What is "shadow AI" and why is it a risk to organizations?

Shadow AI refers to AI tools or features used inside a company without formal approval or oversight. Shadow AI is a risk because these unapproved uses create blind spots – you can’t manage or secure what you don’t know about. In Protiviti’s survey, roughly two-thirds of companies said employees have used AI without proper oversight, leading to gaps in controls. Such hidden AI can bypass standard security measures and compliance rules, leaving leadership with an incomplete picture of the organization’s risk exposure.

Why do organizations lack visibility into AI usage?

Many companies lack visibility because AI adoption often outpaces governance. New AI tools are deployed across different teams faster than they can be tracked centrally. The survey shows that AI’s federated adoption – where business units adopt AI independently – and decentralized IT environments contribute to this blind spot. Complex organizations (multiple divisions, M&A, etc.) often end up with siloed systems that make it hard to monitor all AI usage. In fact, almost half of large enterprises surveyed admitted they don’t have full insight into what AI tools employees are using.

How is AI increasing cybersecurity threats?

AI is escalating cyber threats by making attacks more frequent and sophisticated. Malicious actors use AI to automate phishing, craft ultra-realistic deepfakes, and scan for vulnerabilities faster – essentially supercharging attacks beyond human scale. Protiviti’s research highlights that nation-state groups and cybercriminals are aggressively employing AI to exploit weaknesses in corporate systems and supply chains. One example: deepfake-based scams have surged by an estimated 3000% in a single year in North America. In short, AI lets attackers increase both the speed and realism of threats, challenging organizations to bolster their defenses accordingly.

How can organizations improve visibility into AI usage across the enterprise?

Organizations can improve visibility by establishing enterprise-wide AI governance and tracking. In practice, that means creating a formal AI governance framework that inventories all AI applications, defines approval processes, and implements technical monitoring for AI activities. Protiviti’s survey calls a formal governance framework the most effective solution to the visibility problem. Only about 4 in 10 companies have one in place today, but those that do report much better insight into where AI is being used and greater confidence that their controls are keeping up with AI-driven threats. In essence, to avoid “flying blind” with AI, organizations need to track it like any other critical asset – with clear policies, ownership, and technical oversight covering every corner of the enterprise.

How does AI in vendor tools create blind spots?

AI built into vendor software can become a hidden blind spot because it often operates outside a company’s direct oversight. When third-party platforms embed AI features (for data analysis, automation, etc.), the client organization might not fully see or control how those AI components work. The survey indicates that many companies struggle with this: vendors are adding AI faster than customers can track it. To address the risk, 32% of organizations said their top priority is tightening vendor security standards around AI, and another 31% are focusing on AI-specific training for their teams to better manage vendor AI impacts. These steps show recognition that unmonitored AI in vendor tools can undermine security and compliance if left unchecked.

Why are formal AI governance frameworks important?

Formal AI governance frameworks are important because they provide the structure and accountability needed to manage AI risks consistently. A formal AI governance framework defines how AI is approved, monitored, and controlled – ensuring every project follows policy and that security, privacy, and compliance risks are addressed proactively. This matters because companies with a framework report significantly higher visibility into AI usage and greater confidence in their controls. In contrast, without a framework, AI initiatives can become chaotic or create unseen vulnerabilities. With only 41% of companies having a formal framework today, establishing one is increasingly seen as essential to keep AI deployment transparent and safe.

Why is employee training critical for AI risk management?

Even the best AI tools won’t secure themselves – people need to be prepared. Training employees and leaders on AI risks and proper use is critical so they can spot AI-driven threats (like deepfake phishing or data misuse) and follow governance policies. The survey found that about one-third of companies are prioritizing AI-specific education for their staff and executives as a key risk management measure. Organizations that pair advanced security tools with robust training see better insight into AI usage and higher confidence in their defenses. In short, well-trained people are an essential line of defense – they ensure that as AI is adopted, it’s used responsibly and with eyes open.

⏸

From Automation to Autonomy

Download report

AI PULSE SURVEY | VOL 4

10 min read

IT leaders are sounding the alarm on AI threats, but the C-suite isn’t aligned. Meanwhile, shadow AI is prevalent in many companies, leaving leadership to make critical decisions with only part of the picture.

What the AI pulse survey found about AI cyber risk:

AI is increasing cyber risk faster than leadership decision-making is adapting.
IT leaders perceive significantly higher AI-driven threat escalation than C‑suite and boards.
Implementing more stringent security standards is a key priority to better manage third‑party embedded AI risk.
Organisations with formal AI governance frameworks report greater visibility and control.
Misaligned risk perception creates blind spots that delay action.

企業が語るAIエージェント

Vol. 4 key findings

Future Vision: AI Agents and Their Autonomy

The survey reveals a consistent pattern: leaders are making AI decisions with incomplete visibility. These insights trace where risk is misunderstood, where confidence breaks down, and where leaders regain control.

Leadership sees less than IT

Perception gaps have real consequences

To what degree, if at all, has AI affected the sophistication and frequency of cyberattacks (e.g., deepfakes, automated phishing) targeting your organization?

Click the image to view in full size.

45% of IT leaders believe AI has increased cyber risk significantly, versus 30% of C-suite executives and board members. This perception gap can delay critical decisions, lead to under-testing of AI controls, and leave organizations exposed to threats that leadership may underestimate. When risk perceptions aren’t aligned, blind spots persist.

Scale doesn’t mean visibility

Size doesn’t beat blind spots

How would you describe your organization’s visibility into the specific AI tools (both authorized and unauthorized) currently being used by employees?

Click the image to view in full size.

Unmanaged AI is a widespread issue across organizations of all sizes.

When leaders don’t see their own blind spots, they miss the shared urgency for detecting threats. The lack of transparency allows for the unchecked use of unapproved AI tools and extensions, the normalization of varied consent policies, and potentially a decline in data protection standards.

In this survey, small organizations are defined as those with less than $100 million in revenue
Medium-sized organizations are those with revenues between $100 million and $5 billion
Large organizations are defined as those with more than $5 billion in revenue

When AI runs ahead of rules

Why formal frameworks matter

Frameworks align with higher assurance in controls

Organizations with formal AI governance frameworks report stronger visibility and greater confidence in their security controls. Governance provides structure, accountability, and clarity—making it a critical foundation for managing AI risk effectively.

Click the image to view in full size.

Invisible AI inside vendors

Third-party embedded AI: where visibility is won or lost

What is your organization’s top priority in managing risks posed by embedded AI in third-party vendor software?

Click the image to view in full size.

As vendors embed AI into everyday tools, organizations are losing visibility into where and how AI operates. Strengthening vendor governance—through tighter security standards, training, and contractual controls—is now essential to managing external AI risk.

You can’t defend what you can’t see; invest in enablers

Organisations that feel most confident in managing AI security risks are those that invest most in concrete capabilities that convert intent (we take AI risk seriously) into evidence (we can see, govern and defend it). Here’s a recap of the capabilities or enablers:

Formal AI governance framework: It enables clear acceptable-use rules, ownership, accountability, and enforceable guardrails across the enterprise — so AI doesn’t sprawl faster than controls.

AI tool monitoring: You can’t manage what you can’t see. Investing in monitoring capabilities will allow your organisation to detect threats early, specifically shadow AI, while enhancing compliance, including data protection, and proving controls are working.
Organisational readiness and resilience: This reduces human-driven failures and builds consistency in “how we work” with AI.
Using AI to fight AI: Employing AI in the security stack means faster detection of cyberattacks, better pattern recognition and improved response against AI-accelerated threats.
Vendor controls for embedded AI: This closes a growing blind spot as AI features proliferate inside SaaS and third‑party platforms. Where AI is “hidden in the stack,” more stringent vendor security standards and AI specific training are crucial.

FAQs

+ EXPAND ALL

What is the biggest barrier preventing organisations from achieving AI ROI?

Organisations struggle most with systems integration, data connectivity, unclear use cases, talent shortages, and compliance hurdles—factors that prevent AI from moving beyond pilot projects and delivering measurable return.

Why do so many companies remain in "pilot mode"?

Many organisations explore AI capabilities without integrating them into core business processes. This limits automation, data feedback loops, and cross functional impact—key drivers of ROI.

What are the five stages of AI maturity and which stage delivers the most ROI?

The five stages are Initial, Experimentation, Defined, Optimisation, and Transformation. The greatest ROI occurs in Stages 4–5, where AI is scaled across the enterprise.

How does agentic AI improve business performance?

Agentic AI automates multistep workflows, augments human decision-making, and orchestrates end to end processes. Mature organisations use multiagent frameworks to improve efficiency, quality, and speed.

Why is AI governance important for scaling AI safely?

Strong governance—including AI Agent Governance Boards—ensures transparency, compliance, risk controls, and oversight. It prevents fragmented AI deployments and supports responsible scaling.

Which KPIs should organisations use to measure AI ROI?

Organisations should measure AI ROI using a broader set of outcome‑based KPIs—such as productivity, revenue growth, customer or employee satisfaction, time‑to‑market, and decision quality—rather than relying on cost savings alone and explicitly link these metrics to business outcomes like growth and agility.

How do AI ROI challenges differ across industries?

AI ROI challenges vary by industry. Financial services face regulatory hurdles, healthcare struggles with fragmented data, manufacturing battles legacy systems, tech requires scalable architectures, and the public sector contends with silos and security demands. These factors make strong data foundations and governance-by-design essential for success.