Press Release

Shadow AI Could Expose Sensitive Data Before Companies Know It

As employees adopt public AI tools faster than companies can govern them, Magna5 says mid-market organizations need secure, sanctioned AI pathways before sensitive data leaves controlled environments.

PITTSBURGH, July 6, 2026 /PRNewswire/ — Employees are adopting artificial intelligence into the workplace faster than many companies can govern it, creating a new data-security blind spot for mid-market organizations. A recent survey found that nearly half of workers (49%) admitted using AI tools at work without approval, often sharing sensitive data with free versions of popular tools such as ChatGPT. Magna5, a national managed IT, cybersecurity, cloud and compliance services provider, warns that shadow AI is becoming the next version of shadow IT, but with higher stakes. Across mid-market organizations, employees may unintentionally expose contracts, client records, financial data, employee information, proprietary data, and other sensitive business information through AI tools that were never approved.

“AI can feel like a private conversation, but the more comfortable employees get using it every day, the easier it is to forget that public tools are storing their inputs, may be training on them, and could potentially reuse that data for other users.” - Justin Cameron, Chief Technology Officer of Magna5

“Employees have learned that they should not store company files in their personal email or cloud storage, but many do not think twice about uploading a contract or customer information into a personal AI tool,” said Justin Cameron, Chief Technology Officer of Magna5. “AI can feel like a private conversation, but the more comfortable employees get using it every day, the easier it is to forget that public tools are storing their inputs, may be training on them, and could potentially reuse that data for other users.”

The Adoption Gap Is Becoming the Security Gap 

Employees use tools such as ChatGPT, Microsoft Copilot, and Claude to save time, improve writing, summarize information, and answer questions. In many organizations, usage has outpaced policy, training, and security controls.

That gap creates a new challenge for executives: AI adoption cannot be managed only as an innovation initiative. It must also be treated as a governance, cybersecurity, and compliance issue.

That is where AI governance must become operational, not theoretical. The National Institute of Standards and Technology’s AI Risk Management Framework urges organizations to govern, map, measure, and manage AI risk. Many mid-market companies, however, still lack the fundamentals required to do that: visibility into where AI is being used, rules for what data can be shared, controls to limit unauthorized tools, and monitoring to ensure employees follow policy.

“A policy without enforcement is simply an expectation,” Cameron said. “Organizations need to take a two-pronged approach by giving employees access to a secure, approved AI platform and maintaining visibility into whether unsanctioned tools are being used outside of it. Without both in place, companies are ultimately relying on trust rather than control.”

Blocking Alone is Not a Complete Strategy 

Some companies may respond to AI by trying to ban public tools. Magna5 cautions this approach can backfire if employees still need to use AI but are not given an easy, sanctioned alternative to adopt. Instead, Cameron recommends giving employees a “walled garden” for AI: an approved environment where workers can experiment, learn, and become more productive without relying on unmanaged models.

“Step one is offering employees a secure system and educating them on how to use it, so they adopt company-approved tools instead of personal ones,” Cameron said. “Then companies need security controls that provide visibility into AI usage, monitor what data is being submitted, and enforce clear policy.”

For healthcare organizations, the concern may involve administrative workers uploading patient records or other protected information to help with billing, documentation, or reporting. That risk comes as the industry is under pressure from rising cybersecurity incidents: HHS says reports of large breaches increased 102% from 2018 to 2023, while the number of individuals affected increased 1,002%. More than 167 million people were affected by large healthcare breaches in 2023 alone.

For Defense Industrial Base companies, the concern is that controlled unclassified information could move into unapproved AI platforms, browser-based agents, or other tools without proper access control. “Any data entered into a free or personal AI model that has not been secured and managed by the company creates exposure,” Cameron said.

Crawl Before You Run 

Magna5 recommends that companies adopt AI through a staged approach, like a “crawl, walk, run, sprint” model, to help organizations move from basic awareness to secure, business-aligned AI adoption:

  • Crawl: Understand the company’s current AI footprint by identifying official and unofficial usage, surveying employees, setting acceptable-use guidelines, selecting low-risk use cases, and creating a safe environment for experimentation. This stage should also include a review of data hygiene, because AI outputs are only as reliable as the information behind them. Before enriching AI with internal knowledge, organizations need to ensure their data is current, accurate, trustworthy, and not trapped in outdated records, inconsistent documentation, or siloed systems.
  • Walk: Expand into measurable, value-driving use cases such as customer support, sales, marketing, engineering, reporting, or internal knowledge management.
  • Run and Sprint: Move toward deeper AI integration only after governance, training, security controls, and approved use cases are in place, allowing AI to become embedded into workflows, decision support, automation, and purpose-built agents.

“AI is already inside the business, whether leadership has formally approved it or not,” Cameron said. “The question is whether companies will govern it intentionally or discover the risk after sensitive data has already left their control.”

About Magna5

Magna5 is a national managed IT, cybersecurity, cloud and compliance services provider serving small and mid-sized businesses, mid-market organizations and regulated industries across the United States. The company helps organizations manage critical IT infrastructure, protect networks and data, support users, and strengthen operational resilience through 24/7/365 monitoring, managed security, cloud, backup, disaster recovery and compliance support. Magna5 works with security- and uptime-conscious sectors including the Defense Industrial Base, healthcare, financial services, legal, manufacturing, education, construction, government and professional services. For more information, visit www.magna5.com.

Sources:

  • National Institute of Standards and Technology. (2023). Artificial intelligence risk management framework (AI RMF 1.0). U.S. Department of Commerce. nist.gov/itl/ai-risk-management-framework
  • National Institute of Standards and Technology. (n.d.). AI RMF playbook. U.S. Department of Commerce. nist.gov/itl/ai-risk-management-framework/ai-rmf-playbook
  • National Institute of Standards and Technology. (2024). Artificial intelligence risk management framework: Generative artificial intelligence profile. U.S. Department of Commerce. nist.gov/itl/ai-risk-management-framework
  • U.S. Department of Health and Human Services. (n.d.). HIPAA Security Rule NPRM to strengthen the cybersecurity of electronic protected health information. hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html
  • ITPro. (2025). CISA’s interim chief uploaded sensitive documents to a public version of ChatGPT — security experts explain why you should never do that. itpro.com/security/data-protection/cisas-interim-chief-uploaded-sensitive-documents-to-a-public-version-of-chatgpt-security-experts-explain-why-you-should-never-do-that

Media Inquiries:
Karla Jo Helms
JOTO PR™
727-777-4629
Jotopr.com

Cision View original content to download multimedia:https://www.prnewswire.com/news-releases/shadow-ai-could-expose-sensitive-data-before-companies-know-it-302817828.html

SOURCE Magna5

Author

Leave a Reply

Related Articles

Back to top button