AI has become inescapable. What was once a niche research field has now become fully integrated into the personal and professional lives of the everyday person. For business leaders, the question therefore evolves from ‘are my employees using AI?’ (they are, whether you like it or not), to ‘are my employees using AI securely?’
Lead Cybersecurity Researcher at CultureAI.
Evidently, employees and, in turn, employers are seeing the potential of AI usage for productivity gains. An appealing ‘plus’ point for time and resource strapped teams.
Much of this change is being driven from the bottom up. Research suggests that 78% of AI users are already bringing their own AI tools to work. However, these tools are often used within the workplace without company knowledge or oversight.
These undocumented AI tools - or shadow AI - operating on company networks or using company data can pose significant security risks.
What’s clear is that employees will continue to use AI, without waiting for their employers to keep up with permissions, clear guidelines and security measures. Fortunately, there are ways that employers can quickly implement effective AI governance and usage controls without stifling innovation.
AI visibility (or lack thereof)
Your employees are likely to be using AI in one way or another. The risk is not knowing where or how and with what tools. Research suggests that nearly half (47%) of GenAI users are still accessing tools via personal, unmanaged accounts, either exclusively or alongside company-approved tools.
Unlike traditional software, generative AI relies on data input. With this comes the risk of inputted prompts including confidential information, personal data, IP or even source code. Without visibility, employers face a growing blind spot.
Understanding risks associated with workplace AI usage
With the adoption of any new technology comes risk. With workplace AI adoption, these include:
Shadow AI
Employees are increasingly experimenting with new AI tools at work, often because they are free, faster or more convenient than approved alternatives. While this can improve efficiency, the use of unauthorized AI apps (shadow AI) significantly expands the attack surface and leaves security teams without sufficient visibility or oversight.
What’s concerning is the data being entered into these tools. Recent research suggests that 93% of employees are putting company data into unauthorized AI tools, with nearly a third of those admitting to sharing confidential client information.
This means that intellectual property, regulated information and personal data is potentially being processed by unknown third parties. What they do with that information remains unknown.
Worryingly, many traditional monitoring tools struggle to detect prompt submissions containing sensitive data, particularly when AI tools are accessed via unmanaged accounts or personal devices.
Data leakage
Employees routinely paste sensitive information into AI tools, often without fully understanding the risks. As early as 2023, Samsung engineers accidentally exposed proprietary code and confidential meeting notes by submitting them to ChatGPT, placing the data beyond the company’s control.
Since then, similar incidents have surfaced across industries, revealing how much sensitive information is quietly flowing into third-party AI systems. Once submitted, organizations often have limited ability to fully remove or control how that data is retained or used.
Accounts and prompt breaches
Leaked AI chats or compromised prompts can provide threat actors with access to a wide range of sensitive information and, in some cases, enable further account compromise if broader cybersecurity controls are weak.
Given the volume and sensitivity of data often entered into AI tools, a single compromised AI account can lead to immediate exposure of private company information, including credentials, intellectual property and internal systems.
Compliance and governance gaps
As AI adoption accelerates, regulators are increasingly scrutinizing how organizations use AI, particularly where it intersects with data protection. Submitting personally identifiable information (PII) to uncontrolled or external AI services can breach regulations such as GDPR, HIPAA and sector-specific privacy requirements.
In heavily regulated industries like finance, defense and healthcare, even a single unsanctioned use of an external AI tool can create significant legal and compliance exposure.
The future of AI in the workplace
Whilst the explosion of AI in the workplace may appear rapid, it mirrors the same ‘bottom up’ adoption of technologies that came before it.
The difference between AI and the uptake of other ‘new’ technologies is that AI consumes corporate data on a massive scale in every interaction, which magnifies its risk of leaks, breaches and compliance issues massively. The solution isn’t blocking AI altogether.
Employees will find work arounds, like using their personal phones to input company data, especially if they’ve already found these tools valuable for efficiency. Security teams need to build out security and IT strategies that baseline AI usage controls, shadow AI discovery and comprehensive usage analytics.
These pillars are essential enablers of responsible innovation.
It may take a while for regulations to catch up, but it’s essential organizations don’t wait. Ultimately, your employees are using AI - whether you like it or not - acting now can help you understand and control the ‘how’ and ‘where’, making AI usage more secure, without stifling innovation.
We've featured the best AI chatbot for business.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.