The 2026 figures put numbers on what every business already suspects. More than 80% of workers report using unapproved AI tools, and regular AI use on corporate devices jumped to 45% from 15% the year before. The leakage data is the part that should stop you: 38% of employees admit sharing sensitive company information with AI tools without approval, and around a third have uploaded customer data.

It’s not free, either. IBM’s analysis found shadow-AI-related breaches cost an average of US$670,000 more per incident, that 20% of breached organisations were compromised through shadow AI, and — the telling stat — 63% had no AI governance policy in place at all. Among SMBs specifically, roughly 27% report shadow-AI use and most reach for free public tools over governed enterprise ones.

Banning it doesn’t work; people route around the ban. The workable answer is to give staff a sanctioned, governed tool (Copilot inside your tenant), set a short written AI policy, and use Purview DLP to control what content can be pasted into prompts. Make the safe path the easy path.

What it means for your businessYour staff are already using AI; the only question is whether it’s governed. Provide a sanctioned tool, write a one-page AI policy, and use Purview DLP to keep sensitive and customer data out of public prompts.
Source & referenceKiteworks — Shadow AI data leakage and governance (IBM / DBIR data) ↑Unseen Security — The State of Shadow AI 2026 ↑