UpGuard has released its “State of Shadow AI” report detailing the widespread use of unapproved generative AI tools, or “Shadow AI,” by employees in the workplace.
Data shows that employees worldwide are actively bypassing corporate governance at all levels, with a staggering 8 out of 10 employees using unauthorized AI tools. This widespread non-compliance extends all the way to the top—68% of security leaders, including CISOs, admit to incorporating unauthorized AI into their daily workflows.
This is of increasing concern for organizations as employees expose their companies to greater security risks.
The report also highlights a critical AI security paradox. The 40% of employees who report that they received AI safety training and have a better understanding of the risks are also the ones who use unapproved tools most frequently.
This correlation suggests that compliance and security awareness campaigns need to evolve to accommodate employees’ increasing drive for productivity and confidence in new technology.
“Shadow AI has triggered a challenge in maintaining trust between employer and employee,” said Greg Pollock, head of Research and Insights at UpGuard. “Our data shows that increased security training and literacy does not curtail increased shadow AI usage; in fact, it increases it. Organizations need to better engage with their employees about AI to channel that curiosity appropriately.”
Who is bypassing controls and at what level?
UpGuard’s research indicates that traditional security awareness methods are not effective at curtailing unapproved AI usage and are instead enabling “AI power users.” The paradox is further aggravated by seniority, with Shadow AI usage increasing alongside managerial authority; senior leadership across the organization is 50% more likely to use shadow AI.
The report finds that:
- A surprising 90% of security leaders themselves report using unapproved AI tools at work, with 69% of CISOs incorporating them into their daily workflows.
- 27% of workers trust AI more than their managers or colleagues for reliable information, further highlighting the growing divide of non-compliance between employees and corporate authority.
- 23% of CISOs know that passwords and other credentials are being shared with AI tools within their company, indicating that organizations are becoming increasingly exposed by the minute.
- Furthermore, while 52% of employees are familiar with their company’s AI usage policy, 70% know of sensitive data shared with AI tools at their workplace.
Guiding enablement into the future
Unauthorized AI usage in the workplace will continue to rise unless reinforced governance is implemented. It is clear that the problem cannot be solved by blocking applications, as 41% of employees find a way around such blocks.
For companies keen on creating a transparent environment, shifting from a fear-based approach of restriction to one of guided enablement is a strategic necessity.
This new pivot must address the next steps: providing visibility, implementing intelligent guardrails, and offering vetted tools to make the secure path the path of least resistance.











