AI Business Radar · Saturday, 23 May 2026 · GLOBAL

Your Employees Are Pasting Your Business Into ChatGPT. Your IT Team Doesn’t Know.

The biggest AI security risk at your company isn’t a hacker from outside. It’s your own staff — and most of them are just trying to do their jobs faster.

Verizon published its 2026 Data Breach Investigations Report on May 19. Among the findings: shadow AI — employees using unauthorized AI tools without IT approval — is now the third most common non-malicious insider action in data-loss incidents. The pattern is specific: employees are pasting source code, structured data, customer records, and financial documents into external AI tools through personal accounts, bypassing every corporate control in place.

The scale is not small. Approximately 47% of generative AI users access tools through personal accounts. Only 37% of organizations have any AI governance policy. Average breach cost linked to shadow AI: USD $4.63 million.

Who this really matters to:

→ Malaysian financial services companies — employees in operations and customer service are the most common shadow AI users; pasting client data into ChatGPT to draft a letter means that data has left the organization, regardless of intent

→ Malaysian legal and accounting firms — client confidentiality obligations make unauthorized AI use a professional liability issue, not just an IT policy matter; it can constitute a breach of professional duty under existing standards

→ Malaysian manufacturing and engineering companies — source code and design specifications pasted into external tools are exactly the data-loss vector the Verizon report flagged most specifically

→ Malaysian businesses where IT has no approved AI tool — if the company provides nothing, any productive AI use is by definition shadow AI; banning behavior you haven’t replaced doesn’t stop it

MULTIPLE PERSPECTIVES

The Verizon finding that matters most: shadow AI is primarily driven by well-meaning employees, not malicious ones. The worker pasting client data into ChatGPT is usually trying to get the job done faster, not trying to leak information. That distinction changes how companies should respond. Punitive policies push the behavior underground and onto personal devices. The behavior doesn’t stop — the visibility stops.

Many Malaysian SMEs have no approved AI tool at all. When an employee starts using AI to do their work faster, they are by definition using shadow AI, because there is no official channel. The practical choice becomes: unmanaged shadow AI, or no AI productivity gain at all. That framing explains why shadow AI is widespread even in companies with explicit policies against it.

The Malaysia AI Governance Bill heading to Cabinet in June adds a compliance dimension. When the bill introduces incident reporting requirements for AI-generated harm, shadow AI becomes a direct exposure. A company that doesn’t know which AI tools its employees are using cannot report AI incidents it doesn’t know happened. That gap — between what leadership assumes and what employees are actually doing — is what the Verizon report is documenting across 10,000 incidents globally.

If you asked your IT team today to list every AI tool your employees are actively using — would that list match what is actually on their laptops?

If your company has approved AI tools, clear policies, and employees who use them — you have reduced the gap that shadow AI fills. Most shadow AI exists because employees got to the tools before the organization did.

If employees are using AI productively but without approved channels — replacing the tools, not just banning them, is what closes the data exposure.

The safest AI in your company is the one your IT team can see.

— Tony

Sharing what I learn building real things with AI.
