According to the latest IBM report, organizations experiencing data breaches that involve shadow AI — unauthorized AI tools used by employees — face additional costs averaging $670,000 per incident, compared to standard breaches.
These findings align with a recent Cybernews survey, which shows 59% of employees use unapproved AI tools at work. Additionally, 75% of these employees share sensitive company and customer data with these unauthorized applications, creating a perfect storm of financial risk.
“Shadow AI isn’t just a security problem but a hidden financial liability waiting to materialize,” said Emanuelis Norbutas, chief technology officer at nexos.ai. “As many as 93% of executives use unapproved AI tools, making leadership, not rank-and-file employees, the biggest source of risk. What makes this situation particularly insidious is that the people responsible for preventing security risks are often the ones introducing them.
“Companies keep approaching this problem as a compliance issue when it’s actually a capability gap. When your approved tools create more friction than value, employees will inevitably choose productivity over policy, and your security framework becomes irrelevant. The real question isn’t whether employees will use AI — it’s whether they’ll use yours.”
Why shadow AI breaches become more expensive
The financial impact of shadow AI extends far beyond traditional security threats. IBM research reveals that 97% of organizations experiencing AI-related incidents lacked proper access controls. Organizations effectively using AI in their security operations identified and contained breaches 80 days faster than those not using these technologies, demonstrating that strategic AI adoption delivers measurable security benefits while uncontrolled shadow AI creates costly blind spots.
When shadow AI is involved, the damage spreads further and deeper than in typical breaches: 65% of these incidents result in the exposure of personally identifiable information, and 40% compromise intellectual property, often spreading across multiple environments and complicating forensic investigations.
“Shadow AI is not a tool problem, it’s a governance crisis,” Norbutas added. “We are talking about autonomous agents operating inside enterprise walls with no oversight. These systems plan and execute actions independently, but current AI is far from ready for direct deployment in such settings. Even consumer AI chat tools like ChatGPT or Gemini, which are commonplace in workplaces, can lead to leaks of sensitive data when employees paste proprietary information into them. Every action these systems take creates a new, unmonitored attack surface.”
Shadow AI incidents also lead to increased regulatory scrutiny, with fines more frequently targeting organizations lacking proper AI governance. Organizations with high levels of shadow AI faced average breach costs of $4.74 million, while those effectively integrating AI into their security operations saw costs decrease to $3.62 million. Organizations heavily utilizing security AI saved $1.9 million compared to those not using these technologies.
“The contrast couldn’t be clearer,” Norbutas added. “Strategic AI adoption reduces breach costs, while uncontrolled shadow AI drives them up. Companies that succeed don’t just block unsanctioned tools. They provide secure alternatives that employees actually prefer to use. You can’t policy your way out of this problem. You have to out-compete it with better options.”
Practical steps to eliminate the shadow AI tax
According to Norbutas, organizations can mitigate this risk and turn a liability into a competitive advantage by adopting a strategic, user-centric approach to AI governance.
Frame the risk in financial terms, not just security policy. Start by building a clear business case that moves beyond abstract security rules. When employees use unapproved AI, they risk exposing sensitive company data and valuable intellectual property. This reframes the conversation from a compliance issue to a direct threat to the bottom line.
Hold managers to account. Shadow AI thrives when managers quietly approve of unapproved tools, directly undermining top-down security policies. Leadership must close this gap by making it clear that productivity goals cannot come at the cost of security.
Offer a secure alternative that beats the rogue tool in effectiveness and applicability. Blocking unapproved tools doesn’t work. The only winning strategy is to offer a secure “sandbox” with powerful AI that employees prefer to use, turning a security risk into a managed asset.
Make governance a living system with clear ROI metrics. Move beyond static policies that quickly become irrelevant. A modern AI governance framework must be a “living” system, one that evolves with employee feedback and is tied directly to business value and return on investment.
