Shadow AI is not an edge case. It is the default behavior of high-performing employees, who are using various AI tools not maliciously, but as a way to boost their performance.
Many believe that approving a few tools like Claude or ChatGPT will remove your shadow AI risk, or at least greatly limit it. It won’t. With various new tools popping up every day (including within existing tools they use), there will inevitably be other tools and models that make their jobs easier or boost their impact.
And the data backs it up
Shadow AI Statistics: The 2026 Picture
- 34.8% of data shared with AI tools is now sensitive, up from 10.7% two years earlier. Source: Cyberhaven Labs, 2025 AI Adoption and Risk Report (based on 7M workers).
- 83.8% of AI-bound corporate data goes to tools rated critical or high risk. Source: Cyberhaven Labs, 2025.
- Breaches involving shadow AI cost about $670K more than the average, reaching roughly $4.63M. Source: IBM, Cost of a Data Breach 2025.
- About 20% of breached organizations had a shadow AI incident. Source: IBM, Cost of a Data Breach 2025.
- 13% of organizations reported a breach of their AI models or applications, and 97% of those lacked proper AI access controls. Source: IBM, Cost of a Data Breach 2025.
- Only 17% of organizations have technical controls to stop employees uploading confidential data to public AI tools. The other 83% rely on training, warning emails, or nothing. Source: IBM, Cost of a Data Breach 2025.
- Mid-level employees are the heaviest shadow AI users, out-using their managers by roughly 3.5x. Source: Cyberhaven Labs, 2025.
Read the adoption numbers before the breach numbers. The exposure is driven by your best people doing legitimate work. You are not fighting carelessness, you are fighting productivity.
What Shadow AI Really Is
Shadow AI is any use of an AI tool that your security and IT functions never reviewed, approved, or even saw. It shows up in a handful of recognizable forms:
- Unsanctioned tools. From browser extensions to desktop apps, the staggering number of AI tools is only going to grow.
- Using the wrong tier. Using a free or consumer plan, even when there is an approved enterprise version. As of 2025, 73.8%-94.4% of workplace ChatGPT or Gemini accounts are non-corporate.
- The wrong model. Routing sensitive data to a model that wasn’t approved. This is especially common when using a tool with multi-model routing functionality, which exist across domains and functions.
- Personal use on personal devices. Employees on their own accounts and devices. Especially considering how often people use AI for private reasons, the risk of them accidentally sharing sensitive data here is high.
- Embedded SaaS AI. Software you already approved, now with AI you didn’t. Basically every SaaS tool now features AI.
- Agents. The fastest-growing usage for AI is both the most effective and the riskiest.
Traditional data loss prevention was built to match patterns in structured channels, a credit card number leaving over email, or a classified file hitting an external drive. Shadow AI leaks differently. It can be via prompt text or files directly shared, but can also occur without any clear interface - from meeting recordings to agent workflows and integrations.
The 6 Shadow AI Security Risks
Now that we’ve covered what shadow AI is, let’s dive into the risks one-by-one.
1. Irreversible Data Leakage: You Can't Un-Leak It
Once you share data with AI, it’s irreversible. How it gets used varies by model, tier, and tool, but it’s no longer in your control.
Free and consumer-tier AI services have historically reserved the right to use user inputs to improve their models. In other words, your data can end up in a training set. But even on an enterprise tier with a clean training carve-out, the vendor still logs prompts, retains them for some window, and runs them through subprocessors (the downstream vendors your AI provider hands data to) you did not pick. That retained copy is exposure you do not control. The harm is not that a model will necessarily recite your source code back on demand. The harm is that you can no longer prove the data is gone or pull it back.
The clearest illustration is Samsung. In 2023, within roughly twenty days of allowing the tool, three separate Samsung engineers fed sensitive material into ChatGPT, including semiconductor source code, equipment defect-detection code, and the transcript of an internal meeting. Samsung's response was to ban the tool. The ban addressed future use. It did nothing about the data already submitted, which had left the building. This maps directly onto OWASP's LLM02; the risk is not the tool, it is the data that the tool now permanently holds.
Permanence is not only about model training, either. Copies of all data you’ve shared remain on the vendor's infrastructure. Even with training contractually carved out on an enterprise tier, that retained copy is exposure you do not control and usually cannot fully purge on demand.
2. Compliance and Regulatory Breach: A Single Paste Can Be Reportable
In a regulated environment, a single paste into a consumer AI tool can put you in breach of the law before any attacker is involved.
Start with GDPR. Article 28 requires that any processing of personal data by a third party be governed by a data processing agreement, a DPA, that binds the processor to specific obligations. Free-tier consumer AI use does not create a DPA. So the moment an employee pastes EU personal data into a consumer chatbot, the processing itself is non-compliant. The penalty for this one error can range from 10-20M Euro.
It’s even harder if you’re in finance or healthcare. Healthcare companies are already losing deals to shadow AI. Under HIPAA, processing protected health information through a third party requires a BAA. Free tier usage and unsanctioned tools don’t offer this, nor do many third party models accessed through model routers. A simple paste by one employee has already triggered an SEC disclosure by a US bank.
3. An Expanded Attack Surface
Every unsanctioned AI tool an employee connects is a new integration your security team did not review and cannot see. A clear example is OAuth scope creep. To make an AI assistant useful, an employee grants it access, often to a broad scope of tools and files. Click through it once and you have created standing third-party access into your data that nobody inventoried and that persists long after the employee forgot they ever connected the tool.
The exposure compounds as those grants accumulate. Each connected tool is a non-human identity holding a standing token into your systems, outliving the employee who created them. Agentic AI then sharpens the problem from access to action: an assistant that can not only read your drive but take action without any humans approving each step.
Then there is the vendor itself. Once your data is in an AI provider's logs, that provider's security posture becomes yours.You have inherited a third party's risk without a third-party review.
Note that prompt injection (OWASP LLM01) also belongs in the picture, but in proportion. It is a real risk in which malicious instructions hidden in content hijack a model's behavior, often to expose private info. But it is primarily a builder and runtime concern, not the dominant shadow AI risk for a knowledge-worker population.
4. Outputs that are unreliable, unowned, and unauditable
Not only what employees put into shadow AI matters. The outputs coming into your system present a real risk.
Lawsuits regarding unreliable data have already been won by consumers and are becoming an ever-growing risk with new regulation coming in across the globe. AI-generated code is entering production without any review or human owner, creating both supply chain attack and IP risks. Ads are being created and shipped without human review, both a brand and legal risk if you share the wrong text or image in just one of thousands of ad variations.
After the fact, you can no longer trace which outputs were AI-generated, which inputs informed them, or which were independently verified. That destroys auditability, and in a regulated context destroys defensibility, because you cannot demonstrate how a decision was reached.
5. The Risk That Survives Sanctioning
Sanctioning an AI tool controls which tool employees use. It does not control what that tool can reach, which is why even sanctioned AI carries shadow AI risk.
The mechanism is permission hygiene, not the tool's pedigree. Enterprise assistants like Microsoft 365 Copilot operate with the permissions of the user invoking them. Now, any data a user technically had access to but would never have hunted down across a thousand folders, the assistant now surfaces in seconds in response to a plain-language question. Copilot converts latent over-permissioning into operational access at the speed of a prompt.
It is not a theoretical concern that only security vendors flag. In 2024, the U.S. House of Representatives restricted staff use of the commercial version of Copilot over data-exposure concerns, ordering it removed from House devices pending a government-authorized version. That is a sanctioned, enterprise-grade product treated as a risk by the institution evaluating it.
“We only allow sanctioned AI" is not, by itself, a risk control. Sanctioning chooses the tool but it does not fix the data the tool can see.
Why the Old Playbook Doesn't Work: Shadow AI vs Shadow IT
The reason these risks resist your usual response is that shadow IT was a visibility problem you could solve with application inventories. Shadow AI is a data-behavior problem your inventory cannot capture.
Shadow IT is a set of unsanctioned applications. You discover them, block the ones you don’t want, sanctioned the ones you did, and the data mostly sat in structured stores you could later secure, migrate, or delete. The reflex worked because the problem held still. Shadow AI does not hold still.
To be effective, AI is used way differently, across desktop and mobile apps, agentic workflows, within the browser, within model routers, and within SaaS tools. Even if you solve that, t’s not enough to identify tool usage. You must go beyond that to verify that employees are using the right tier, model, skills, and integrations. That they’re not sharing sensitive files within prompts or without.
And even if you solve all of that going forward, any mistake will live on forever, with no way for you or the vendor to go back and delete records.


