As you can tell, I am obsessed with Verizon’s Data Breach Investigations Report. It is worthy of full immersion, and I am picking it apart with precision (here and here). I always spend a lot of time delving into it as it informs and confirms strategies to assist others with prevention and resilience.
One of the important findings from the Report is that 67% of users in companies are using non-corporate generative AI tools on their corporate devices for their work. This unauthorized use is “now the third most common non-malicious insider action detected in our data loss prevention data set in 2025, a fourfold increase in percentage from the previous year.”
According to the Report, users are submitting company source code, images, structured data, research and technical documentation to unauthorized generative AI tools “which presents a risk of intellectual property exposure.”
Not only can uploading company data into unauthorized AI tools risk the loss of IP but doing so increases the risk of loss of company proprietary or confidential information, and personal information of employees and customers. Using unauthorized AI tools with company data is called “Shadow AI” as your cybersecurity professionals are unable to detect, monitor, and prevent data loss through data loss prevention strategies.
If you are using an unauthorized generative AI tool for your work, you are using Shadow AI, and you are putting your company at risk. Stop using Shadow AI! If you want to use AI tools for your work, find out what tools are authorized, get trained on those authorized tools, and follow your organization’s AI Governance Program and AI Acceptable Use Program. If your company doesn’t have guidance, urge them to consider adopting a governance program. Help your organization find a tool that is safe to use and be an ambassador to prevent the use of Shadow AI by others.