Insights

AI Risk & Security: What No One Wants to Review in the Board

Written by Andrés Lozada | Jul 9, 2026 6:21:24 PM

There is a conversation that is still not happening with enough seriousness in most companies across the region: what exactly happens to data when someone on the team pastes it into an AI tool that no one formally approved.

This is not a technical question. It is a corporate governance question. And the answer, in most cases, is that no one knows for certain.

Shadow AI: the problem that already exists

The term Shadow AI refers to the use of artificial intelligence tools inside a company without the approval or knowledge of IT or security. As a concept it is not new — Shadow IT has been in the CISO vocabulary for years — but AI gives it a different dimension.

With earlier cloud applications, the problem was that data entered external, uncontrolled storage. With AI tools, data can be used to train models, be stored on third-party servers in other jurisdictions, and eventually surface in the responses that tool generates for other users.

The scale of the phenomenon is already documented:

  • 71% of workers use AI tools not formally approved by their company. (Microsoft Work Trend Index 2025)
  • 43% of employees have shared sensitive information with AI tools without their organization's permission. (NCA / CybSafe 2025)
  • 33% have shared corporate research or datasets; 27% have entered employee data; 23% have input confidential financial information. (IBM 2025)
  • More than 58% do so through free versions, where data is frequently used to train the model. The cost is not the subscription. The cost is the information.

What this means in terms of risk

According to the IBM Cost of a Data Breach Report 2025, breaches linked to Shadow AI carry an average cost $650,000 higher than standard breaches. And 1 in 5 organizations has already experienced a security incident related to uncontrolled AI use.

Regulatory risk is also relevant for Latin America. Brazil's LGPD, Mexico's Federal Data Protection Law, and other national frameworks have specific requirements that Shadow AI violates systematically and silently. The regulatory exposure can be as damaging as the technical breach itself.

There is another data point worth attention: 69% of C-level executives prioritize speed over data privacy when adopting new AI tools (Microsoft Data Security Index 2026). A culture of risk frequently starts at the top.

Why it happens and why it is hard to solve

The most common reason is simple: employees want to do their jobs better and faster, and the available tools work. There is no malicious intent. There is a gap between what the organization offers and what people need.

The problem is compounded because 63% of organizations have no formal AI governance framework (IBM / Gallup, 2025), and only 22% have communicated a clear AI integration plan to their employees. When there is no policy, people define their own. That is entirely predictable.

Banning AI tools does not solve the problem. It only makes it invisible. The most effective solution combines enablement with control: provide approved, secure tools, establish clear policies on what data can be processed, and implement technical controls that are practical.

The controls that actually work

1. Visibility: If you do not know which AI tools your teams are using, you cannot manage the risk. SaaS discovery tools, network traffic monitoring, and Data Loss Prevention (DLP) solutions provide that visibility. 86% of organizations currently lack it (Reco, 2025).

2. An approved-tools list: With clear criteria — where data is processed, whether it is used to train models, what privacy guarantees the vendor offers. That list must be updated regularly because the AI tool market changes very fast.

3. Data classification: Define what can be processed with external tools, what requires specific guarantees, and what must remain exclusively in internal systems. It is an exercise many organizations have not done systematically.

4. Targeted training: Many employees are not aware of the risks they take. Practical training, with concrete examples of what is at stake, changes behavior more effectively than any written policy no one reads.

The framework that makes all of this sustainable

Managing AI risk is not an IT project. It is a responsibility of the entire organization, one that begins at the leadership level. AI will keep expanding across organizations, with or without a policy. The question is whether that expansion happens in a controlled way, or continues to be the kind of silent adoption already producing real incidents in companies that do not yet know they had them.

It is worth choosing the first option before the second becomes urgent.

Sources: Microsoft Work Trend Index 2025, NCA / CybSafe 2025, IBM Cost of a Data Breach Report 2025, Reco State of Shadow AI 2025, Gartner, Gallup 2025, ISACA 2025, Microsoft Data Security Index 2026.


Andrés Lozada
Executive Director, SUMāTO Group · Cloud · Infrastructure · Cybersecurity · Digital Transformation
linkedin.com/in/andreslozada/

Keep exploring