matters because data entered into unsanctioned tools — including customer records, financial documents, and source code — may leave the organisation's control permanently, creating data leakage, compliance, and security risks that IT teams cannot monitor or manage.

How many workers are currently using unsanctioned AI tools?

The scale varies by study, but multiple 2026 reports place the figure between 45% and 66% of the workforce. Verizon's 2026 Data Breach Investigations Report found 45% of employees are now regular AI users — authorised or not — on corporate devices, and shadow AI has become the third most common non-malicious insider action detected in breach data. A separate PagerDuty survey found 66% of office professionals at large companies used AI despite believing it was against company policy.

Does the UK have legal obligations around employee use of AI tools?

Yes. Under UK GDPR, organisations remain responsible for any personal data processed on their behalf — including data entered by employees into third-party AI tools. The Information Commissioner's Office has published specific guidance on AI and data protection, and organisations that cannot demonstrate control over where personal data flows may face regulatory scrutiny. The ICO committed in March 2025 to producing a statutory code of practice for businesses using AI, which is expected to clarify obligations further.

What is the single most important step a business can take to address shadow AI today?

Begin with a visibility audit: ask teams openly what AI tools they are already using, and treat the answers as operational intelligence rather than a disciplinary exercise. Understanding the actual landscape — which tools, which data, which departments — is the prerequisite for every other governance step. Organisations that provide approved, functional alternatives see substantial reductions in unsanctioned use; 2026 research from the healthcare sector found a significant drop in unauthorised usage when employees were given sanctioned tools that matched the functionality they had found independently.