What two studies found
A Cybernews survey of more than 1,000 US employees, conducted in August 2025, found that 59 percent use AI tools at work that their employer never sanctioned. Among executives and senior managers, the number climbs to 93 percent. Three quarters of those employees admitted to sharing potentially sensitive information, including customer data, internal documents, and employee records, with those tools. A separate BlackFog study, based on a survey of 2,000 respondents conducted by Sapio Research in November 2025, found similar patterns. Eighty-six percent of employees use AI tools weekly for work. Nearly half (49 percent) use tools not sanctioned by their employer. Sixty percent say speed is worth the security risk. Roughly a third shared research or datasets, more than a quarter shared employee data, and 23 percent shared financial statements.
Why employees reach for tools the business never approved
The BlackFog research found that only around a third of employees using company-approved AI tools said those tools fully met their work requirements. When the approved option does not do what someone needs, they find one that does. Free versions of public AI tools are easy to access, require no procurement, and can be started in under a minute. The Cybernews survey found that 63 percent of employees believe it is acceptable to use AI when no company-approved option or IT oversight exists. Twenty-one percent think their employer will simply turn a blind eye as long as the work gets done. The result is a pattern where employees solve the immediate problem, and the business inherits a data risk it does not know about.
What data is leaving through these tools
The data employees share with unsanctioned AI tools is not limited to low-stakes material. The BlackFog study found that a third of employees shared research or data sets, more than a quarter shared employee information such as staff names, payroll, or performance data, and 23 percent shared financial statements or sales data with unapproved tools. The Cybernews survey found that customer contact data and internal documents are common. Fifty-one percent of BlackFog respondents admitted to connecting AI tools to other work systems or applications without IT approval. That means the exposure is not just one-off. It can be ongoing and connected.
The part that surprises most owners
What makes this difficult to surface is that it is often tacitly supported. The Cybernews survey found that 57 percent of employees using unsanctioned tools said their direct manager is aware of and supports the behavior. The BlackFog study found that 21 percent believe their employer will ignore it as long as the work is completed. This is not a rogue group of employees hiding something. It is a broad pattern of informal adoption that has moved faster than the business has moved to address it. An owner who believes they have no AI exposure often has significant exposure they simply have not been told about.
This is not the same risk as vendor access being restricted
The Anthropic model access story from last week illustrated what happens when an AI vendor you depend on becomes unavailable through an external decision you do not control. Shadow AI is a different problem. It is the risk that sits inside the business already, created by internal behavior rather than external decisions. One is about what happens when a vendor goes away. The other is about what is happening right now, quietly, inside the operation. Both matter and both require a response, but they require different responses.
Three things to do before spending on more AI
First, find out what is already being used. Ask your team directly. A short, honest conversation about which AI tools people are using for work will surface more than any technology audit. What you hear may surprise you. Second, set one clear data rule. Before the conversation can change behavior, employees need a simple and specific rule about what can and cannot go into AI tools. Not a long policy document. One clear line: for example, no customer data, no financial records, no employee data, no vendor contracts into any AI tool the business has not approved for those data types. Third, create a path to a better answer. If employees are reaching for unsanctioned tools because the approved options do not meet the need, that gap is the thing to close. Blocking access without addressing the underlying need pushes the behavior further into the shadows, not out of them.
The ATLACIS view
An owner who asks 'what AI tool should I buy?' is asking the right question at the wrong moment. The first question is 'what is already being used inside the business, what data is going through it, and is that acceptable?' That question is harder to ask because the answer might be uncomfortable. But it is cheaper to find out now than after an incident. Shadow AI is not a technology problem. It is an information problem: the people running the business do not have a clear picture of where AI sits inside the operation. Getting that picture is the starting point, not the destination.
The short version
- A Cybernews survey found 59 percent of US employees use AI tools their employer never approved. Among senior managers, the figure is 93 percent.
- A BlackFog study of 2,000 respondents found that 49 percent use unsanctioned tools, and 60 percent say speed is worth the security risk.
- Data shared with these tools includes customer records, financial statements, employee data, and internal documents.
- Many employees are not hiding it: most say their direct manager is aware and supports the behavior.
- The first step is not buying a new AI tool. It is finding out what is already inside the business and setting one clear rule about what data may and may not go into any AI tool.
Where ATLACIS can help
Sources
- Cybernews: Shadow AI soaring, 59% of employees hide AI use from their bosses
- BlackFog/Business Wire: Shadow AI Threat Grows Inside Enterprises as BlackFog Research Finds 60% of Employees Would Take Risks to Meet Deadlines
- CIO: Roughly half of employees are using unsanctioned AI tools, and enterprise leaders are major culprits
- Journal of Accountancy: Lurking in the shadows, the costs of unapproved AI tools
- Forbes: Shadow AI, Your Employees Are Using Two AIs. You Only Control One of Them.