Shadow AI on the Rise: 50% of Employees Using Unap...

akkem

Software AG reveals that 50% of employees are using unauthorized AI tools "Shadow AI". Notably, 46% of these users indicate they would continue using these tools even if explicitly banned by their organizations.

While AI tools offer benefits like increased productivity and efficiency, their unsanctioned use raises significant concerns.

Data Security Risks: Unapproved AI tools may expose sensitive company information to external threats.
Regulatory Compliance: Using AI without proper oversight can lead to violations of data protection laws.
Operational Challenges: Lack of visibility into AI tool usage hampers IT departments' ability to manage and secure company systems effectively.

This study underscores the need for organizations to develop comprehensive AI governance strategies. This includes providing approved AI tools that meet employees' needs and implementing training programs to ensure safe and effective use

https://www.securityweek.com/the-shadow-ai-surge-study-finds-50-of-workers-use-unapproved-ai-tools/

Kyaw_Myo_Oo

This is very informative. Thank you for sharing your time and expertise with us on this forum @akkem.

To foster a more secure and responsible AI adoption, I'd like to open the floor with these points for discussion and guidance:

From an operational perspective, how can IT departments gain better visibility into Shadow AI usage without creating a culture of mistrust? Are there monitoring tools or strategies that can provide insights without being overly intrusive?

The study underscores the need for comprehensive AI governance, including providing approved tools and training. What key elements should be included in an effective AI governance strategy to balance innovation with security and compliance? What does 'responsible AI adoption' truly look like in practice?

Let's use this as an opportunity to share best practices, discuss potential solutions, and develop actionable guidelines for navigating the complexities of AI adoption while mitigating the risks of Shadow AI.

I'm eager to hear everyone's perspectives and experiences on this crucial topic.

All perspectives welcome!

tsutherburg

Good Morning

A timely article. From a personal perspective I recently update our AI policy and submitted it to legal for review. I also did some deep diving on internet traffic related to AI as well and found over a 30-day period that slightly over 90 different AI sites had been accessed. This data has sparked a review by HR and Legal and further fine tuning of the AI policy.

Most likely we will start hard blocking some access, but it shows that without guidance employees will do what they feel is appropriate to get on with their job.

akkem

@tsutherburg, impressive and definitely a good start. Are you leveraging any third-party tools or guardrails to monitor and secure AI-related traffic? I'm currently researching this area, but haven’t come across a robust solution yet—most vendors seem to rely heavily on existing cloud-native offerings like AWS Bedrock, WAFs, and similar services. Thank you!

tsutherburg

Hello @akkem

I did my research based off of several tools, so no real clean path to success (at least not for me).

Most of my data came from a Cisco Umbrella. Agents are installed on all devices. Some additional data came from our IDS/IPS and some from reviewing FortiGate traffic. I recently demoed another agent (Cloudflare) and it seemed to have similar capabilities to Cisco Umbrella.

The piece that is still a bit elusive for me is determining which traffic is coming from embedded AI in an application vs the user reaching out to utilize the AI platform. Most likely I will need to interview heavy users of specific AI platforms and do some hands-on sleuthing.

akkem

Thank you, @tsutherburg, for the details.
Yes, It's definitely challenging to determine the traffic in this scenario. Wishing you the best of luck with it!

wilftredm

Thanks for sharing this very interesting read.

In my experience, organisations often take too long enabling new technologies and tools for employees, and often times the "coporate" version of the product has been hardened and restricted beyond usefulness. If organisations become more agile in how they deliver things like GenAI internally, there'll be less need for employees to take their chances with unapproved solutions.

Shadow AI on the Rise: 50% of Employees Using Unapproved AI Tools at Work