There’s a Second Company Inside Your Company
Shadow AI: Your Employees Already Run on Tools You Don’t Know About, Can’t See, and Never Approved
While leadership debates an AI strategy, the workforce has already built one. It is unsanctioned, it runs in the dark, and every day it pastes source code, customer records, and trade secrets into consumer tools nobody approved, on accounts nobody audits.
For most companies, the model being cautiously evaluated in a committee is not the real exposure. The exposure is the dozen tools already in daily use, running with no policy, no audit, and no record of what has already left the building.
Shadow AI is already the norm
Share of knowledge workers, by behavior
Published by Kymata Labs · Independent Research Institution.
If you employ knowledge workers, the answer is already yes.
Picture your most capable employee, mid-afternoon, stuck on something hard. Maybe it is a contract clause that won’t resolve, or a function that won’t compile, or a customer email that refuses to land. The fastest path to an answer is sitting one browser tab away, and it is genuinely excellent. So they paste in the clause, the code, the customer’s name, and the problem dissolves. They feel productive, and they were never trying to leak anything in the first place.
That moment is repeating across your organization right now, hundreds of times a day, and you cannot see a single instance of it. The security literature has a name for the behaviour. Shadow AIis the use of AI tools your organization never issued, sanctioned, or even knows exist. None of this is hypothetical. Microsoft and LinkedIn’s 2024 survey of 31,000 people across 31 countries found that 75% of knowledge workers already use AI at work, and 78% bring their own tools to do it.
The shadow-AI problem is not waiting somewhere in the future. It arrived a while ago.
“Your employees built your AI strategy before you did, and they never mentioned it.”
Kymata LabsFour independent studies measure the same thing, and the number isn’t reassuring.
A flagship leak, telemetry from millions of workers, the most-cited workplace survey in the field, and the hard breach economics. Four different lenses end up pointed at one convergent picture: the second company is already running, and it is carrying your data.
The flagship case: Samsung banned generative AI after engineers leaked source code
In roughly three weeks in the spring of 2023, Samsung’s own semiconductor engineers pasted confidential data into ChatGPT across three separate incidents. The leaked material included source code from a facility-measurement database, equipment program code, and a recording of an internal meeting. On May 2, 2023, Samsung banned generative-AI tools on company devices and networks and capped any remaining prompts at 1,024 bytes. Its warning to staff is the part that should travel: data sent to ChatGPT sits on external servers the company cannot retrieve or delete. Some of the fastest engineers at one of the most security-conscious manufacturers on earth did this. Not out of malice, but because the tool was useful and the friction to reach it was zero.
Bloomberg & TechCrunch, May 2, 2023; three-incidents detail via The Economist Korea.The telemetry: sensitive data is pouring into AI, and it’s accelerating
Cyberhaven instruments what employees actually paste rather than what they say they paste, and its current reading is stark: 39.7% of AI interactions involve sensitive data. That figure is worth holding against the original benchmark. Back in 2023, with telemetry from 1.6 million workers, Cyberhaven found that 11% of everything employees pasted into ChatGPT was confidential, with source code and client data among the top leaking categories. The trend line runs in a single direction. As the tools grew better and more embedded, the share of sensitive material flowing through them roughly quadrupled.
Cyberhaven, 2026 (current) and 2023 (1.6M-worker benchmark).The survey: they’re using it, and over half are hiding it
Microsoft and LinkedIn’s 2024 Work Trend Index surveyed 31,000 people across 31 countries. 75% of knowledge workers use AI at work, and 78%bring their own AI tools, a habit the report labels “BYOAI.” The figure that should change how you read your own org chart is the next one: 52% are reluctant to admitthey use AI for their most important tasks. Roughly half your workforce is doing its highest-stakes thinking with a tool it won’t name, and governance has no purchase on a practice your people are actively concealing.
Microsoft & LinkedIn, 2024 Work Trend Index (31,000 people, 31 countries).The majority: shadow AI is the norm, and they won’t give it up
Software AG’s October 2024 study of roughly 6,000 knowledge workers across the US, UK, and Germany found that 50% use shadow AI, meaning tools their company never issued. The more telling number is what they said about quitting: 46% of them would refuse to stop even if their employer banned the tools outright. A ban, in other words, does not end the behaviour so much as move it. Harmonic Security analyzed 176,460 prompts in Q1 2025 and found 45% of ChatGPT prompts came through personal accounts that bypass corporate governance entirely. Bolt the front door and the traffic simply finds the window.
50% / 46% from Software AG (Oct 2024). 45% personal accounts from Harmonic Security (Q1 2025).The economics: shadow-AI breaches cost more, and the controls aren’t there
IBM’s 2025 Cost of a Data Breach report, drawn from roughly 600 breached organizations, priced the gap. Breaches involving shadow AI cost about $670,000 more, or $4.63M versus $3.96M, and shadow AI was a factor in 20% of breaches. The governance picture underneath turns out to be worse than the cost. 97% of organizations with an AI-related breach lacked proper AI access controls, and 63% had no AI governance policy at all. There is nothing exotic about this exposure. It is the default condition of most companies, now with a price tag attached.
IBM, Cost of a Data Breach Report 2025 (~600 breached organizations).
Sensitive data flowing into AI is accelerating
Share of pasted / AI content that is sensitive
– IBM, 2025
– Cyberhaven
No one ordered this. Everyone built a piece of it.
Shadow AI was never a strategy, and it was never a rebellion. It accumulated as the sum of a million small and entirely reasonable choices. A capable tool arrived, free or nearly so, with no install, no procurement, and no ticket to file. It made hard work fast, collapsing the distance between “I’m stuck” and “I’m unstuck” from hours to seconds. Inside that newly tiny gap, an employee under deadline does the most human thing available: pastes in the problem and takes the answer.
When the breach comes, the controls aren’t there
Governance gaps behind AI-related breaches
Leadership, meanwhile, did the responsible-sounding thing and convened the committee, commissioned the risk review, and debated the policy. The result is a structural mismatch in tempo. Adoption moves at the speed of an individual’s next task, while governance moves at the speed of a quarterly steering meeting. By the time the official AI strategy clears its final approval, the unofficial one has been running for two years and touched almost everything.
The early movers saw where this led. In the first months of 2023, JPMorgan, Amazon, Bank of America, Citigroup, Deutsche Bank, Wells Fargo, Goldman Sachs, and Verizon all restricted ChatGPT inside their walls. None of these are organizations that underspend on security. They acted because the exposure was never about a single careless employee. It had become the default behaviour of an entire workforce.
Adoption rises from the bottom in seconds while governance descends from the top over quarters, and the distance between them is where the risk lives.
Two kinds of companies are forming, and only one of them can see itself.
The open question was never whether your employees use AI, since that one is already settled at 75%. What still varies between companies is whether they have given the workforce a sanctioned way to do it. One kind of company offers an approved, monitored, enterprise-grade path and meets the demand out in the open. The other bans the tools, declares the matter closed, and drives the identical behaviour onto personal accounts and personal phones it will never see.
Harmonic’s 45%-personal-accounts finding shows what that second path looks like in practice, and Software AG’s 46%-won’t-stop finding explains why the ban never holds. The resulting risk lands unevenly. It pools in the companies that mistook a prohibition for a control, which are precisely the ones least equipped to measure what is leaving. No one defends a perimeter they have already persuaded themselves nobody is crossing.
The same evidence, read by three people who own the problem.
Exposure is not destiny. The same studies that diagnose shadow AI also point toward the response: meet the demand in the open, instrument the flow of data, then govern what you have made safe to govern. What that actually requires depends on where you sit.
For employees
The unstuck moment is real, and so is the custody you are quietly giving away.
- Assume anything you paste into a consumer AI tool has left the building for good, since Samsung’s own warning was that it can’t be retrieved or deleted.
- Source code, customer records, contracts, and anything under NDA are the categories that leak most. Treat the paste field like an outbound email to a stranger.
- If the sanctioned tool is slower, say so, and say it loudly. Quietly routing around it is exactly how the second company grows.
For security & legal
You can’t protect data flowing through a door you can’t see.
- 97% of AI-related breaches involved organizations without proper AI access controls, so assume you are in that 97% until you have measured otherwise.
- Instrument the actual flow of sensitive data into AI tools. Cyberhaven-style telemetry exists precisely because policy text is invisible to the paste field.
- Bans displace rather than stop, and 45% of prompts already route through personal accounts. Provide a safe path, or accept that you are mostly blinding yourself.
For leadership
The official strategy is running two years behind the unofficial one.
- A policy is not a control. 63% of breached orgs had no AI policy, 97% with breaches lacked the controls, and 46% of users say a ban won’t stop them anyway.
- Sanction and instrument fast. Every week of committee debate is another week the workforce governs itself, off the record.
- Price the inaction. A shadow-AI breach runs about $670K higher, and shadow AI shows up in one breach out of five, so the cost of moving stays well below the cost of not knowing.
FAQ
A policy is not a control. IBM's 2025 breach report found that 63% of breached organizations had no AI governance policy at all, and the more uncomfortable figure sits right beside it: 97% of organizations that suffered an AI-related breach lacked proper AI access controls. A line in the handbook stops nobody. The Software AG data is blunter still. Of the employees using unsanctioned AI tools, 46% said they would keep using them even if their employer banned them outright. You can write the rule, but the second company never reads the handbook.
Blocking is the obvious fix that happens not to work. The demand behind shadow AI is real and large: 75% of knowledge workers already use AI at work, and 78% bring their own tools. Block the sanctioned path and the behaviour doesn't die. It migrates to personal accounts and personal phones, where you have no visibility at all. Harmonic Security measured exactly that displacement, finding that 45% of ChatGPT prompts came through personal accounts that bypass corporate governance entirely. Banning the tools without offering a safe alternative simply converts a problem you can see into one you can't.
IBM put a number on it. In 2025, breaches involving shadow AI cost roughly $670,000 more than those without, $4.63M versus $3.96M, and shadow AI was a factor in 20% of all breaches studied. That is not a rare tail event. It is a recurring line item that shows up in one breach out of every five. Worse, the dollar figure is only the part you can measure. The trade secret now sitting on a third-party server, the source code an engineer pasted to debug it on a Tuesday afternoon, none of that shows up cleanly on the incident report.
No, and that was the heart of Samsung's warning. When it banned generative-AI tools in May 2023, the company told staff plainly that data transmitted to services like ChatGPT is stored on external servers, which makes it impossible to retrieve and delete. Once a fragment of source code or a customer record crosses your perimeter into a consumer tool, custody is gone. There is no recall button. The only durable control is preventing the paste in the first place, because chasing it afterward leads nowhere.
It's structural, and the biggest names reached that conclusion early. In the first months of 2023, JPMorgan, Amazon, Bank of America, Citigroup, Deutsche Bank, Wells Fargo, Goldman Sachs, and Verizon all restricted ChatGPT inside their walls. None of these are organizations short on security budget or sophistication. They moved because the exposure is a property of how the workforce now operates rather than the carelessness of a few individuals. Any security model that assumes employees will refrain from pasting sensitive data into the most useful tool they have ever been handed is quietly betting against human nature, and losing.
The model under evaluation was never the real risk. The dozen already in production is.
None of this is an argument against AI at work, because the productivity is real and the demand is universal. It is an argument for ending the convenient fiction that the shift hasn’t already happened. The second company inside your company will keep running whether or not leadership acknowledges it. The only real choice left is whether you can see it clearly enough to govern it.
Find the second company while its leaks are still its problem and not yet yours.
Sources
Every figure in this paper is drawn from the primary sources below, each cited to its true owner. Where two studies measure adjacent things, we have kept the attribution distinct in the text.
- Bloomberg (2023). "Samsung Bans ChatGPT, Generative AI Use by Staff After Leak." May 2, 2023. (The three-incidents-in-twenty-days detail traces to The Economist Korea / Economist economy reporting.) https://www.bloomberg.com/news/articles/2023-05-02/samsung-bans-chatgpt-and-other-generative-ai-use-by-staff-after-leak
- TechCrunch (2023). "Samsung bans use of generative AI tools like ChatGPT after April internal data leak." May 2, 2023. https://techcrunch.com/2023/05/02/samsung-bans-use-of-generative-ai-tools-like-chatgpt-after-april-internal-data-leak/
- Cyberhaven (2026). "Sensitive data flowing into AI tools." Current telemetry: 39.7% of AI interactions involve sensitive data. https://www.cyberhaven.com/blog/sensitive-data-flowing-into-ai-tools
- Cyberhaven (2023). "4.2% of workers have pasted company data into ChatGPT." Telemetry from 1.6 million workers; 11% of pasted content was confidential. https://www.cyberhaven.com/blog/4-2-of-workers-have-pasted-company-data-into-chatgpt
- Microsoft & LinkedIn (2024). "AI at Work Is Here. Now Comes the Hard Part." 2024 Work Trend Index Annual Report. Survey of 31,000 people across 31 countries. https://www.microsoft.com/en-us/worklab/work-trend-index/ai-at-work-is-here-now-comes-the-hard-part
- SecurityWeek / Software AG (2024). "The Shadow AI Surge: Study Finds 50% of Workers Use Unapproved AI Tools." Survey of ~6,000 knowledge workers across the US, UK, and Germany, October 2024. https://www.securityweek.com/the-shadow-ai-surge-study-finds-50-of-workers-use-unapproved-ai-tools/
- Harmonic Security (2025). "The AI Tightrope: Balancing Innovation and Exposure." Analysis of 176,460 prompts, Q1 2025: 45% of ChatGPT prompts came through personal accounts. https://www.harmonic.security/resources/the-ai-tightrope-balancing-innovation-and-exposure
- IBM (2025). "Cost of a Data Breach Report 2025." Conducted by Ponemon Institute across ~600 breached organizations. https://www.ibm.com/reports/data-breach
Read it as a PDF
The complete argument, the cross-domain evidence, and all primary sources, typeset as a white paper. Free, no signup.
↓ Download the PDF