AI usage policies rarely enforced with responsibility unknown.
AI tools are commonly used in organisations, especially among cybersecurity practitioners.
In statistics shared exclusively with SC UK, 86 percent of practitioners reported using AI, with 24 percent admitting to doing so via personal accounts or unapproved browser extensions. The research by Mindgard of 500 cybersecurity professionals found a rise in Shadow AI is creating a serious blind spot inside the very teams meant to protect the enterprise.
The survey found three-quarters of respondents suspect that their cybersecurity teammates are using AI tools in their workflows to write detection rules, generate training materials, or review code.
Around 30 percent of security professionals said internal documentation and emails were being fed into AI tools within their organisations, and a similar number acknowledged the use of customer or confidential business data. A further 12 percent said they didn't know what data was being submitted at all.
Oversight and Responsibility
The survey further found that monitoring and oversight lag far behind adoption: only 32 percent of organisations have systems in place to track the use of AI, while another 24 percent rely on manual processes such as surveys or manager reviews.
Meanwhile 14 percent of respondents say there is no monitoring at all, leaving their organisations exposed to silent and unmitigated risk.
In addition, 39 percent said their organisation has no designated owner for AI governance, with smaller numbers of those surveyed identifying data science (17 percent), executive leadership (16 percent), and legal or compliance (15 percent) as the owner.
Shan Lee, CISO at DocPlanner, said in an email to SC UK that he is not surprised that AI is used so freely when we hear almost panic, especially in the tech industry, about getting "left behind", and that this narrative pushes many towards "Shadow AI".
Lee says: “Because legal and security teams are struggling to keep up with the pace of change, formally approving products quickly enough is difficult. In the meantime the most basic message is to never use free products where sensitive information could be involved, and stick to the approved, contracted ones.”
Recent research from Zscaler showed a 3,000+ percent year-over-year growth in enterprise use of AI tools, and found that ChatGPT was the tool most blocked by enterprises due to growing concerns over sensitive data exposure and unsanctioned use. Other most-blocked applications include Grammarly, Microsoft Copilot, QuillBot, and Wordtune.
Phil Tee, EVP and head of AI innovation at Zscaler, said that the concept of shadow AI “is creating another set of behaviours” and while cybersecurity does a good job of eliminating bad things such as malware and cyber-criminals, you are “never going to eliminate bad people."
Embedded AI
Peter Garraghan, CEO and co-founder of Mindgard, said that AI is already embedded in enterprise workflows, including within cybersecurity, but it is accelerating faster than most organisations can govern it.
“Shadow AI isn’t a future risk: it’s happening now, often without leadership awareness, policy controls, or accountability,” he said. “Gaining visibility is a critical first step, but it’s not enough.
“Organisations need clear ownership, enforced policies, and coordinated governance across security, legal, compliance, and executive teams. Establishing a dedicated AI governance function is not a nice-to-have. It is a requirement for safely scaling AI and realising its full potential.”
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.