Back to Posts employee peeking out from behind his laptop, looking suspicious

Shadow AI: The Unseen Risk Growing Inside Your Firm

Sept. 30, 2025

A new cyber threat has emerged that isn't coming from external hackers but from within your company's walls. It's called "shadow AI," the unauthorized use of artificial intelligence tools by employees without approval. This growing trend presents significant security risks that many firms are just beginning to recognize.

What Is Shadow AI?

Shadow AI refers to the use of AI tools and applications by employees outside of approved channels. Similar to "shadow IT," where staff use unauthorized software or hardware, shadow AI specifically involves artificial intelligence tools like Copilot, ChatGPT, Gemini, Claude, and other generative AI platforms employees leverage without formal approval or oversight.

These tools are often used with intentions to increase productivity, solve problems, or simplify workflows. However, when staff input sensitive company data into these platforms without understanding the security implications, they create serious vulnerabilities.

Oh Behave! Highlights Scope

The fifth annual "Oh Behave! The Annual Cybersecurity Attitudes and Behaviors Report" from the National Cybersecurity Alliance and CybSafe provides alarming statistics about shadow AI adoption.

AI usage has completely flipped since last year, with 65% of participants now using AI tools, up from 35% in 2024. More concerning is that 43% of workers admit to sharing sensitive work information with AI tools without their employer's knowledge.

Of those who share sensitive information:

  • 43% have shared internal company documents
  • 44% have shared customer data
  • 42% have shared financial information

Despite this widespread usage, 58% of AI users report receiving no training on the security and privacy risks.

The generational breakdown is particularly revealing, with 89% of Gen Z and 79% of Millennials embracing AI technology. Nearly half of Gen Z and Millennials have shared sensitive work information with AI tools. In India, which leads AI adoption (87%), unauthorized sharing of sensitive work information with AI tools reaches 55%.

The Security Risks of Shadow AI

The dangers of shadow AI extend beyond just data leakage. Many AI platforms store user inputs to improve their models, which could mean your confidential information becomes part of their training data. Proprietary information, trade secrets, and competitive strategies could be compromised when shared with third-party AI services.

Unauthorized sharing of sensitive information may violate regulations like GDPR, HIPAA, or industry-specific requirements, leading to potential fines and legal issues for your company. Third-party AI tools may not meet your security standards, potentially introducing new attack vectors for cybercriminals.

Real-World Issues

When staff paste company code, client information, financial projections, or strategic plans into AI tools, they're essentially sharing this information with external entities. These actions, while often well-intentioned, create significant security gaps.

For example, a 2023 Samsung incident involved engineers who pasted proprietary code into ChatGPT to help debug issues, inadvertently exposing sensitive source code. Similar incidents have occurred across industries as employees seek AI assistance without considering security implications.

Why Staff Use Shadow AI

Understanding why staff turn to unauthorized AI tools is crucial for addressing the problem. AI tools can dramatically accelerate tasks that would take hours to complete manually and break down complex problems more efficiently. When companies don't vet, secure, and provide official AI solutions, employees naturally seek their own.

Many workers simply don't understand the security risks involved, and with most AI tools requiring minimal setup and available through any web browser, the path of least resistance often wins out over security protocols.

How to Address Shadow AI in Your Business


Develop Clear AI Usage Policies
Create guidelines that specify which AI tools are approved, what data can be shared, and required security measures when using AI tools.

Provide Secure AI Alternatives
Deploy enterprise-grade AI solutions that maintain data within your security perimeter while offering similar functionality to public tools.

Implement AI Security Training
The Oh Behave report highlights that 58% of AI users have received no training on security risks. Educate employees about how data shared with AI tools can be compromised and tailor training to different demographics.

Monitor AI Usage
Establish systems to detect unauthorized AI tool usage and track data transfers to known AI platforms.

Foster an Open Security Culture
Rather than simply prohibiting AI use, acknowledge its productivity benefits and create a non-punitive reporting system for accidental violations.

The Future of AI Security

The rapid adoption of AI tools, as documented in the Oh Behave report, suggests that shadow AI will only grow more prevalent. Companies that take a proactive approach—balancing security needs with productivity benefits—will be better positioned to manage these risks.

As younger generations with higher AI adoption rates continue to dominate the workforce, businesses must adapt their security strategies to address the evolving challenges of shadow AI. The key is not to prohibit AI usage entirely, but to channel it through secure, approved channels.

Shadow AI represents a significant and growing security challenge that combines the longstanding problem of shadow IT with the unique risks of artificial intelligence. The 2025-2026 Oh Behave report makes it clear that this trend is accelerating across all demographics and regions, with particularly high adoption among younger employees.

By understanding shadow AI usage, implementing appropriate policies, providing secure alternatives, and fostering a security-conscious culture, enterprises can harness the benefits of AI while mitigating its risks. The goal should be to bring AI out of the shadows and into a secure, managed environment where it can safely drive innovation and productivity.

Need help managing AI security risks in your business?

Call (734) 744-5300 or Contact Us to schedule a consultation with our AI-certified security team.

Cybersecurity Risk Assessment

Do you know if your company is secure against cyber threats? Do you have the right security policies, tools, and practices in place to protect your data, reputation, and productivity? If you're not sure, it's time for a cybersecurity risk assessment (CSRA). STACK Cyber's CSRA will meticulously identify and evaluate vulnerabilities and risks within your IT environment. We'll assess your network, systems, applications, and devices, and provide you a detailed report and action plan to improve your security posture. Don't wait until it's too late.

Schedule a Consultation Learn More