New Research from UpGuard Reveals 68% of Security Leaders Admit to Unauthorized AI Usage

    The study also shows 8 out of 10 employees use unauthorized AI, eroding corporate trust

    MOUNTAIN VIEW, Calif., Nov. 10, 2025 /PRNewswire/ — UpGuard, a leader in cybersecurity and risk management, today released its new “State of Shadow AI” report. The report details the widespread use of unapproved generative AI tools, or “Shadow AI,” by employees in the workplace. Data shows that employees worldwide are actively bypassing corporate governance at all levels, with a staggering 8 out of 10 employees using unauthorized AI tools. This widespread non-compliance extends all the way to the top—68% of security leaders, including CISOs, admit to incorporating unauthorized AI into their daily workflows. This is of increasing concern for organizations as employees expose their companies to greater security risks.

    The report also highlights a critical AI security paradox. Despite 40% of employees reporting that they received AI safety training and have a better understanding of the risks, they are also the ones who use unapproved tools most frequently. This correlation suggests that compliance and security awareness campaigns need to evolve to accommodate employees’ increasing drive for productivity and confidence in new technology.

    “Shadow AI has triggered a challenge in maintaining trust between employer and employee,” said Greg Pollock, head of Research and Insights at UpGuard. “Our data shows that increased security training and literacy does not curtail increased shadow AI usage; in fact, it increases it. Organizations need to better engage with their employees about AI to channel that curiosity appropriately.”

    Who Is Bypassing Controls and at What Level?

    UpGuard’s research indicates that traditional security awareness methods are not effective at curtailing unapproved AI usage and are instead enabling “AI power users.” The paradox is further aggravated by seniority, with Shadow AI usage increasing alongside managerial authority; senior leadership across the organization is 50% more likely to use shadow AI.

    The report finds that:

    • A surprising 90% of security leaders themselves report using unapproved AI tools at work, with 69% of CISOs incorporating them into their daily workflows.
    • 27% of workers trust AI more than their managers or colleagues for reliable information, further highlighting the growing divide of non-compliance between employees and corporate authority.
    • 23% of CISOs know that passwords and other credentials are being shared with AI tools within their company, indicating that organizations are becoming increasingly exposed by the minute.
    • Furthermore, while 52% of employees are familiar with their company’s AI usage policy, 70% know of sensitive data shared with AI tools at their workplace.

    Guiding Enablement into the Future

    Unauthorized AI usage in the workplace will continue to rise unless reinforced governance is implemented. It is clear that the problem cannot be solved by blocking applications, as 41% of employees find a way around it.

    For companies keen on creating a transparent environment, a strategic necessity is a shift from a fear-based approach of restriction to one of guided enablement. This new pivot must address the next steps: providing visibility, implementing intelligent guardrails, and offering vetted tools to make the secure path the path of least resistance.

    Read the full report, including additional stats and insights on Shadow AI prevalence in the workplace, at https://www.upguard.com/resources/the-state-of-shadow-ai

    Methodology

    • Data for this report were sourced from two separate methods. The survey of security leaders was conducted by Dynata between August 18-31, 2025. The 542 respondents were security professionals in leadership positions at companies with more than 200 employees located in the US, Canada, the APAC region (comprising Australia, New Zealand, Singapore, and Malaysia), and India.
    • The survey of employees was conducted using the Prolific platform between July 30 and August 11, 2025. The respondents comprised 1020 people in the US and UK who reported being currently employed and could provide the employee count and industry classification of their employer.

    About UpGuard

    Founded in 2012, UpGuard is a leader in cybersecurity and risk management. The company’s AI-powered platform for cyber risk posture management (CRPM) provides a centralized, actionable view of cyber risk across an organization’s vendors, attack surface, and workforce. Trusted by thousands of companies, UpGuard’s platform is designed to help security teams manage cyber risk with confidence and efficiency. To learn more, visit www.upguard.com.