Shadow AI has moved from a governance footnote to the single fastest-growing entry on the corporate breach ledger. IBM’s Cost of a Data Breach Report 2025 found that 20% of breached organizations were compromised through shadow AI, the unsanctioned generative AI tools employees adopt without security sign-off. Those incidents added roughly $670,000 to the average breach. As of June 2026, security leaders are treating that figure as the opening bid, not the ceiling.
The pattern rhymes with the shadow IT wave of the 2010s, when employees routed around slow procurement to use Dropbox, Slack, and personal cloud accounts. The difference now is the payload. Shadow AI tools do not just store files. They ingest source code, customer records, contracts, and strategic plans, then send that data to third-party model providers that sit entirely outside corporate control. This analysis breaks down the hard numbers, the market reaction, expert commentary, and where shadow AI risk goes through 2027.
What Shadow AI Is and Why June 2026 Is a Turning Point
Shadow AI describes any use of artificial intelligence, most often consumer chatbots and AI browser extensions, that an organization’s security and IT teams have not approved, inventoried, or secured. A developer pasting proprietary code into a public chatbot to debug it is shadow AI. So is a sales team running customer call transcripts through an unapproved summarizer, or a finance analyst feeding a quarterly forecast into a free writing assistant.
The reason 2026 marks an inflection point is adoption speed. The World Economic Forum’s 2026 outlook and IBM both report that 94% of cyber leaders now name AI as the defining force in cybersecurity, while 77% of organizations already use AI inside their own security operations. Employees adopted these tools faster than any enterprise software category in history, and policy never caught up. The result is a visibility gap: security teams cannot defend data flowing to tools they cannot see.
What changed between 2025 and 2026 is that the theoretical risk produced measurable losses. The shift from “this could leak data” to “this added $670,000 to one in five breaches” is what pushed shadow AI onto board agendas and into the same risk tier as ransomware and supply-chain attacks.
The Numbers: 20% of Breaches Now Involve Shadow AI
The headline statistics come from IBM’s 2025 breach study, which surveyed organizations across 16 countries and 17 industries. The global average breach cost held at $4.44 million, while the United States posted the highest regional figure on record at $10.22 million. Against that backdrop, the AI-specific findings stand out because they describe a brand-new attack surface that barely existed three years ago.
| Shadow AI metric (2025) | Figure | Source |
|---|---|---|
| Breaches involving shadow AI | 20% | IBM Cost of a Data Breach 2025 |
| Added breach cost from shadow AI | +$670,000 | IBM Cost of a Data Breach 2025 |
| Global average breach cost | $4.44 million | IBM Cost of a Data Breach 2025 |
| US average breach cost | $10.22 million | IBM Cost of a Data Breach 2025 |
| Organizations with no AI governance policy | 63% | IBM Cost of a Data Breach 2025 |
| Breached orgs with AI incidents lacking access controls | 97% | IBM Cost of a Data Breach 2025 |
| Organizations reporting an AI-related security incident | 13% | IBM, 2026 trends |
Two numbers in that table do the heavy lifting. The 97% figure shows that almost every organization suffering an AI-linked incident had no real access controls around the tools. The 63% governance gap explains why: most companies never wrote a policy to begin with. Shadow AI is less a story about clever attackers and more a story about ungoverned data exits, which is exactly the failure mode that most large data breaches share.
How Employees Leak Data to Unsanctioned AI Tools
The behavioral data explains how a 20% breach share materialized so quickly. Industry survey figures circulating through 2025 and 2026 put consumer generative AI use among employees at 57%, with 33% admitting they have exposed sensitive company data to these tools and 36% using unapproved AI apps directly on work devices. When more than a third of a workforce routes corporate data through tools the security team cannot inventory, leakage is not an edge case. It is the baseline.
The leak vectors are mundane, which is what makes them dangerous. The most common include:
- Code and secrets: developers paste functions, API keys, and configuration files into chatbots for debugging.
- Customer data: support and sales staff summarize tickets, transcripts, and contact lists.
- Financial and legal text: analysts and counsel run forecasts, contracts, and board materials through free assistants.
- Browser extensions: AI add-ons silently read page content, including internal dashboards and email.
Once that data lands in a third-party model, an organization loses the ability to enforce retention, deletion, or jurisdiction. Some of it can resurface in compromised AI accounts; credential markets in 2025 listed hundreds of thousands of chatbot logins for sale, each potentially exposing whatever an employee had typed in. This is why shadow AI sits squarely in the operational security domain rather than being a purely AI problem.
From Shadow IT to Shadow AI: A Decade-Long Pattern
The Shadow IT Era (2012 to 2020)
Shadow IT emerged when consumer cloud services outpaced enterprise procurement. Employees wanted Dropbox-grade convenience and got it, with or without approval. Security teams responded with cloud access security brokers (CASBs) and data loss prevention (DLP) tooling that discovered unsanctioned apps and blocked risky uploads. The core lesson was that bans alone failed; visibility plus sanctioned alternatives worked.
The Shadow AI Acceleration (2023 to 2026)
Generative AI compressed that entire cycle into roughly 24 months. In 2023 and 2024, the risk was employees pasting data into consumer chatbots. By 2025, the problem expanded to unapproved model use, AI browser plugins, and personal accounts handling work tasks. By 2026, autonomous AI agents pushed it further, acting across enterprise systems with minimal human oversight. IBM’s own framing captures the continuity: shadow AI “mirrors the rise of shadow IT a decade ago, but with far higher stakes.” The stakes are higher because the data does not just sit in an unsanctioned app; it trains or transits external models.
What Security Experts Are Saying About Shadow AI
Named commentary from the people who compiled the 2025 and 2026 data is blunt. Jeff Crume, an IBM cybersecurity leader, set the tone in IBM’s 2026 predictions:
“In 2026, we’ll see major security incidents where sensitive IP is compromised through shadow AI systems: unapproved tools deployed by employees without oversight.”
Jeff Crume, Cybersecurity Leader, IBM
Crume ties the trajectory directly to the previous decade, noting that the dynamic “mirrors the rise of shadow IT a decade ago, but with far higher stakes,” because AI tools “now handle proprietary algorithms, confidential data and strategic decision-making.” He adds a warning about the agent era: “As autonomous AI agents begin to operate independently across enterprise environments, often outside sanctioned workflows, they access sensitive data with minimal human oversight.”
Suja Viswesan, Vice President of Security and Runtime Products at IBM, put a price on the trend when the breach report landed:
“The report shows that having a high level of shadow AI, where workers download or use unapproved internet-based AI tools, added an extra USD 670,000 to the global average breach cost.”
Suja Viswesan, VP, Security and Runtime Products, IBM
The World Economic Forum’s 2026 reporting reinforces the consensus from a different angle, finding that 94% of cyber leaders identify AI as the defining force reshaping their field. The agreement across IBM, the WEF, and Google Cloud’s forecast is unusual in a field that loves to disagree, and it signals that shadow AI is now a structural concern rather than a vendor talking point.
The Governance Gap: 63% Still Have No AI Policy
The most actionable statistic in the entire dataset is the governance gap. IBM found that 63% of organizations had no AI governance policy in place to manage AI use or prevent shadow AI. Among organizations that did suffer an AI-related incident, 97% lacked proper AI access controls. These two numbers describe an open door, and attackers have noticed.
Governance here does not mean a banned-apps list. The organizations reducing risk are doing four things in combination: discovering which AI tools employees actually use, classifying what data those tools touch, routing approved use through a sanctioned gateway, and monitoring for prompt-based data exfiltration. Only about 23% of organizations have implemented AI runtime controls so far, which leaves most of the market exposed. The gap between policy and enforcement is the single clearest predictor of whether shadow AI becomes a line item on a breach invoice. The same discipline that protects credentials and access applies directly to AI tool usage.
Market Impact: AI TRiSM Reaches $5.7B and DLP Vendors Pivot
Money follows risk. Gartner projects the AI trust, risk, and security management (AI TRiSM) market to reach $5.7 billion by 2026, a category that barely had a name in 2023. The growth is pulling in three groups of vendors at once: legacy DLP providers retooling for AI, cloud platforms bundling AI governance, and a wave of startups built specifically to discover and control shadow AI.
The economic logic is straightforward for buyers. If shadow AI adds $670,000 to an average breach and a control platform costs a fraction of that, the return on investment math closes quickly, especially for regulated industries facing the $10.22 million US average. That is why budgets are shifting from broad awareness training toward technical enforcement that can see and stop data leaving for an external model in real time.
| Control approach | What it does | Best at catching | Limitation |
|---|---|---|---|
| AI discovery / CASB | Inventories which AI tools employees use | Unknown apps and accounts | Sees usage, not content |
| Browser / endpoint DLP | Inspects data before it leaves the device | Pasted code, files, secrets | Coverage gaps on personal devices |
| Identity and access controls | Gates who can reach which AI service | Unauthorized access | Does not inspect prompt content |
| AI gateway / runtime controls | Routes approved AI use through a monitored proxy | Prompt-level data exfiltration | Only 23% adoption so far |
| Policy and training | Sets rules and educates staff | Casual misuse | Weak without technical enforcement |
Competitive Comparison: How the Big Platforms Approach Shadow AI
The platform vendors are converging on shadow AI from the assets they already own. Microsoft leans on its data governance stack, extending Purview-style data security and DLP to flag and restrict sensitive content heading into generative AI tools. Google Cloud frames the problem through its security forecast and its model and data-security tooling, pushing governance into the cloud workloads where AI runs. Network and zero-trust vendors such as Zscaler and Palo Alto Networks attack it at the traffic layer, using AI access and data-protection features to discover unsanctioned tools and block risky uploads inline.
The competitive split mirrors each vendor’s center of gravity. Data-platform players want to control the content. Network players want to control the path. Identity players want to control the access. None of the three fully solves shadow AI alone, which is why buyers in 2026 are stitching together discovery, DLP, and runtime controls rather than betting on a single suite. The lesson from the agentic AI security market applies here too: autonomous and unsanctioned AI both demand layered defenses, not a single product.
The Upside: AI Defenders Cut Breach Costs by $1.9M
Shadow AI is the liability side of the ledger, but the same technology is also the most effective defense being deployed. The WEF’s 2026 analysis found that organizations using AI extensively in their security operations cut average breach costs by up to $1.9 million and shortened breach lifecycles by roughly 80 days. That is a larger swing than almost any other single control measured.
The takeaway for security leaders is not “AI bad, ban it.” It is that ungoverned AI is expensive and governed AI is protective. The organizations winning this trade are the ones that move fastest from informal use to sanctioned, monitored deployment, capturing the $1.9 million defensive upside while closing the $670,000 shadow AI downside. Done right, the net swing between a governed and ungoverned AI posture exceeds $2.5 million per major incident.
Regulatory Pressure: NIST, the EU AI Act, and Disclosure Rules
Regulation is hardening the business case for governance. The NIST AI Risk Management Framework gives US organizations a voluntary but increasingly expected standard for mapping, measuring, and managing AI risk, including the shadow use case. In the EU, the phased AI Act obligations push organizations toward documented oversight of how AI systems handle data, which is difficult to demonstrate when a third of employees use tools nobody approved.
Disclosure pressure compounds the cost. When shadow AI causes a breach involving personal data, organizations still face the same notification, regulatory, and reputational consequences as any other incident, with the added complication of explaining why ungoverned tools had access to sensitive records. Boards that once treated AI policy as optional are now treating it as a defensible-position requirement, in the same way they eventually treated cryptographic readiness as non-optional.
5 Predictions for Shadow AI Through 2027
- The shadow AI breach share climbs past 25%. With 63% of organizations still lacking a policy, the 20% figure from 2025 has more room to grow before enforcement catches up.
- AI gateways become standard. Runtime controls, used by only 23% of organizations today, follow the same adoption curve CASBs did and become a default control by 2027.
- Agentic shadow AI overtakes chatbot leakage. Autonomous agents acting outside sanctioned workflows become the harder-to-detect successor to copy-paste data leaks.
- Insurers price shadow AI directly. Cyber insurers begin asking for AI governance evidence and AI discovery coverage as a condition of favorable premiums.
- AI TRiSM spending outpaces its $5.7B forecast. The combination of breach costs and regulatory pressure pulls budget forward faster than current projections assume.
How to Reduce Shadow AI Risk Now
The organizations closing the gap follow a consistent sequence. The goal is to make the sanctioned path easier than the shadow one, because bans alone failed in the shadow IT era and fail again now.
- Discover first. Inventory which AI tools and extensions employees actually use before writing any rule.
- Classify the data. Identify which categories of data, such as code, customer records, and financials, must never reach external models.
- Offer a sanctioned alternative. Provide an approved, enterprise-grade AI tool so employees have no reason to reach for consumer apps.
- Enforce at the exit. Use browser and endpoint DLP plus an AI gateway to inspect and block sensitive data leaving for unapproved tools.
- Monitor and adjust. Track prompts and usage for exfiltration patterns, and treat AI governance as a living policy, not a one-time memo.
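To make the four governance controls (discover, classify, route through a sanctioned gateway, monitor for prompt-based exfiltration) and the five-step sequence above concrete, here is a minimal outbound-prompt policy check of the kind an AI gateway or endpoint DLP hook would run. It is example code added for this article, not any vendor's product; the sanctioned host name, the proxy events and the detection patterns are all constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Step 1 (discover): hosts the security team has approved. Hypothetical name.
SANCTIONED_AI_HOSTS = {"ai-gateway.corp.example"}

# Step 2 (classify): categories that must never reach an external model.
# Patterns are constructed for illustration and are far from exhaustive.
CLASSIFIERS = {
    "secret": re.compile(
        r"AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(?i:api[_-]?key)\s*[=:]\s*\S+"),
    "customer": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+|\b\d{3}-\d{2}-\d{4}\b"),
    "financial": re.compile(r"(?i:\bq[1-4]\s+forecast\b|\bebitda\b)"),
}

@dataclass
class Decision:
    action: str                 # "allow", "block" or "review"
    categories: list = field(default_factory=list)
    reason: str = ""

def inspect_outbound_prompt(host: str, prompt: str) -> Decision:
    """Step 4 (enforce at the exit): decide whether a prompt may leave for `host`."""
    hits = sorted(name for name, rx in CLASSIFIERS.items() if rx.search(prompt))
    if host in SANCTIONED_AI_HOSTS:
        # Even the sanctioned gateway never receives secret material in a prompt.
        if "secret" in hits:
            return Decision("block", hits, "secret material in prompt")
        return Decision("allow", hits, "sanctioned gateway")
    if hits:
        return Decision("block", hits, f"{host} is unsanctioned and prompt carries {', '.join(hits)} data")
    # No classified data, but the tool is still unknown: surface it for the inventory.
    return Decision("review", hits, f"{host} is unsanctioned; add to discovery inventory")

def discovery_inventory(events):
    """Steps 1 and 5 (discover, monitor): AI hosts seen per user from proxy events."""
    seen = Counter((e["user"], e["host"]) for e in events)
    unsanctioned = {h for _, h in seen if h not in SANCTIONED_AI_HOSTS}
    return dict(seen), unsanctioned

# Constructed proxy events, not real traffic.
SAMPLE_EVENTS = [
    {"user": "dev1", "host": "chat.consumer-ai.example", "prompt": "fix this: api_key = sk-live-1234 def f():"},
    {"user": "sales2", "host": "summarize.free-ai.example", "prompt": "summarize call with jane@customer.example"},
    {"user": "fin3", "host": "ai-gateway.corp.example", "prompt": "rewrite the Q3 forecast memo"},
    {"user": "dev1", "host": "notes.free-ai.example", "prompt": "draft a meeting agenda"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        d = inspect_outbound_prompt(e["host"], e["prompt"])
        print(f"{e['user']:7} {e['host']:28} {d.action:6} {d.reason}")
    print(discovery_inventory(SAMPLE_EVENTS))
```

A real deployment would swap the regexes for a proper classifier and log the allowed-but-classified prompts (the "financial" hit on the sanctioned gateway) rather than just passing them through.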
The same hygiene that defends against phishing and social engineering, reducing the human attack surface through both tooling and training, applies almost directly to shadow AI.
Frequently Asked Questions About Shadow AI
What is shadow AI in cybersecurity?
Shadow AI is the use of generative AI tools, chatbots, and AI browser extensions that an organization’s security and IT teams have not approved or secured. It is the AI-era successor to shadow IT, and it creates risk because corporate data flows to third-party models outside company control.
How much does shadow AI add to a data breach?
According to IBM’s Cost of a Data Breach Report 2025, breaches involving a high level of shadow AI cost an extra $670,000 on average, on top of the global average breach cost of $4.44 million.
What percentage of breaches involve shadow AI?
IBM reported that 20% of breached organizations in its 2025 study were compromised through shadow AI, and that 97% of organizations with AI-related incidents lacked proper access controls.
Why is shadow AI worse than shadow IT?
Shadow IT mostly stored data in unsanctioned apps. Shadow AI sends data, including code, customer records, and strategy documents, to external models that may retain or process it beyond the organization’s control, raising the stakes of every leak.
How do companies detect shadow AI?
Detection combines AI discovery and CASB tools that inventory which AI services employees use, browser and endpoint DLP that inspects data before it leaves a device, and AI gateways that route approved use through a monitored proxy. Only about 23% of organizations have runtime controls so far.
Can AI also reduce breach costs?
Yes. The World Economic Forum’s 2026 analysis found that organizations using AI extensively in security operations cut average breach costs by up to $1.9 million and shortened breach lifecycles by about 80 days. The risk comes from ungoverned AI, not AI itself.
What standards address shadow AI risk?
The NIST AI Risk Management Framework offers a voluntary US standard for managing AI risk, and the EU AI Act imposes phased obligations on how AI systems handle data. Both push organizations toward documented governance that shadow AI directly undermines.
Related Coverage
- Agentic AI Security: $4.7M Breaches, 92% Alarmed
- Data Breaches: How They Happen and How to Protect Yourself
- Phishing Attacks: How to Recognize and Avoid Them
- Password Security: What Actually Keeps Accounts Safe
- Post-Quantum Cryptography: 50% of Web Now Safe
- Online Security Explained: A Practical Guide
Sources: IBM Cost of a Data Breach Report 2025, IBM 2026 cybersecurity predictions, Cybersecurity Dive, Google Cloud Cybersecurity Forecast 2026, and the World Economic Forum Global Cybersecurity Outlook 2026.