The 2026 figures put numbers on what every business already suspects. More than 80% of workers report using unapproved AI tools, and regular AI use on corporate devices jumped to 45% from 15% the year before. The leakage data is the part that should stop you: 38% of employees admit sharing sensitive company information with AI tools without approval, and around a third have uploaded customer data.
It’s not free, either. IBM’s analysis found shadow-AI-related breaches cost an average of US$670,000 more per incident, that 20% of breached organisations were compromised through shadow AI, and — the telling stat — 63% had no AI governance policy in place at all. Among SMBs specifically, roughly 27% report shadow-AI use and most reach for free public tools over governed enterprise ones.
Banning it doesn’t work; people route around the ban. The workable answer is to give staff a sanctioned, governed tool (Copilot inside your tenant), set a short written AI policy, and use Purview DLP to control what content can be pasted into prompts. Make the safe path the easy path.
