Shadow AI Is Already Inside Your Business — IBM's 2025 Numbers

Right now, as you’re reading this, someone on your team is using an AI tool you didn’t approve. They’re not trying to cause a problem — they found something that helps them work faster, and nobody told them not to. But the moment they paste your company data into that tool — your client list, your financials, your proposals, your employee records — that data can leave your business permanently. And you may not find out for eight months.

That’s shadow AI. Here’s what it’s already costing companies that weren’t paying attention — and exactly what to do this week.

What shadow AI is

Shadow AI is any AI tool used inside your company that IT didn’t approve and leadership doesn’t know about. It’s the AI version of shadow IT — remember when employees started using personal Dropbox accounts because IT was too slow? Same dynamic, much higher stakes. (For the fundamentals, see What Is Shadow AI.)

And the number that should stop every CEO cold: Microsoft’s 2025 Work Trend Index found 71% of workers have used unapproved AI tools at work. Seven out of ten — not just the junior or tech-savvy staff. This isn’t a future problem. The only question is whether you know about it.

The Amazon story — and why it happens everywhere

In 2023, Amazon employees were caught pasting confidential internal data directly into ChatGPT. Not rogue actors — regular people doing their jobs. The AI responses that came back were later found to mirror proprietary Amazon documents. Amazon had to issue a company-wide emergency warning after the fact. The data was already out there.

Now think about your business. You don’t have Amazon’s security team, monitoring tools, or legal department on standby. And your employees are doing the exact same thing — because they’re human, the tools work, and nobody told them not to.

Picture it: your marketing person pastes a client’s name, revenue, and six months of strategy into a chatbot to polish a proposal. Your HR manager pastes an employee’s name, salary, and history into one to rewrite a review — potentially a HIPAA or CCPA issue. Your salesperson uploads your pricing sheet before a big pitch. Each time, that data leaves your company, into a tool with no enterprise agreement and no confidentiality guarantee.

The numbers every CFO needs to see

IBM’s 2025 Cost of a Data Breach Report (via the Ponemon Institute) studied 600 organizations breached between March 2024 and February 2025. On shadow AI specifically:

  • 1 in 5 organizations experienced a breach directly tied to shadow AI
  • 97% of those AI-related breaches hit companies with no proper access controls
  • 63% of breached organizations had no formal AI governance policy at all
  • $670,000 in additional breach cost on average when shadow AI is involved
  • $4.63M average total cost of an AI-associated breach
  • 65% of shadow AI breaches exposed customer personally identifiable information
  • 40% exposed intellectual property — your competitive advantage
  • 247 days — about eight months — to detect a shadow AI breach

That 97% number is the one to sit with. Almost every company that got hurt was operating exactly the way most companies operate today: they approved some tools, assumed people used them correctly, and had no way to verify it. The 3% that were spared weren’t lucky — they’d done the work. That’s the window you have right now.

Even approved tools aren’t enough

Maybe you’re thinking: we use Microsoft Copilot, IT approved it, we’re fine. In June 2025 a critical Copilot vulnerability was disclosed and rated 9.3 out of 10 in severity — on an enterprise-licensed, IT-approved product deployed in thousands of companies.

Buying an enterprise AI tool is the starting line, not the finish line. The governance layer underneath — policy, access controls, monitoring, training — is what actually protects you. IBM’s data shows 63% of breached organizations never built it. They had the tool. They didn’t have the system.

Your insurance carrier already knows

Cyber insurance carriers have read the IBM data, and they’re asking new questions at renewal: What’s your AI acceptable-use policy? How do you enforce it? Which tools are approved? Most policies require you to maintain reasonable security controls as a condition of coverage — and “no AI governance policy” is not reasonable care anymore. IBM found 32% of breached organizations paid regulatory fines on top of breach costs, with 48% of those fines exceeding $100,000.

What to do this week

  1. Find out what your team is actually using. Not what IT approved six months ago — what they’re using today. Survey them directly, no judgment. You can’t govern what you can’t see.
  2. Document it. Every tool, department, and use case. That list is your shadow-AI audit baseline.
  3. Put a one-page AI acceptable-use policy in place. It doesn’t have to be perfect — it has to exist. Which tools are approved, what data can and can’t go into them, and how to request something new. That document is your first line of defense with a regulator, a carrier, and a plaintiff’s attorney.
  4. Have the real conversation with a technology partner. A basic managed-services provider isn’t equipped for this. You need a partner who lives at the intersection of AI, security, and compliance — who can tell you which tools can be secured, which need enterprise licensing, and which should be shut off entirely.

The mindset shift

The companies genuinely winning with AI made one change: they stopped treating AI as a technical thing IT manages and started treating it as a business policy the executive team owns. Who decides what tools we use? Who decides what data goes into them? Who monitors compliance? That’s an executive conversation — and the leaders having it are building an advantage competitors will spend years trying to catch.

Your employees are going to use AI whether you build a strategy or not. The only question is whether they use it inside your guardrails or outside of them. The window to decide is right now.

Frequently asked questions

How common is shadow AI in the workplace?

Very common. Microsoft's 2025 Work Trend Index found 71% of workers have used unapproved AI tools at work — seven out of ten people, consistent across industries and company sizes. Most aren't being careless; they're trying to work faster.

How much does a shadow AI breach cost?

According to IBM's 2025 Cost of a Data Breach Report, shadow AI adds about $670,000 to the cost of a breach on average, bringing the total AI-associated breach cost to roughly $4.63M. These breaches also take an average of 247 days — about eight months — to even detect.

Does using an enterprise AI tool like Microsoft Copilot make us safe?

Not on its own. In June 2025 a critical Copilot vulnerability was rated 9.3 out of 10 in severity. Buying an enterprise tool is the starting line, not the finish line — the governance layer (policy, access controls, monitoring, training) is what actually protects you, and IBM found 63% of breached organizations had no AI governance policy at all.

What should we do about shadow AI this week?

Four steps: (1) find out what AI tools your team is actually using, (2) document every tool and use case, (3) put a one-page written AI acceptable-use policy in place, and (4) have a real conversation with a technology partner who works at the intersection of AI, security, and compliance.