Shadow AI Adoption Grows – 31% of Employees Receive No Employer Training, Elevating Data‑Leak and Compliance Risks
What Happened – A Lenovo‑commissioned survey of 6,000 enterprise workers shows that between 20 % and 33 % of employees regularly use consumer‑grade AI tools without any IT‑managed oversight or training. The gap between sanctioned AI use and “shadow AI” is widening: 70 % of respondents use AI at least a few times per week and 80 % expect their usage to increase.
Why It Matters for TPRM –
- Uncontrolled AI can process sensitive corporate data outside governed environments, creating third‑party data‑exposure risk.
- Lack of training leads to inconsistent security practices, raising the likelihood of accidental data leakage (pasting confidential material into a prompt) and of staff falling for AI‑generated phishing.
- Vendors that supply AI‑enabled services may inherit these gaps, amplifying supply‑chain risk for their customers.
Who Is Affected – All enterprise sectors that permit employee‑driven AI use, especially technology‑focused firms, professional services, and any organization that handles intellectual property or regulated data.
Recommended Actions –
- Conduct a rapid inventory of all AI tools (sanctioned and unsanctioned) used across the organization.
- Mandate baseline AI‑security training for 100 % of staff; track completion and effectiveness.
- Deploy DLP and data‑classification controls that cover browser sessions and API traffic to consumer AI platforms (e.g., ChatGPT, Claude), including copy‑paste and file upload, not just e‑mail and file shares.
- Update third‑party risk questionnaires to include AI‑governance maturity metrics.
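The inventory and DLP steps above both start from the same evidence: who is talking to which AI service, and how much they are sending. The following script is an added example, not code from the article, the Lenovo survey, or Help Net Security. It assumes a simplified web‑proxy log line of the form `<timestamp> <user> <method> <url> <status> <request_bytes>`, a hypothetical list of consumer AI domains (extend it for your environment), one hypothetical sanctioned enterprise tenant that should not count as shadow AI, and an assumed 8 KiB request‑size threshold for flagging bulk pastes or uploads. The log lines are constructed for the example.

```python
"""Shadow-AI inventory from web-proxy logs (added example, not from the source article).

Assumptions: a simplified proxy log format, a hypothetical consumer-AI domain list,
a hypothetical sanctioned tenant, and an arbitrary upload-size threshold.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Assumption: hosts treated as consumer (unsanctioned) AI services.
CONSUMER_AI_DOMAINS = {
    "chat.openai.com": "ChatGPT",
    "chatgpt.com": "ChatGPT",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
}
# Assumption: a hypothetical IT-managed tenant that is NOT shadow AI.
SANCTIONED_DOMAINS = {"copilot.corp.example"}
# Assumption: POST bodies at or above this size are flagged as possible bulk paste/upload.
UPLOAD_THRESHOLD_BYTES = 8192

# Assumed log layout: "<ts> <user> <method> <url> <status> <request_bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<req_bytes>\d+)$"
)

# Constructed sample log lines (not real traffic); last line is deliberately malformed.
SAMPLE_LOG = """\
2024-05-02T09:01:11Z alice GET https://chat.openai.com/ 200 0
2024-05-02T09:01:40Z alice POST https://chat.openai.com/backend-api/conversation 200 612
2024-05-02T09:15:02Z bob POST https://claude.ai/api/organizations/x/chat_conversations 200 20480
2024-05-02T09:20:00Z carol POST https://copilot.corp.example/api/chat 200 30000
2024-05-02T09:21:33Z bob GET https://intranet.corp.example/wiki 200 0
this line is not a valid proxy record
"""


@dataclass
class UserUsage:
    """Per-user tally of consumer AI services hit and large POSTs observed."""
    services: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    large_uploads: List[str] = field(default_factory=list)


def host_of(url: str) -> str:
    """Extract the lowercase host from an http(s) URL; empty string if none."""
    m = re.match(r"^https?://([^/:]+)", url)
    return m.group(1).lower() if m else ""


def classify_host(host: str) -> Optional[str]:
    """Return the consumer AI service name for a host, or None if sanctioned/unrelated."""
    if host in SANCTIONED_DOMAINS:
        return None
    for domain, name in CONSUMER_AI_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def inventory(lines: Iterable[str]) -> Dict[str, UserUsage]:
    """Build the shadow-AI inventory: users -> services used and large uploads."""
    usage: Dict[str, UserUsage] = defaultdict(UserUsage)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed records instead of aborting the sweep
        service = classify_host(host_of(m["url"]))
        if service is None:
            continue
        entry = usage[m["user"]]
        entry.services[service] += 1
        if m["method"] == "POST" and int(m["req_bytes"]) >= UPLOAD_THRESHOLD_BYTES:
            entry.large_uploads.append(f"{m['ts']} {service} {m['req_bytes']} bytes")
    return dict(usage)


def report(usage: Dict[str, UserUsage]) -> List[str]:
    """Render one line per user, suitable for a ticket or a DLP review queue."""
    out = []
    for user in sorted(usage):
        svc = ", ".join(f"{k}x{v}" for k, v in sorted(usage[user].services.items()))
        flag = f"; {len(usage[user].large_uploads)} large POST(s)" if usage[user].large_uploads else ""
        out.append(f"{user}: {svc}{flag}")
    return out


if __name__ == "__main__":
    for row in report(inventory(SAMPLE_LOG.splitlines())):
        print(row)
```

Run against real proxy exports, the output is the starting point for the inventory (which users and which services) and for the DLP tuning (which sessions carried enough data to warrant inspection). Sanctioned tenants are excluded so the review queue only contains genuine shadow use.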
Technical Notes – The risk vector is “shadow AI” – employees leveraging external AI services (large language models, generative image tools) without IT oversight. This creates a third‑party dependency on public AI providers, bypasses existing compliance controls, and can expose confidential data via API calls or copy‑paste actions. No specific CVE or malware is cited; the threat is procedural and human‑factor driven. Source: Help Net Security