Artificial Intelligence has rapidly evolved from a niche research field into an everyday workplace tool. In many cases, this adoption has outpaced previous technology waves, with employees across industries embracing AI to boost productivity in almost every aspect of their work and life.

However, this bottom-up adoption introduces new risks. Unlike traditional software, generative AI relies on data input. Every prompt may contain confidential information, personal data, or even source code. Without visibility into how employees are using these tools (or even which tools they are using at all), organisations face a growing blind spot. Data leakage, shadow AI adoption, compromised accounts, and compliance exposures are already making headlines.

This article explores the double-edged sword that is enterprise AI, the huge benefits it offers and the significant risks it poses when left unmanaged. It also highlights why effective AI governance and usage controls are now critical to ensuring security whilst facilitating innovation.

Over the past few years, AI has shifted from the fringes of experimentation to the core of workplace productivity. Employees now use AI assistants to brainstorm ideas, accelerate coding, summarise documents, draft emails, and automate entire workflows. The gains have been immediate, and a 

 estimated that generative AI could add up to $4.4 trillion in global productivity annually (and everyone is eager to capture their share).

This enthusiasm has driven AI adoption at lightning speed. Even in 2024, more than 

 reported using generative AI in some capacity, with a lot of this being employee-driven. This is no surprise, as the appeal is obvious: the tools are intuitive, powerful, and, in many cases, free. Unlike previous waves of enterprise software evolution, employees no longer rely on IT to procure or configure tools; they can simply sign up and start using them.

For CIOs, CTOs, and security teams, this presents both a great opportunity and a complex new set of security challenges.

AI services differ fundamentally from previous technologies because, by design, they encourage users to input large volumes of data to maximise their performance, and at first glance, this seems fairly similar to search engines. However, the difference is that search engines typically only require short, structured queries, where AI tools encourage users to type, paste and upload extensive amounts of data, often including confidential or sensitive material into their external systems.

Without proper safeguards, these interactions can expose users and organisations to a growing list of risks, including data loss, breaches, compliance failures, and usage control / data residency complications.

Employees routinely paste sensitive information into AI tools, often unaware of the risks. Reports show that around 

 like ChatGPT is sensitive, including customer information, internal strategy, source code, and credentials.

These risks are not theoretical. Even back in 2023, Samsung engineers inadvertently exposed proprietary code and meeting notes by submitting them to ChatGPT. Once entered, the information became part of the AI provider’s systems, beyond Samsung’s control. Similar incidents have occurred across industries, raising serious questions about how much sensitive data is silently flowing into third-party AI tools.

Large-scale breaches have also revealed what this looks like. In early 2025, 

 DeepSeek messages were left publicly exposed online, and 

 OmniGPT prompts were later sold on underground forums. These leaked datasets contained credentials, financial records, personal information, proprietary source code, and personal mannerisms and details that could be used for blackmail, highlighting the scale of potential exposures.

There we were, out hands already full dealing with shadow IT and shadow SaaS, and now a new “shadow” challenge emerges, shadow AI. Employees are now frequently leveraging every and any new and unapproved AI tools, often because they are free, faster, or simply more convenient than approved alternatives.

A National Cybersecurity Alliance survey found that 

 admit to feeding sensitive data into AI tools without organisational approval. This results in a fragmented landscape where intellectual property, regulated information, and personal data are processed by unknown third parties.

For IT and security teams, the problem is compounded by invisibility, as traditional monitoring tools don’t or can’t detect prompt submissions or the proliferation of undocumented and unapproved AI apps.

AI service accounts have rapidly become prime targets for cybercriminals. In 2024, reports surfaced that tens of thousands of stolen ChatGPT credentials were being traded on underground markets. This was no surprise as AI chat histories now often contain credentials, customer details, product plans, code snippets, and other highly sensitive details.

For organisations, this presents a new attack surface where a single compromised AI account could result in immediate compromise or expose weeks or even months of corporate intelligence, with little to no visibility for security teams into what has been lost or when.

With the huge uptake in AI technologies, regulators have also turned their attention to AI usage, especially where AI intersects with data protection. Submitting Personally Identifiable Information (PII) to uncontrolled or unknown external services can breach GDPR, HIPAA, or other privacy regulations.

For heavily regulated sectors such as finance, defence, and healthcare, even a single unsanctioned use of an external AI tool could trigger legal and compliance complications, driving a growing demand for AI governance frameworks and usage control mechanisms that ensure responsible innovation while maintaining compliance.

Despite the widespread adoption of AI, most organisations still lack the visibility and control mechanisms required to manage its risks effectively, with common challenges including:

This lack of tooling means leaders are effectively flying blind. They see the productivity gains, but not the hidden data movements, exposures, or security implications driving them.

To balance AI’s benefits with its equally significant risks, organisations need to adopt and embed AI governance and usage control at the core of their operations.

AI usage control solutions, like those offered by CultureAI, operate in the sweet spot that can provide the visibility and guardrails required for safe AI adoption whilst still facilitating productivity gains:

This isn’t about banning or blocking AI use, it’s about enabling its safe, scalable adoption. By embedding the right controls in the right place, organisations can empower employees to innovate confidently, while retaining full control over their data, compliance, and risk posture.

The enterprise adoption of AI mirrors the adoption of email, cloud, and SaaS before it, driven from the bottom up by employees seeking faster and smarter ways to work. The difference this time is that AI consumes corporate data at a huge scale in every interaction, magnifying the risks of leaks, breaches, and compliance issues.

Organisations and security teams can either ignore the risks and rely on employee restraint or act decisively and embed controls that safeguard data while preserving and encouraging the productivity gains AI has made possible.

The way forward is clear. AI usage control, shadow AI discovery, and comprehensive usage analytics must become core components of every enterprise security and IT strategy. These are not optional extras, but essential enablers of responsible innovation.

It’s not going anywhere. AI will continue to redefine how work gets done and the organisations that succeed will not be those that restrict its use, but those that enable its adoption securely, building visibility, enforcing policies, and establishing governance frameworks that keep pace with the AI era.

Ultimately, it’s not about blocking AI or limiting innovation; it’s about controlling how we use it and enabling secure adoption to maximise its potential and our success.

Join us for our upcoming virtual tech talk with Oliver Simonnet, Lead Cyber Security Researcher, CultureAI. 30 minutes that will change the way you think about AI risk. 

Recommended for you

The Back Room Problem: Why Most Organisations Lack AI Data Visibility

Pixels, Polygons, and Payloads:Malware delivery in 3D software pipelines

AI Adoption Is Outpacing Governance: Conversations on Managing AI Risk