Survey: Half of Corporate AI Projects Are 'Shadow IT'

A new EY survey reveals that 52% of department-level AI initiatives are operating without formal approval or oversight. The report also found 85% of tech leaders prioritize speed-to-market over exhaustive vetting, and 45% reported a sensitive data leak from AI in the last year.

The rise of "Shadow AI" mirrors the "Shadow IT" trend where employees use unapproved software, but the risks are magnified. Between March 2023 and March 2024, corporate data fed into AI tools increased by 485%, with the proportion of sensitive data in those inputs jumping from 10.7% to 27.4%. This surge is driven by employees seeking productivity gains, with 75% of knowledge workers using AI, and nearly half admitting they would do so even if their employer restricted it.

This unsanctioned activity creates significant security vulnerabilities. One in five organizations has already experienced a data breach linked to shadow AI. These breaches are more costly, adding an average of $670,000 to the total cost of a data breach for organizations with high levels of shadow AI. The issue is widespread, with an estimated 60% of organizations having experienced a data exposure event due to an employee's use of a public generative AI tool. The data being exposed is highly sensitive, including proprietary source code, M&A documents, customer records, and internal financial data. One analysis found that 22% of files and over 4% of prompts submitted to generative AI tools contained sensitive information.

This is partly because only 15% of companies have updated their acceptable use policies to include specific guidelines on AI, leaving employees without clear rules. In response, 90% of organizations now block at least one generative AI application, with the average organization blocking ten different tools. However, employees continue to find ways to use them, often through personal accounts. For example, over 47% of sensitive uploads to Perplexity and 26% to ChatGPT come from non-enterprise accounts.

To manage this, leaders are turning to AI governance frameworks, which provide a structured approach to risk management, compliance, and ethical standards. These frameworks establish clear policies, roles, and controls for AI use, moving from reactive blocking to proactive management. Key components include identifying and classifying AI use cases by risk level, implementing human-in-the-loop oversight for critical decisions, and continuous monitoring of AI systems. Frameworks like the NIST AI Risk Management Framework (RMF) and ISO/IEC 42001 are becoming common standards for operationalizing AI governance. The goal is to create a centralized, curated "AI toolkit" of approved applications and platforms. This approach allows organizations to harness AI's productivity benefits while mitigating risks like data leakage, intellectual property loss, and regulatory penalties.

Shared from Scout.