AI is embedded in everyday workflows, from content creation and customer service to data analysis and threat detection. But while AI adoption is growing at an uncontrollable speed, many organisations are unknowingly exposing themselves to serious cyber, compliance and data‑privacy risks by using unaudited, unsecured or unsanctioned AI tools.
Recent industry research shows that 71% of employees have used unapproved [shadow] AI tools at work [Microsoft] and 89% of IT and cybersecurity leaders are concerned that flaws in generative AI tools could introduce organisational security risks [Sophos]. At the same time, the rise of “shadow AI” – where employees use AI tools without IT approval – is creating hidden vulnerabilities that traditional security controls can’t see.
Secure, governed AI is essential to keeping your organisations secure, whilst providing a modern workplace for your employees – without the risk.
Top 5 risks of using unsecured or unaudited AI tools
1. Data leakage & loss of intellectual property
71% of employees use unapproved AI tools at work [Microsoft], often feeding them sensitive corporate data without understanding where that data goes. Only 32% of staff express concern about the privacy of customer or company information they input into these tools, creating a huge risk of accidental data exposure or loss of IP!
89% of IT and cyber security leaders worry that flaws in generative AI tools could introduce new security vulnerabilities, particularly around data handling and model behaviour [Sophos].
2. Identity & access risks from AI adoption
While Sophos does not quantify identity-based agent growth, their surveys highlight that 87% of IT leaders are concerned about reduced accountability and the risk of over-reliance on AI systems within security processes. This over-reliance can lead to gaps in identity management, poor oversight of automated processes and opportunities for attackers to exploit weaknesses in how AI systems authenticate or authorise access.
The rise of shadow AI [employees using tools without approval] creates unmanaged identity and access points, increasing the likelihood of unauthorised data exposure.
3. Data poisoning & model manipulation
There are broad concerns from security leaders regarding flaws in generative AI models, including unpredictable behaviour and potential for “hallucinations.” These issues create opportunities for attackers to manipulate AI outputs or exploit model weaknesses [Sophos].
Microsoft’s responsible AI reporting emphasises the need for high-level secure governance, risk assessment and mitigation frameworks [a systematic approach that outlines strategies and actions to reduce the impact of disasters and enhance community resilience] noting that poor oversight increases vulnerability to data integrity attacks such as manipulated inputs or corrupted training data.
4. Regulatory & compliance violations
Organisations lacking strong AI governance frameworks struggle with risk management and compliance, with over 30% of respondents citing lack of governance as a major barrier to responsible AI adoption. Weak governance increases the risk of violating data protection laws or emerging AI‑risk regulations.
98% of organisations are using AI in cyber security, yet leaders remain concerned about flawed GenAI models introducing new liabilities, particularly when sensitive data is processed without oversight [Sophos].
5. Shadow AI creates invisible security gaps
Microsoft’s research provides a clear warning: 71% of workers use unapproved AI tools and 51% use them weekly, creating hidden data flows and blind spots for security teams. Only 28% of employees worry about the security of their organisation’s IT systems when using these unapproved tools.
Sophos adds that over‑reliance on AI without proper controls reduces cyber security accountability, which increases the likelihood of unmonitored or risky tool adoption within an organisation.
The insights above highlight a clear message: secure, well‑governed AI tools are no longer optional, they’re essential.
With employees increasingly turning to unapproved AI solutions for productivity, businesses now have a responsibility to provide safe, enterprise‑ready AI tools that support smarter working while protecting sensitive data. But providing tools isn’t enough.
Organisations need a AI adoption strategy that places security, governance and responsible use at its core, something both Microsoft and Sophos repeatedly emphasise in their research.
That’s exactly where CSG comes in. Join our upcoming webinar to learn how secure AI solutions can empower your teams to achieve more, without compromising your organisation’s security or compliance posture.
