Shadow AI

Now, corporate data leaks are (also) being facilitated by the use of artificial intelligence in the workplace

The use of personal AI tools by employees exposes companies to serious leaks of confidential information

by Nicola Bernardi

4' min read

Translated by AI

Whilst the fear that hackers might gain unauthorised access to IT systems and steal all the data has, until now, been one of the risks causing companies the greatest concern, with artificial intelligence the danger now also comes from ‘friendly fire’ within their own workforce.

In fact, two-thirds of employees (67%) who use AI platforms to carry out their office tasks do so via personal accounts not authorised by their employer, leading to the uncontrolled leakage not only of personal data, but also of projects, contracts, business plans and many other confidential documents that form part of the company’s know-how.

The causes of corporate data loss with artificial intelligence

This is highlighted in Verizon’s “Data Breach Investigations Report 2026”, which ranks “Shadow AI”, i.e. the unauthorised use of artificial intelligence tools within a company.

The process is relatively straightforward. AI tools are perceived by employees as ordinary productivity applications: fast, intuitive, and often free. Unfortunately, the average employee does not realise that, by uploading company documents to a public chatbot, they are carrying out a potentially critical transfer of data to third parties, and that the information may often pass through infrastructure located in non-European jurisdictions considered unsafe for the protection of personal data. Nor is there full awareness of the risk that such information may be processed, stored or reused by someone else beyond the company’s control.

In most cases, there is obviously no intention to unlawfully take data from one’s employer, but all too readily, employees turn to AI platforms available online as the quickest and most convenient solution for easily producing reports, drafting quotations, generating summaries, preparing presentations for business meetings, and producing other business documents much more quickly than it would normally take.

The consequences of using unauthorised AI tools

The fact remains, however, that by indiscriminately feeding company documents into unauthorised AI chatbots, the end result can, paradoxically, be similar to that of an external cyber-attack, with a flood of strategic information leaking outside the organisation’s perimeter, leading to the risk of fines for GDPR breaches, the use of data for criminal purposes by hackers and malicious actors, as well as damage to the company’s reputation and a loss of competitiveness in the market due to unscrupulous competitors who may exploit trade secrets leaked via public generative AI tools.

In the context of industrial espionage, the concept of the ‘insider threat’ is also changing; until recently, it conjured up images of hostile figures such as disloyal employees, competitors and organised infiltrators. Today, however, the threat can stem from perfectly ordinary and seemingly harmless behaviour on the part of a company’s own staff, which can result in an uncontrolled flow of corporate data to external technological ecosystems.

The challenges of managing rapid change

The phenomenon is reaching such proportions that it is beginning to cause concern not only amongst cybersecurity managers, but also amongst boards of directors, legal departments and compliance bodies. In fact, the gap is not merely technological, but also cultural and organisational, and the problem affects both employees – who need greater awareness – and management – which must be prepared to identify effective organisational solutions to protect the company’s assets.

As the Verizon report itself points out, generative artificial intelligence is in fact being adopted by businesses much faster than their ability to manage it, with 45 per cent of employees now using it regularly (compared with 15 per cent the previous year), and organisations that fail to manage the rapid technological change currently underway in an orderly manner are exponentially increasing the risk of losing control over the boundaries of corporate data.

Despite all the significant benefits that can result from the adoption of AI systems, companies therefore find themselves facing a paradigm shift that is set to have a profound impact on corporate governance.

For years, companies have invested substantial resources in defending themselves against external attacks such as phishing, ransomware and malware, whereas today a growing proportion of the risks to corporate know-how stem from within, from the day-to-day behaviour of employees. The potential threat no longer comes solely from cybercriminals breaching the system, but from an employee who, with the best of intentions, uses a chatbot to speed up a process, edit a document or automate a task.

Data governance with AI

The solution is obviously not to ban artificial intelligence, an idea that is now unrealistic and probably also inappropriate, given the indisputable advantages it offers and its unstoppable progress; rather, it lies in establishing rules for using it appropriately and in a manner consistent with the strategic value of the information processed, so as to maximise the benefits and minimise the risks.

It is for these reasons that, in recent months, several multinational companies have begun to restrict or strictly regulate the use of generative AI platforms through stringent policies, whilst a growing number of other companies – keen not to miss out on the opportunities offered by artificial intelligence – are seeking proprietary or cloud-based solutions that guarantee full control over their data.

In this context, data governance ceases to be a matter confined to mere compliance and becomes a strategic factor in competitiveness. Companies that manage to effectively integrate artificial intelligence, privacy, cybersecurity and data governance in the coming years will be able to reap the benefits of AI whilst reducing the risks of information leakage. Conversely, organisations that continue to treat these aspects as separate silos risk exposing themselves to vulnerabilities that are increasingly difficult to control.

To meet this challenge, company management can no longer regard data protection as a purely technical or legal issue, but must treat it in every respect as a structural and strategic component of corporate governance.
