Shadow AI Fuels Security Incidents While Executives Overestimate Their Visibility

![Featured image]()

What happened

A survey of 292 senior leaders and 492 knowledge workers across seven countries, conducted by Apprize360 for Okta, shows a stark mismatch between executive confidence and employee behaviour when it comes to AI tools. While 90 % of executives say they have clear visibility into AI usage, 52 % of workers admit to using unapproved AI applications – from code‑assistants to chat‑bots – and 16 % have even shared login credentials with those tools. The result: 58 % of organisations experienced an AI‑related security incident or a close call in the last twelve months, ranging from data exposure to system disruption.

Legal basis

These findings intersect directly with data‑protection regimes such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Both statutes impose strict obligations on controllers to ensure that personal data is processed only by vetted, secure systems and that any breach is reported within tight timeframes (72 hours under GDPR, 30 days under CCPA). When employees feed confidential customer records or internal HR data into unsanctioned AI services, they risk creating unlawful cross‑border transfers and exposing organisations to:

• GDPR Articles 5‑9 – principles of data minimisation, purpose limitation and special‑category data protection.
• GDPR Article 32 – requirement for appropriate technical and organisational security measures.
• GDPR Articles 33‑34 – mandatory breach notification duties.
• CCPA §§1798.150‑1798.155 – similar breach‑notification and consumer‑right obligations.

Failure to demonstrate adequate oversight of shadow AI can be interpreted as a breach of the controller’s duty of accountability, exposing companies to fines of up to €20 million or 4 % of global annual turnover under GDPR, and up to $7 500 per violation under CCPA.

Impact on users and companies

• Employees – By using unapproved tools, workers unintentionally become vectors for data leakage. A single misplaced prompt containing a customer’s name, address or health information can trigger a GDPR breach.
• Customers – Data exposed through shadow AI erodes trust and can lead to class‑action lawsuits, especially when the data includes sensitive categories (e.g., health, biometric identifiers).
• Companies – Beyond regulatory fines, organisations face remediation costs, reputational damage, and potential loss of business contracts that contain strict data‑security clauses.
• Security teams – The “you can’t protect what you can’t see” problem forces security operations to allocate scarce resources to manual discovery and forensic analysis, diverting attention from other threats.

What needs to change

1. Assume shadow AI exists and prioritize discovery – Deploy identity‑centric monitoring that flags outbound API calls, unusual data‑exfiltration patterns, and the installation of unknown browser extensions. Tools that integrate with identity‑as‑a‑service (IDaaS) platforms can automatically surface unsanctioned AI endpoints.
2. Implement an AI governance framework – Align governance with existing privacy‑by‑design obligations. Key pillars include:
   • Policy definition – Clearly list approved AI services, data‑handling requirements, and prohibited use‑cases.
   • Secure sandboxes – Provide vetted environments where employees can test new AI models without accessing production data.
   • Automated risk scoring – Use machine‑learning‑based asset‑discovery solutions to rate each AI tool against GDPR/CCPA criteria.
3. Make the compliant path the easiest path – Rather than imposing blanket bans, offer employees approved alternatives that meet performance needs. When the sanctioned tool is user‑friendly, the incentive to resort to shadow AI drops dramatically.
4. Educate and involve the workforce – Conduct regular training that explains the legal ramifications of mishandling personal data, and create feedback loops so security teams understand legitimate employee needs.
5. Document and audit – Maintain a register of all AI tools in use, their data‑processing agreements, and any cross‑border data flows. This documentation is essential for demonstrating compliance during regulator audits.

Why executives must reassess their confidence

The survey’s geography‑specific data underline the risk: the United Kingdom shows the widest confidence gap, with 96 % of leaders believing they have visibility while over half of workers use unsanctioned AI. Such blind spots are fertile ground for violations of GDPR’s accountability principle. Executives should replace confidence with evidence – continuous monitoring dashboards, audit logs, and regular privacy‑impact assessments (PIAs) that specifically address AI‑driven processing.

Bottom line

Shadow AI is not a fringe problem; it is now a mainstream vector for data‑privacy breaches. Companies that fail to bring these tools under governance risk hefty fines under GDPR and CCPA, as well as the loss of customer trust. The path forward is clear: treat shadow AI as a known risk, invest in identity‑centric discovery, build a transparent AI governance regime, and align every step with the legal obligations that protect personal data.