Key Point: Uncontrolled AI usage by employees jeopardizes data security and compliance – network monitoring and clear AI policies are essential for risk mitigation.
Employees are increasingly deploying AI tools without IT approval – a phenomenon known as Shadow AI. This endangers data protection, compliance, and control over sensitive business information.
Shadow AI refers to the uncontrolled use of AI applications by employees without the knowledge or approval of IT and security departments. Frequently, free or easily accessible tools such as ChatGPT, Copilot, or specialized AI services are integrated directly into workflows – without considering security measures or data classification.
For CISOs, this phenomenon presents a dual challenge: On one hand, employees may inadvertently or intentionally share sensitive company data with external AI platforms, such as source code, customer lists, or internal documentation. On the other hand, compliance gaps emerge as uncontrolled data processing violates requirements of the GDPR, NIS2 Directive, industry-specific regulation, or internal corporate policies. In addition, there is the risk of prompt injection attacks or unexpected outputs from AI systems that cause critical failures in production processes.
To combat Shadow AI, several measures are necessary: Comprehensive network and data flow visibility enables the detection of suspicious data transfers to AI platforms. Cloud Access Security Brokers (CASB) or Endpoint Detection and Response (EDR) solutions can log unauthorized AI tool usage. In parallel, organizations should establish clear policies for the use of generative AI and provide employees with approved, secure alternatives – such as locally hosted or contractually secured enterprise AI solutions. Training on data sensitivity helps sharpen risk awareness.
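The network-visibility measure above can be made concrete with a small log triage. The following is an added example, not code from the article or from any vendor product: it parses constructed proxy-log lines in an assumed format (`<timestamp> <user> <method> <host> <bytes_sent>`), ignores requests to an assumed allow-list of approved enterprise AI hosts, and summarises per user how much data was posted to unapproved generative-AI hosts. The host lists and the upload threshold are illustrative placeholders that a real deployment would take from its CASB or proxy categorisation.

```python
import re
from collections import defaultdict

# Illustrative placeholders, not an authoritative list of AI services.
GENAI_HOSTS = {"chatgpt.com", "copilot.microsoft.com", "claude.ai"}
APPROVED_AI_HOSTS = {"ai.corp.example"}  # assumed contractually secured enterprise AI
UPLOAD_ALERT_BYTES = 100_000  # assumed threshold: uploads above this get an analyst's look

# Assumed proxy line format: "<timestamp> <user> <method> <host> <bytes_sent>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")


def parse_line(line):
    """Parse one proxy-log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, host, sent = m.groups()
    return {"ts": ts, "user": user, "method": method, "host": host, "bytes_sent": int(sent)}


def triage(lines):
    """Per-user summary of traffic to generative-AI hosts that are not on the allow-list."""
    findings = defaultdict(lambda: {"requests": 0, "bytes_sent": 0, "hosts": set(), "large_uploads": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] in APPROVED_AI_HOSTS or rec["host"] not in GENAI_HOSTS:
            continue
        f = findings[rec["user"]]
        f["requests"] += 1
        f["hosts"].add(rec["host"])
        if rec["method"] in ("POST", "PUT"):  # only request bodies carry data outward
            f["bytes_sent"] += rec["bytes_sent"]
            if rec["bytes_sent"] >= UPLOAD_ALERT_BYTES:
                f["large_uploads"] += 1
    return dict(findings)


# Constructed sample log: alice posts a large body to an unapproved tool, bob uses the
# approved enterprise service, carol sends a small prompt, and one line is malformed.
SAMPLE_LOG = [
    "2026-06-09T08:01:02Z alice POST chatgpt.com 240000",
    "2026-06-09T08:03:10Z alice GET chatgpt.com 0",
    "2026-06-09T09:12:44Z bob POST ai.corp.example 512000",
    "2026-06-09T10:30:00Z carol POST claude.ai 4096",
    "malformed line",
]

if __name__ == "__main__":
    for user, f in triage(SAMPLE_LOG).items():
        print(user, f["requests"], f["bytes_sent"], sorted(f["hosts"]), f["large_uploads"])
```

The output gives a security team a starting point for a conversation with the user and for tuning the allow-list, not a verdict about intent.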
Source: www.computerweekly.com · Published 9 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.