Data leakage: navigating ‘shadow AI’ risks
August 2026 | FEATURE | RISK MANAGEMENT
Financier Worldwide Magazine
As artificial intelligence (AI) proliferates, so does the risk of shadow AI – the use of AI tools such as generative AI (genAI) or other systems without the approval, monitoring or involvement of an organisation’s IT or security teams.
Rapidly outpacing traditional shadow IT, such as unauthorised file storage, the prevalence of shadow AI is driven by several factors. These include the accessibility and ease of integration of AI tools, modern development practices that allow models to be embedded directly into continuous integration and continuous delivery pipelines without adequate oversight, and the widespread use of containerised AI workloads.
Additional drivers include productivity pressures, with employees turning to tools that offer immediate gains when approved solutions fall short. Many employees also underestimate the risks associated with unsanctioned AI use.
Such behaviours are increasingly common. According to Mimecast’s ‘State of Human Risk 2026’ report, employees continue to input sensitive information into unapproved AI tools that may lack enterprise-grade security, exposing organisations to data breaches, compliance failures and regulatory penalties. The report found that while 80 percent of organisations are concerned about data leakage through genAI, 60 percent still lack a specific strategy to address it, and only 40 percent feel fully prepared for AI-driven threats.
“The rise of shadow AI is being driven by a very human mix of pressure, curiosity and convenience,” suggests Ellie Hurst, commercial director at Advent IM. “With procurement and approval processes often moving more slowly than user demand, AI tools promise speed, polish and productivity. Add in poor awareness, unclear policies and a lack of safe and approved alternatives, then shadow AI becomes almost inevitable.”
Detection and management strategies
To harness the benefits of AI while maintaining security, compliance and operational integrity, organisations must address shadow AI by embedding governance within existing security frameworks.
Mend.io, in its 2025 shadow AI analysis, recommends a comprehensive approach combining policy development, employee education and technological oversight.
Monitoring AI usage is a critical first step. Organisations should implement tools capable of detecting AI-related activity across networks, applications and cloud services. AI models and agents generate distinctive patterns in files and code, which can in turn be identified by detection systems trained for this purpose.
“Organisations need to discover where AI is already being used, by whom, for what purpose, with what data, and with what business reliance,” says Ms Hurst. “That means honest staff engagement, clear reporting routes, supplier and software reviews, browser and endpoint visibility where appropriate, and asking sensible questions in audits, data protection impact assessments, procurement and risk reviews.”
A comprehensive audit of AI usage is also essential. Establishing an inventory of tools and models in use creates a baseline for governance, documenting who is using each system, for what purpose and what data is being processed.
“Shadow AI is no longer a marginal issue but a central organisational risk – one that is likely to intensify as AI becomes more deeply embedded in business operations.”
Ms Hurst advises organisations to approve lower-risk tools while applying more rigorous assessment to higher-impact use cases. She also recommends maintaining detailed records of AI systems, including ownership, data usage, suppliers, outputs and levels of human oversight, and delivering practical training that shows employees what effective and responsible use looks like, rather than relying on fear-based messaging.
Clear policies are equally important. Employees need practical guidance on acceptable AI use, including what data can be processed, which activities are prohibited and which security protocols must be followed.
“Governance has to become practical, underpinned by an AI acceptable use policy that people can actually understand and which defines what data must never be entered into public tools,” adds Ms Hurst.
If left unaddressed, shadow AI can have serious consequences, including exposure of personal data, breaches of confidentiality, loss of intellectual property, unreliable outputs influencing business decisions, contractual non-compliance, regulatory challenges and reputational damage.
Passive assistant to active participant
Shadow AI is no longer a marginal issue but a central organisational risk – one that is likely to intensify as AI becomes more deeply embedded in business operations.
Ms Hurst notes that the risk landscape will grow more complex as AI evolves from a passive assistant into an active participant. The issue will extend beyond simple tasks, such as drafting emails, to encompass AI agents summarising inboxes, querying systems, generating documents, accessing files, triggering workflows and making recommendations that may not be sufficiently verified.
“As AI becomes embedded into everyday platforms, the line between approved, semi-approved and completely unmanaged use will blur,” predicts Ms Hurst. “Staff may not even realise they are using AI, or that their data is being processed in a new way. Without governance, organisations risk building a quiet layer of automation that no one has mapped, assured or risk assessed.”
Organisations should move beyond reactive controls and embed accountability at every level, aligning governance with real workflows and ensuring leadership sets a clear tone around responsible, transparent AI adoption.
Equally, companies must invest in safe, approved alternatives that are as accessible and effective as the tools employees are already using. When secure options match user needs, shadow AI becomes less a risk to police and more a behaviour to guide.
© Financier Worldwide
BY
Fraser Tennant