
Shadow AI Is 2026's Biggest Workplace Risk: How to Find It, Govern It, and Replace It Without Banning AI

June 19, 2026

Your employees are already pasting customer data into ChatGPT. The only question is whether you know about it.

That’s the uncomfortable core of shadow AI — unsanctioned AI tools people use at work without IT or security signing off. It’s not a hypothetical risk anymore. IBM’s most recent Cost of a Data Breach research found that one in five breached organizations had an incident linked to shadow AI, and those breaches cost about $670,000 more than the average. The same data showed 97% of organizations that had an AI-related breach lacked proper access controls around their AI, and 63% had no AI governance policy at all.

So the instinct to ban it is understandable. It’s also a mistake. Banning AI doesn’t kill shadow AI — it just pushes it onto personal phones and personal accounts where you have zero visibility. The organizations getting this right aren’t the ones with the strictest blocklists. They’re the ones who detected what people actually use, gave them something sanctioned and good, and wrote rules people can follow.

Here’s how to do that.

What shadow AI actually is (and why it blew up)

Shadow AI is the AI version of shadow IT. Someone needs to summarize a 40-page contract, so they drop it into a free chatbot. A sales rep wants to clean up a messy CRM export, so they paste it into a consumer tool. A developer asks a public model to debug a stack trace that happens to contain production credentials.

None of those people think of themselves as a security threat. They’re trying to get work done faster. That’s exactly why this is hard — the behavior is rational from the employee’s seat and dangerous from the org’s seat.

Three things made 2026 the year it exploded. First, the tools got genuinely useful, so usage went from occasional to constant. Surveys now put unapproved AI use north of 80% of employees, and roughly half use these tools regularly rather than once in a while. Cyberhaven’s research found over 30% of employees regularly feed company data into public AI tools. Second, the surface expanded past chatbots — browser extensions, AI features baked into apps you already pay for, and autonomous agents that take actions all became vectors. Third, and most quietly, executives are among the heaviest users, which means the “just enforce a policy downward” approach runs straight into the people who’d have to enforce it.

The gap between what IT thinks is running and what’s actually running is the whole problem. Netskope’s telemetry pegs the average enterprise at around 10 generative AI apps in use — but most companies discover the real number is five to ten times higher than IT estimated. For smaller organizations the math gets ugly fast: some are looking at hundreds of distinct shadow AI tools per thousand employees, with no security team to watch them.

The numbers that should get your attention

Stats get thrown around loosely in this space, so here’s what’s actually backed by reporting, with the caveat that the headline breach figures come from IBM’s research published in 2025 and are the freshest hard numbers available going into 2026:

  • $670K in additional cost when a breach involved shadow AI ($4.63M vs. $3.96M for incidents without it).
  • 20% of breached organizations had a shadow-AI-linked incident.
  • 97% of AI-related breaches happened at orgs without proper AI access controls.
  • 63% of breached organizations had no AI governance policy.
  • 65% of shadow AI breaches exposed customer PII, versus 53% across all breaches.

That last one matters more than the dollar figure. The thing leaking isn’t abstract “data” — it’s customer personal information, the category that triggers regulators, contractual penalties, and the kind of disclosure obligations that turn an incident into a headline.

What the numbers don’t capture is the slow-burn version: no single dramatic breach, just thousands of small disclosures of strategy docs, source code, and customer records into systems you don’t control and can’t claw back. Once a prompt leaves your boundary, you can’t un-send it.

Where the leaks actually happen

If you only picture someone typing into ChatGPT, you’ll miss most of it. The real exposure points:

Prompts and pasted text. The classic. Someone pastes a spreadsheet, an email thread, or a contract clause to get help. The content is now on a third party’s infrastructure, and depending on the tool and tier, possibly in a training set.

File uploads. Worse than pasting, because people upload the whole document — the full customer list, the entire financial model — instead of the snippet they needed help with.

Browser extensions. AI extensions that “summarize this page” or “rewrite this email” often have permission to read everything on screen, including internal dashboards and webmail. Most were installed by employees, vetted by no one.

AI features inside sanctioned apps. This is the sneaky one. You approved the SaaS tool two years ago. Last quarter it shipped an AI assistant that sends data to a model provider you never evaluated. Your approval predates the risk.

Agent tools and connectors. Autonomous agents that can read your files, call APIs, and act on your behalf are a different magnitude of risk than a chatbot. A misconfigured agent doesn’t just leak a prompt — it can take actions across connected systems.

Personal accounts. When work gets done on someone’s personal ChatGPT or Gemini account, there’s no audit log, no enterprise data controls, and no way for you to delete anything later.

The detection layer: see it before you can govern it

You can’t govern what you can’t see, so detection comes first. There’s no single magic box here — it’s layers, and how many you need depends on your size and risk.

AI discovery / SaaS posture tools scan your environment to inventory which AI apps are in use, who’s using them, and how risky each one is. This is the cheapest high-value first step: it turns “we think people use some AI tools” into an actual list. If you do nothing else this quarter, do this.
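
One way to build that list from a web proxy or DNS export you already have, as an added example (not code from this article or from any vendor). The CSV columns, the hostname-to-app map and the sanctioned set are assumptions, and the log lines are constructed.

```python
import csv
import io
from collections import defaultdict

# Assumption: a hostname -> app map you maintain; these entries are illustrative, not complete.
AI_APP_HOSTS = {
    "chatgpt.com": "ChatGPT",
    "chat.openai.com": "ChatGPT",
    "gemini.google.com": "Gemini",
    "claude.ai": "Claude",
}
SANCTIONED = {"Gemini"}  # assumption: the one tool this org has approved

# Constructed sample export; assumed columns: timestamp,user,host,bytes_out
SAMPLE_LOG = """\
2026-06-01T09:02:11Z,alice,chatgpt.com,18234
2026-06-01T09:05:40Z,bob,gemini.google.com,2048
2026-06-01T09:07:02Z,alice,chat.openai.com,512000
2026-06-01T09:09:30Z,carol,claude.ai,9000
2026-06-01T09:10:00Z,carol,notclaude.ai,777
2026-06-01T09:11:00Z,bob,intranet.example.com,100
2026-06-01T09:15:00Z,dave,CHATGPT.COM.,1000
"""

def match_app(host):
    """Map a hostname to an app name; exact or true subdomain match only."""
    host = host.lower().rstrip(".")
    for known, app in AI_APP_HOSTS.items():
        if host == known or host.endswith("." + known):
            return app
    return None

def inventory(log_text):
    """Per app: distinct users, bytes sent out, sanctioned flag; largest upload volume first."""
    apps = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        _, user, host, bytes_out = row
        app = match_app(host)
        if app:
            apps[app]["users"].add(user)
            apps[app]["bytes_out"] += int(bytes_out)
    ranked = sorted(apps.items(), key=lambda kv: -kv[1]["bytes_out"])
    return [{"app": a, "users": sorted(d["users"]), "bytes_out": d["bytes_out"],
             "sanctioned": a in SANCTIONED} for a, d in ranked]

if __name__ == "__main__":
    for entry in inventory(SAMPLE_LOG):
        print(entry)
```

Ranking by outbound bytes puts upload-heavy use at the top of the list, and anything with `sanctioned` set to false is the shadow AI inventory.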

CASB / SSE platforms (the Netskope, Zscaler, Palo Alto tier) sit in your network or cloud traffic and can see and control access to AI services. If you already run one for general cloud security, it likely has AI-specific controls you haven’t turned on yet — start there before buying anything new.

Browser and endpoint DLP catches the paste-and-upload behavior at the source. Browser-level controls are increasingly the right place for this, since so much AI use happens in the browser. Good ones can warn or block when someone tries to paste sensitive data into a chatbot, without killing the legitimate use.

AI gateways are the piece built specifically for this moment. A gateway sits between your users (or apps) and the model providers, inspects prompts in real time, and strips or blocks sensitive data — PII, secrets, regulated content — before it ever reaches an external LLM. Many also log every prompt for audit and apply policy per team. If you’re building internal AI features, routing them through a gateway is the cleanest way to get DLP and observability in one place.
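
The inspect-then-strip-or-block step described above, reduced to its core as an added example (not code from this article or from any gateway product). The detector patterns, the `BLOCK_ON` policy and the function names are assumptions, and the prompts are constructed.

```python
import re

# Assumption: a deliberately small detector set; each pattern is illustrative.
DETECTORS = {
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "US_SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "AWS_ACCESS_KEY_ID": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "CARD": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}
BLOCK_ON = {"AWS_ACCESS_KEY_ID"}  # assumed policy: secrets block, PII is redacted

def luhn_ok(digits):
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def inspect_prompt(prompt):
    """Return (action, outbound_text, findings); outbound_text is None when blocked."""
    findings, out = [], prompt
    for kind, pattern in DETECTORS.items():
        def repl(m, kind=kind):
            if kind == "CARD" and not luhn_ok(re.sub(r"\D", "", m.group())):
                return m.group()  # fails Luhn: treat as an ordinary number
            findings.append(kind)
            return f"[{kind}]"
        out = pattern.sub(repl, out)
    if BLOCK_ON & set(findings):
        return "block", None, findings
    return ("redact" if findings else "allow"), out, findings

if __name__ == "__main__":
    # Constructed prompts; the key is the placeholder from AWS documentation.
    for p in ("Summarize the complaint from jane.doe@example.com, SSN 123-45-6789, "
              "card 4111 1111 1111 1111.",
              "Why does this fail? aws_access_key_id=AKIAIOSFODNN7EXAMPLE",
              "Status of ticket 1234567890123456?"):
        print(inspect_prompt(p))
```

Writing the findings list and the redacted text to the audit log, rather than the raw prompt, keeps the log from becoming its own store of sensitive data.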

Don’t buy all four at once. Most organizations get 80% of the value from discovery plus whatever controls already live in their existing CASB or browser management, then add a gateway when they start standing up sanctioned AI tooling.

The governance playbook: rules people will actually follow

Here’s where most programs fail. They write a policy that says “do not use unauthorized AI tools,” email it once, and call it governance. Six months later usage is unchanged and now it’s just hidden better.

Governance that works has four moving parts.

Give people a sanctioned alternative that’s genuinely good. This is the single highest-leverage move and the one most companies skip. People use shadow AI because it helps them. If your sanctioned option is worse, slower, or wrapped in so much friction that it’s painful, they’ll route around it — and you’ve taught them that the official path is the dumb path. Roll out an enterprise tier of a capable tool (one with data controls and no training on your inputs), make access fast, and the demand for shadow tools drops on its own.

Write a tiered usage policy, not a ban. Spell out what’s fine, what needs review, and what’s off-limits, by data type. Public marketing copy? Use AI freely. Internal docs? Sanctioned tools only. Customer PII, source code, financials, anything regulated? Approved channels with DLP, or not at all. People can follow a policy that distinguishes between a blog draft and a customer database. They can’t follow “no AI.”

Train for the why, briefly. A short, concrete session on what happens to data when it leaves your boundary beats a 30-slide compliance deck nobody finishes. Show the actual failure mode — pasted customer list, third-party retention, no way to delete — and most people self-correct. You’re not trying to scare them off AI; you’re trying to make the risk legible.

Treat the policy as living. New tools ship monthly, and that SaaS app you approved will grow an AI feature you didn’t anticipate. NIST’s AI Risk Management Framework, and its generative AI profile, frame this as an ongoing cycle — govern, map, measure, manage — not a one-time document. Review your sanctioned list and your detected-tools inventory on a regular cadence. Quarterly is reasonable for most teams.

The framing that lands with leadership: this isn’t about saying no to AI. It’s about making sure the AI people use is AI you can stand behind.

A 30-day rollout for teams without a security org

If you don’t have a dedicated security team — most companies don’t — here’s a sequence that fits a founder or an IT generalist’s calendar.

Week 1 — See it. Run an AI discovery scan or, at minimum, pull what your existing tools already log. Check browser extension inventories and your SaaS app list for AI features you didn’t evaluate. The goal is one honest inventory of what’s actually in use.

Week 2 — Decide and provision. Pick one sanctioned AI tool with proper enterprise data controls and turn on access for everyone who needs it. Don’t overthink the vendor — capable, with no-training-on-your-data and admin controls, beats perfect-but-three-months-away.

Week 3 — Write the short policy. One page. What’s allowed by data type, where to go for the sanctioned tool, what’s off-limits. Run it past legal if you have access to it, then send it with a plain-language note, not a mandate.

Week 4 — Turn on the guardrails. Enable the DLP or browser controls you already have for the highest-risk data types. Block or warn on pasting regulated data into consumer tools. Set a recurring calendar reminder to re-review the inventory next quarter.

This won’t make you airtight. It will move you from “no idea” to “known and managed,” which is the entire difference between the two breach numbers IBM reported.

What the tooling costs

Rough shape of the market, since the research-driven readers here are usually pricing this out:

AI discovery and security posture tools range from modest per-user pricing for SMB-focused options to enterprise contracts for the full posture-management platforms. The standalone discovery scan is the affordable entry point.

AI gateways span open-source self-hosted options (your cost is engineering time and infra) through managed commercial gateways priced per request or per seat. If you’re already building internal AI features, the gateway often pays for itself in audit and DLP coverage alone.

CASB / SSE and DLP are usually enterprise platform deals, and if you already run one, the AI controls are typically included or a modest add-on rather than a new purchase. Check before you buy a point solution.

The honest caveat: pricing in this category moves fast and most vendors quote rather than publish. Treat any number you see in a roundup as a starting point and confirm against the vendor’s current docs.

The trade-off nobody advertises

More inspection means more surveillance. An AI gateway logging every prompt, browser DLP watching every paste — that’s real monitoring of how people work, and pretending otherwise erodes the trust you need for the policy to stick. Be straight with people about what’s logged and why. A program people understand and accept will catch more than a covert one they resent and route around.

And no tool fixes a bad incentive. If the sanctioned option is worse than the free one, people will use the free one, and you’ll be playing whack-a-mole forever. The detection layer buys you visibility. The sanctioned alternative is what actually shrinks the problem.

If you want one thing to do this week: run a discovery scan and look at the real list of AI tools in your org. Most people are genuinely surprised by what comes back — and you can’t govern, or replace, what you’ve never seen.


Sources: IBM Cost of a Data Breach via Kiteworks, Cybersecurity Dive on shadow AI breach costs, ISC2 on unapproved AI tool usage, Netskope data via Superblocks, Zscaler on NIST AI RMF controls.