According to a 2025 Menlo Security report, 68% of corporate employees use free generative AI tools through private accounts, and 57% of them enter sensitive company data there. Microsoft research shows that 78% of employees bring their own AI tools to work – outside the control of IT departments. This is not a vision of the future. It is everyday reality.
Shadow AI: an invisible threat born of good intentions
Shadow AI is the counterpart of the well-known shadow IT, but with more serious consequences. A marketing employee pastes client briefs into ChatGPT. A developer debugs production code in a public assistant. An analyst asks a model to summarise a confidential report. Each of these people is acting in good faith – they want to be productive and meet deadlines.
The problem is that public models may store data and use it for training. Information that seems harmless today may appear tomorrow in a response given to a competitor. According to IBM, the average cost of an AI-related data breach exceeds $650,000 per incident.
“Shadow AI is one of the biggest challenges for CISOs” – notes Jaroslaw Kamil Zdanowski, Partner at SNOK. “Employees are not acting maliciously – they want to work more effectively. The organisation’s role is to give them safe tools before they reach for risky alternatives.”
Anatomy of the risk: what can go wrong
Generative AI creates risks on several levels. The first is the uncontrolled flow of data to external providers – every prompt containing source code, client data or intellectual property potentially leaves the organisation and ends up on servers the company does not control.
The second is a lack of information classification. Many companies do not know which data is sensitive or where it is located. Without this knowledge, it is impossible to enforce security policies with respect to AI. The third is the absence of clear rules – according to Gartner, only 23% of organisations require training in the safe use of AI. The rest operate in a regulatory vacuum.
The fourth level is a lack of monitoring – traditional security tools do not detect an employee pasting confidential data into a browser window. According to Palo Alto Networks, AI-related DLP incidents increased 2.5-fold in early 2025 and now account for 14% of all data-leakage incidents in SaaS traffic.
A framework for CISOs: six pillars of safe AI
Organisations need a systematic approach to managing generative AI. First: clear policies defining approved tools, acceptable use cases and prohibited data categories. The policy must be communicated before tools are deployed, not after the fact.
Second: information classification covering not only documents but also data in ERP systems, CRM systems and code repositories. Third: next-generation DLP tools capable of analysing prompts in real time and blocking attempts to feed sensitive data into public models.
Fourth: monitoring that shows who is using which tools and what data they are entering – without visibility there is no control. Fifth: user education based on practical scenarios, not abstract warnings. Sixth: choosing secure enterprise-grade platforms instead of fighting shadow AI – if you give employees good tools, they will stop looking for workarounds.
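As an added illustration of the third and fourth pillars (example code written for this article, not SNOK's tooling or any vendor's product), a minimal prompt-inspection gate in Python: it classifies a prompt against a few detection rules before it is forwarded to a public assistant, blocks or redacts by data category, and records who sent what kind of data to which tool without storing the raw prompt. The rule set, category names and policy mapping are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass, field

# Detection rules: data category -> pattern. Illustrative assumptions for this
# example, not a complete DLP rule set.
RULES = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){3,7}\b"),
    "api_key": re.compile(r"\b(?:AKIA[0-9A-Z]{16}|sk-[A-Za-z0-9]{20,})\b"),
    "source_code": re.compile(r"^\s*(?:def |class |import |#include|SELECT .+ FROM )", re.M),
    "confidential_marker": re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b", re.I),
}
# Policy (pillar one, made machine-readable): "block" outranks "redact".
POLICY = {"api_key": "block", "source_code": "block", "confidential_marker": "block",
          "iban": "redact", "email": "redact"}

@dataclass
class Decision:
    action: str                          # "allow", "redact" or "block"
    categories: list = field(default_factory=list)
    prompt: str = ""                     # text that may be forwarded ("" when blocked)
    audit: dict = field(default_factory=dict)

def inspect_prompt(user: str, tool: str, prompt: str) -> Decision:
    """Classify a prompt before it leaves the organisation and emit a monitoring record."""
    found = sorted(cat for cat, rx in RULES.items() if rx.search(prompt))
    actions = {POLICY[c] for c in found}
    if "block" in actions:
        action, out = "block", ""        # nothing is forwarded to the public model
    elif "redact" in actions:
        action, out = "redact", prompt
        for cat in found:                # replace each hit with a category placeholder
            out = RULES[cat].sub(f"[{cat.upper()} REDACTED]", out)
    else:
        action, out = "allow", prompt
    # Pillar four: who, which tool, which categories. The raw data is never logged.
    audit = {"user": user, "tool": tool, "action": action,
             "categories": found, "prompt_chars": len(prompt)}
    return Decision(action, found, out, audit)

if __name__ == "__main__":
    # Constructed sample prompts, not real client data.
    samples = [
        ("m.nowak", "public-chat", "Summarise this brief for client jan.kowalski@example.com"),
        ("dev1", "public-chat", "Why does this fail?\ndef pay(iban):\n    return charge(iban)"),
        ("analyst", "public-chat", "Draft a friendly out-of-office message"),
    ]
    for user, tool, text in samples:
        print(inspect_prompt(user, tool, text).audit)
```

In a deployment the gate would sit in a browser extension or forward proxy in front of the assistant, and the audit records would feed the same SIEM as other DLP events.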
“The key is balancing control with usability” – emphasises Dariusz Kurkiewicz, Team Leader Cybersec & SAP BASIS at SNOK. “Too restrictive an approach leads to workarounds. Too liberal an approach leads to leaks. An effective strategy gives people safe alternatives that they genuinely want to use.”
Innovation under control, not under lock
The goal is not to block generative AI – that would be about as effective as trying to stop the internet. Organisations that ban AI do not eliminate the risk – they merely lose visibility over it. Employees will use the tools anyway, through private devices and networks.
The right approach is to consciously harness innovation. Generative AI can be a competitive advantage: it speeds up content creation, automates routine tasks, and supports data analysis and decision-making. The condition is that the organisation knows how it is used, what data it processes, and whether it meets regulatory requirements such as GDPR or industry security standards.
“Companies that implemented AI governance early are now reaping the benefits without worrying about leaks” – points out Paweł Machowiec, SNOK Expert. “Those that ignored the issue are dealing with tool chaos, a lack of control, and a growing risk of incidents.”
The SNOK perspective
SNOK combines competences in cybersecurity, data management and process automation. We help clients build environments in which generative AI operates safely: from auditing the current state and identifying shadow AI, through developing policies and deploying monitoring tools, to integration with existing SAP infrastructure and security systems.
We work with partners such as SecurityBridge, providing visibility across the entire IT landscape. We know that AI security is a continuous process requiring adaptation to changing technologies and regulations.
Time for a coherent strategy
Generative AI is already present in your organisation – the only question is whether you know it and whether you have control over it. A coherent strategy for safe AI covers policies, technology, education and continuous monitoring. It is not a one-off project, but a process requiring ongoing attention.
Organisations that build the foundations of responsible AI use today will reap its benefits tomorrow without fear of data leaks, regulatory breaches or reputational loss. Those that ignore the issue may discover that their most valuable information left the company walls long ago.
Would you like to assess your organisation’s readiness for a safe generative AI deployment? Contact the SNOK team.
#GenerativeAI #Cybersecurity #ShadowAI #DLP #CISO #SNOK #SafeTuesdayWithSNOK
Would you like to see this in practice or discuss an implementation for your organisation? Contact us – we will respond within 48 hours.