Shadow AI at work is becoming a security crisis that most companies have not yet addressed. A new Cybernews study reveals that 59% of workers are using AI tools their employers have not approved, and they are doing far more than just experimenting—they are actively sharing sensitive company data with these unapproved systems.
Key Takeaways
- 59% of workers use unapproved AI tools despite company policies or lack thereof.
- 75% of shadow AI users share sensitive data including customer information and proprietary code.
- 89% of employees acknowledge AI carries risks, yet continue using unauthorized tools anyway.
- Only 52% of employers offer approved AI tools; just one in three say those tools meet their needs.
- 57% of direct managers actively support using unapproved AI tools at work.
The Data Sharing Problem Behind Shadow AI at Work
The most alarming finding is not simply that shadow AI at work is widespread—it is what employees are doing with these tools. Among the 59% of workers using unapproved AI systems, 75% are sharing sensitive data with them. This is not casual ChatGPT experimentation. Workers are uploading employee records, customer databases, internal documents, legal and financial information, security data, and proprietary code to systems their IT departments have never vetted or approved.
This recklessness would seem inexplicable if not for one fact: 89% of respondents said they associate AI with risks. They know better. Yet 64% also acknowledge that data breaches could directly result from shadow AI use. The knowledge of danger is not stopping the behavior. Instead, 57% said they would only stop using unapproved tools if a data breach actually occurred—meaning they are gambling with company security until something breaks.
Why Companies Cannot Stop Shadow AI at Work
The real problem is not rogue employees. It is broken alignment between what workers need and what their employers provide. Only 52% of employers offer any approved AI tools at all. Among those who do, the tools fail to meet employee needs: just one in three workers said the approved options actually work for their job.
When official channels do not deliver, employees find alternatives. Shadow AI at work thrives because it solves real problems faster than corporate procurement can. A designer frustrated with a slow-loading design tool switches to an unapproved generative AI. A sales rep tired of manual data entry turns to a consumer AI chatbot. A developer needs code completion and downloads an unauthorized plugin. None of these decisions happen in a vacuum—they happen because the approved path is broken.
The governance gap is widest at the top. Executives and senior managers were identified as the worst offenders for using unapproved tools. Managers at all levels are part of the problem: 57% of workers’ direct managers actually support the use of unapproved AI tools. When leadership normalizes shadow AI at work, no policy can stop it.
The Policy Vacuum Enabling Shadow AI at Work
Corporate policy has not kept pace. A staggering 23% of employers have no official AI policy whatsoever. Even among companies with policies, enforcement is weak and inconsistent. Shadow AI at work persists because the cost of using unapproved tools feels lower than the friction of requesting approval or waiting for IT to evaluate an alternative.
The solution is not banning AI. It is closing the gap between employee workflow and corporate tooling. Companies need three things: clear AI policies that reflect how work actually happens, approved tools that genuinely meet job requirements, and leadership that models responsible AI use rather than encouraging shortcuts. Without all three, shadow AI at work will continue growing, and the data breaches will follow.
What Happens When Shadow AI at Work Causes a Breach
The risk is not theoretical. Customer data, proprietary code, financial records, and security information are already in the hands of unapproved AI systems. A breach is not a question of if but when. And once it happens, the response will be reactive rather than preventive. Only 57% of workers said they would stop using unapproved tools after a data breach—meaning even a security incident may not fully eliminate the behavior.
Does your company have an AI policy?
Not every organization does. 23% of employers have no official AI policy at all, leaving employees in a gray zone where shadow AI at work can flourish unchecked. If your company is in that category, you are already behind.
What is the difference between approved and unapproved AI tools?
Approved tools are vetted by your IT and security teams for data privacy, compliance, and integration with company systems. Unapproved tools are anything else—consumer AI services, free trials, or tools installed without authorization. The distinction matters because unapproved tools often have no data protection agreements and may retain or sell the information you upload.
Will employees stop using shadow AI if they get caught?
Probably not immediately. Only 57% said they would stop using unapproved tools if a data breach occurred, suggesting that even consequences may not fully eliminate the behavior. The real fix is making approved tools so useful that shadow AI at work becomes unnecessary.
Shadow AI at work is not a technology problem—it is a business alignment problem. Companies that close the gap between employee needs and approved tooling will eliminate shadow AI faster than any policy ever could. Those that ignore it will watch their data leak into systems they do not control.
Edited by the All Things Geek team.
Source: TechRadar
