Dive Brief:
- Nearly all executives are confident their employees are using AI responsibly, but shadow AI is creeping into organizations, an Okta survey released Wednesday found. More than half of employees reported using personal AI tools without approval, according to the survey, which the security platform provider conducted with market research firm Apprize360 and which polled nearly 300 tech executives and 500 knowledge workers.
- Workers reported using unapproved AI tools for productivity reasons, saying they allow the tools access to internal messages, HR-related information and confidential company documents. The practice is heightening security risks, as 58% of executives said their organization had an AI-related security incident or a close call last year, according to the report.
- Lack of clarity in AI usage policies or banning personal AI tools can actually increase shadow AI use, said Harish Peri, Okta’s SVP and GM for AI security, in an email. “By taking a more collaborative approach with employees, leaders can offer sanctioned, enterprise-grade alternatives to the unapproved tools that teams are using.”
Dive Insight:
Executives feel strongly that the AI usage policies they’ve set are clear and consistent. But the sentiment doesn’t resonate with employees, according to the Okta report. More than half of employees say their organization’s policies are unclear, difficult to find or non-existent.
American employees especially are turning to unsanctioned tools to fill in productivity gaps. Two-thirds of U.S.-based employees use unsanctioned AI, and nearly a quarter do so regularly, the report found.
Shadow AI use usually isn’t done maliciously, Peri said, but is a result of employees wanting to experiment with new tools and agents to meet deadlines or solve specific problems. Employees aren’t usually aware of what data an AI tool might access or for how long.
“The risk isn’t necessarily because of intent, but because employees are experimenting without thinking through visibility, governance, or consistent security controls,” he said.
Organizations should work collaboratively with employees to understand what they need for productivity gains and what they feel is lacking in the company's AI offerings. From there, they can establish a governance framework that provides secure sandboxes for testing AI tools safely.
“The old adage in cybersecurity is that you can’t protect what you can’t see,” Peri said. “If you don’t know what agents exist or where they are in your environments, there’s no way to reliably enforce access policies.”
Peri said many tech leaders feel an illusion of control over their AI governance, but most policies could use frequent refreshes and security checks. He encourages enterprise leaders to regularly ask themselves what agents have access to and what they’ve been given permission to do.
“If you can’t answer those questions, you’re flying blind,” Peri said. “That is the baseline for operating a secure agentic enterprise today.”