86% Think They Control Their AI. 59% Have Shadow AI.
Most companies believe they have AI under control. The data says otherwise — 59% have shadow AI usage they can't see. Here's how to close the governance gap.

TL;DR
- 86% of executives believe they have adequate AI governance and control
- 59% have shadow AI — employees using unsanctioned AI tools without oversight
- The gap between perceived and actual AI control is a compliance time bomb
- Shadow AI governance isn't about restriction — it's about channeling enthusiasm productively
Excerpt: Your team is already using AI you did not approve, on data you did not secure, through tools you do not control. Here is what the data says about the shadow AI epidemic — and what to do about it before it becomes a breach.
Slug: shadow-ai-86-percent-think-they-control
Categories: ai-governance, compliance, ai-strategy
Your team is already using AI you did not approve, on data you did not secure, through tools you do not control. This is not a prediction. It is happening right now. The only question is whether you know about it — and our shadow AI governance guide provides the comprehensive framework for addressing it.
54% of organisations are using public frontier large language models — ChatGPT, Claude, Gemini, and their competitors. 52% cite sensitive data exposure as their top concern. The irony is sharp: the same companies worried about data exposure are the ones whose employees are pasting confidential information into public AI tools every day. They just do not know it.
This is shadow AI. It is the unauthorised, ungoverned, unmonitored use of artificial intelligence tools inside your organisation. And it is spreading faster than most leaders realise.
The enthusiasm-security gap
Here is the core tension. 82% of organisations report that executive leadership is actively pushing AI initiatives. The board wants AI. The CEO wants AI. The CMO wants AI. Everyone wants AI. But 72% of organisations are neutral or lack confidence in their ability to execute an AI security strategy.
Read those two numbers together. Eight in ten companies are accelerating AI adoption. Seven in ten are, at best, neutral about whether they can secure it. The gap between enthusiasm and capability is not a small oversight. It is a structural vulnerability.
The numbers get worse when you look at what is actually in place. Only 26% of organisations have comprehensive AI security governance. That means nearly three-quarters of companies pushing AI forward have no real framework for governing how it is used — an AI governance maturity crisis we've documented separately.
For large enterprises, the picture is slightly better — 44% of large enterprises have comprehensive governance. But that still means the majority of large organisations are flying blind. And for mid-market companies, the 50-to-200-headcount firms that are the engine of the UK economy, governance rates are likely even lower.
The attack surface is already active
Shadow AI is not a theoretical risk. It is an active threat surface. Elastic's 2025 Elusive Threats Defence Report provides the evidence.
67% of organisations have been targeted by AI-enabled attacks in the past year. Two-thirds of companies have already seen attackers use AI against them. This is not a future concern. It is a current reality.
61% say their AI assets have already been compromised. Not "could be compromised." Have been. More than half of organisations running AI have already had those systems breached or exploited in some way.
The financial impact is compounding. 25% of AI initiatives have been cancelled or postponed specifically because of security concerns. Shadow AI does not just create risk. It destroys value. A quarter of AI projects are being shelved because the organisation is not confident it can secure them, and an estate already full of ungoverned tools, connections and credentials makes that confidence much harder to earn.
Three attack scenarios that should worry you
Shadow AI creates three specific threat scenarios that most organisations are not prepared for.
Scenario 1: The data bleed
An employee pastes a customer list into ChatGPT to generate a sales email. The data goes to a public model. Depending on the plan and the account's settings, it may be retained and used for training. It is certainly logged somewhere the company does not control. If the list contains personal data, that is an unauthorised disclosure to a third party, which is a personal data breach under GDPR and may have to be reported to the regulator within 72 hours. Under most commercial contracts, it is also a breach of confidentiality obligations.
52% of organisations cite sensitive data exposure as their top AI concern. Yet the employees creating the exposure are doing it with tools that cost £15 a month and require zero IT approval. The barrier to creating a data breach is now a corporate credit card and a browser.
Scenario 2: The identity explosion
Every AI agent you deploy is a non-human identity. It needs API keys, OAuth grants, access permissions and data connections, and it usually gets broader scope than any single human user would be given, because that is easier than working out what it actually needs. Most organisations have no inventory of these identities, no named owner for each one, and no rotation or revocation process. Backend APIs and SaaS permission models were built around human roles, not the fine-grained, per-task permissions an agent should be limited to.
Elastic found that organisations with elevated AI identity risks have a 52% higher incident rate. The more AI identities you have — authorised or shadow — the more likely you are to experience a security incident. And most companies have no idea how many AI identities exist in their environment.
Scenario 3: The supply chain amplifier
Your employees are not just using shadow AI internally. They are connecting it to your SaaS stack, your CRM, your accounting software, your project management tools. Every connection extends the blast radius. When a shadow AI tool or its credentials are compromised, the attacker does not just get access to the AI. They inherit every OAuth grant and API token the tool holds, often with read and write access to the connected systems, and because nobody approved the integration, nobody is watching its access logs.
76% of security leaders expect AI exposure management to be their primary defence method by 2028. Yet 64% still rely on human-based remediation for AI security exposures. Humans cannot move fast enough to contain an AI-speed breach. The defenders are outgunned.
Why governance is an accelerator, not a brake
Here is the contrarian point that most organisations miss. AI governance does not slow you down. It speeds you up.
The CSA/Google Cloud data shows a clear governance multiplier. Organisations with comprehensive AI security governance are 2x more likely to deploy agentic AI. They are 3x more likely to have trained their staff on AI security. They are 2x more confident in their AI strategy overall.
Companies without governance are not moving fast. They are moving blindly. They are deploying AI into environments they cannot secure, with employees they cannot train, against threats they cannot detect. That is not speed. That is recklessness — and it's a core reason why AI projects fail.
55% of organisations whose boards fully understand AI security have comprehensive governance in place. Board-level understanding is the strongest predictor of governance maturity. The lesson is clear: when leadership takes AI security seriously, governance follows. When leadership only takes AI adoption seriously, shadow AI follows.
Practical steps to reclaim control
You cannot eliminate shadow AI by banning tools. Employees will find workarounds. The only effective approach is to make authorised AI easier and safer than shadow AI.
Step 1: Discover what is running
Before you can govern AI, you need to know what AI is already in use. Run an internal audit. Survey employees anonymously. Check proxy, DNS and firewall logs for traffic to public AI services, and pay attention to upload volumes, not just hit counts. Review third-party app consents in your identity provider and SaaS admin consoles, because an AI tool that has been granted OAuth access to mail, files or the CRM is a far bigger exposure than one being used in a browser tab. Check expense reports and card statements for AI tool subscriptions. You will find more than you expect, and if your organisation needs help, AI-native engineering support can provide a thorough shadow AI assessment.
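The log-review part of this step is the one that is easy to script. The following is an added example, not code from the article or from any vendor it mentions. It parses a constructed batch of web-proxy log lines, maps destination hostnames to AI products using an illustrative (and deliberately incomplete) hostname list, ignores tools on an assumed approved list, and reports per-user usage of everything else plus any single request whose upload size crosses a threshold, which is the signal that a document or customer list was pasted rather than a question typed. The log format, the hostname list, the approved set and the threshold are all assumptions to adapt to your environment.

```python
"""Triage web-proxy logs for unapproved AI service traffic.

Added example, not from the article. Assumes a space-separated proxy log
format (constructed below), an illustrative hostname-to-product map, and an
assumed list of approved tools. Adjust all three for your environment.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Illustrative mapping of destination hostnames to AI products.
# Assumption: a starting list for the example, not an exhaustive one.
AI_HOSTS = {
    "chat.openai.com": "ChatGPT",
    "chatgpt.com": "ChatGPT",
    "api.openai.com": "OpenAI API",
    "claude.ai": "Claude",
    "api.anthropic.com": "Anthropic API",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Copilot",
}

# Tools this (hypothetical) organisation has approved; traffic to them is not shadow AI.
APPROVED = {"Copilot"}

# Flag any single request whose client upload exceeds this many bytes.
UPLOAD_THRESHOLD = 50_000

# Constructed sample log: timestamp user method url bytes_out bytes_in
SAMPLE_LOG = """\
2025-03-10T09:01:12Z alice POST https://chatgpt.com/backend-api/conversation 1834 5120
2025-03-10T09:03:44Z alice POST https://chatgpt.com/backend-api/conversation 212004 7303
2025-03-10T09:05:02Z bob GET https://www.bbc.co.uk/news 0 84021
2025-03-10T09:07:19Z carol POST https://api.anthropic.com/v1/messages 4210 9012
2025-03-10T09:09:55Z dave POST https://copilot.microsoft.com/c/api/conversations 3020 6100
2025-03-10T09:11:30Z carol POST https://api.anthropic.com/v1/messages 98000 1200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, url, out, inn = m.groups()
    host = (urlsplit(url).hostname or "").lower()
    return {"ts": ts, "user": user, "method": method, "host": host,
            "bytes_out": int(out), "bytes_in": int(inn)}


def tool_for_host(host):
    """Return the AI product for a host, matching the host or any parent domain."""
    parts = host.split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in AI_HOSTS:
            return AI_HOSTS[candidate]
    return None


def find_shadow_ai(log_text, approved=APPROVED, threshold=UPLOAD_THRESHOLD):
    """Return (usage, large_uploads).

    usage: {user: {tool: {"requests": n, "bytes_out": total}}} for unapproved tools only.
    large_uploads: list of (timestamp, user, tool, bytes_out) at or above the threshold.
    """
    usage = defaultdict(lambda: defaultdict(lambda: {"requests": 0, "bytes_out": 0}))
    large_uploads = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        tool = tool_for_host(rec["host"])
        if tool is None or tool in approved:
            continue
        entry = usage[rec["user"]][tool]
        entry["requests"] += 1
        entry["bytes_out"] += rec["bytes_out"]
        if rec["bytes_out"] >= threshold:
            large_uploads.append((rec["ts"], rec["user"], tool, rec["bytes_out"]))
    return {u: dict(t) for u, t in usage.items()}, large_uploads


if __name__ == "__main__":
    usage, large = find_shadow_ai(SAMPLE_LOG)
    for user, tools in sorted(usage.items()):
        for tool, stats in tools.items():
            print(f"{user}: {tool} {stats['requests']} requests, {stats['bytes_out']} bytes uploaded")
    for ts, user, tool, size in large:
        print(f"LARGE UPLOAD {ts} {user} -> {tool} ({size} bytes)")
```

On the sample data this reports alice and carol as unapproved users (dave is on the approved Copilot) and flags two large uploads, which are the lines worth a conversation rather than a reprimand. Two caveats: proxy and DNS logs only show destinations, not content, so a large POST is a lead, not proof of a data leak; and traffic from personal devices, browser extensions and tools reached over residential networks will not appear at all, which is why the log review has to be combined with the survey, the OAuth consent review and the expense check.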
Step 2: Establish a governance baseline
You do not need a 50-page policy on day one. Start with three questions: What AI tools are approved? What data can go into them? Who is responsible for monitoring? A one-page policy that people actually follow beats a comprehensive policy that nobody reads.
Only 13% of organisations say their security team is responsible for AI adoption. But 53% say security is responsible for AI protection. Close this gap. Security should have a seat at the table from the start, not just when something goes wrong.
Step 3: Launch a "licence to drive" programme
Give employees access to approved AI tools that are actually good. Make the authorised tools better than the shadow ones. Then require a brief training module — a "licence" — before access is granted. This turns shadow AI users into governed AI users without the friction of a ban.
Step 4: Monitor continuously
AI use changes fast. A tool that was safe last quarter may have changed its data handling policy. A new model release may create new risks. Continuous monitoring is not optional. 72% of organisations lack confidence in their AI security execution. Monitoring is how confidence gets built — and understanding EU AI Act compliance requirements is increasingly part of that picture.
The bottom line
Shadow AI is not a technology problem. It is a governance problem. Your employees are using AI because it helps them work better. That is good. The problem is that they are doing it outside your security perimeter, with your data, and you cannot see it.
The solution is not to ban AI. It is to make governed AI the path of least resistance. Approve good tools. Train your people. Monitor what matters. And accept that the 72% confidence gap will only close when you stop pretending shadow AI is not happening in your organisation.
Book a shadow AI audit. We will map every AI tool running in your organisation — approved and unapproved — identify the data exposure risks, and build you a governance framework that lets your team use AI safely. Fifteen minutes to start. Your data is worth it.
[Book your shadow AI audit →]
Key Takeaways
- 86% confidence vs 59% shadow AI: the gap between perceived and actual control is the governance problem
- Shadow AI isn't going away — your employees will use AI tools regardless of policy
- Governance frameworks must enable, not restrict — channel enthusiasm, don't suppress it
- Audit your shadow AI exposure before regulators do it for you
- UK companies face dual pressure from EU AI Act compliance and domestic scrutiny