No AI visibility, no confidence

Shadow AI refers to AI tools or features used inside a company without formal approval or oversight. Shadow AI is a risk because these unapproved uses create blind spots – you can’t manage or secure what you don’t know about. In Protiviti’s survey, roughly two-thirds of companies said employees have used AI without proper oversight, leading to gaps in controls. Such hidden AI can bypass standard security measures and compliance rules, leaving leadership with an incomplete picture of the organization’s risk exposure.

Many companies lack visibility because AI adoption often outpaces governance. New AI tools are deployed across different teams faster than they can be tracked centrally. The survey shows that AI’s federated adoption – where business units adopt AI independently – and decentralized IT environments contribute to this blind spot. Complex organizations (multiple divisions, M&A, etc.) often end up with siloed systems that make it hard to monitor all AI usage. In fact, almost half of large enterprises surveyed admitted they don’t have full insight into what AI tools employees are using.

AI is escalating cyber threats by making attacks more frequent and sophisticated. Malicious actors use AI to automate phishing, craft ultra-realistic deepfakes, and scan for vulnerabilities faster – essentially supercharging attacks beyond human scale. Protiviti’s research highlights that nation-state groups and cybercriminals are aggressively employing AI to exploit weaknesses in corporate systems and supply chains. One example: deepfake-based scams have surged by an estimated 3000% in a single year in North America. In short, AI lets attackers increase both the speed and realism of threats, challenging organizations to bolster their defenses accordingly.

Organizations can improve visibility by establishing enterprise-wide AI governance and tracking. In practice, that means creating a formal AI governance framework that inventories all AI applications, defines approval processes, and implements technical monitoring for AI activities. Protiviti’s survey calls a formal governance framework the most effective solution to the visibility problem. Only about 4 in 10 companies have one in place today, but those that do report much better insight into where AI is being used and greater confidence that their controls are keeping up with AI-driven threats. In essence, to avoid “flying blind” with AI, organizations need to track it like any other critical asset – with clear policies, ownership, and technical oversight covering every corner of the enterprise.

AI built into vendor software can become a hidden blind spot because it often operates outside a company’s direct oversight. When third-party platforms embed AI features (for data analysis, automation, etc.), the client organization might not fully see or control how those AI components work. The survey indicates that many companies struggle with this: vendors are adding AI faster than customers can track it. To address the risk, 32% of organizations said their top priority is tightening vendor security standards around AI, and another 31% are focusing on AI-specific training for their teams to better manage vendor AI impacts. These steps show recognition that unmonitored AI in vendor tools can undermine security and compliance if left unchecked.

Formal AI governance frameworks are important because they provide the structure and accountability needed to manage AI risks consistently. A formal AI governance framework defines how AI is approved, monitored, and controlled – ensuring every project follows policy and that security, privacy, and compliance risks are addressed proactively. This matters because companies with a framework report significantly higher visibility into AI usage and greater confidence in their controls. In contrast, without a framework, AI initiatives can become chaotic or create unseen vulnerabilities. With only 41% of companies having a formal framework today, establishing one is increasingly seen as essential to keep AI deployment transparent and safe.

Even the best AI tools won’t secure themselves – people need to be prepared. Training employees and leaders on AI risks and proper use is critical so they can spot AI-driven threats (like deepfake phishing or data misuse) and follow governance policies. The survey found that about one-third of companies are prioritizing AI-specific education for their staff and executives as a key risk management measure. Organizations that pair advanced security tools with robust training see better insight into AI usage and higher confidence in their defenses. In short, well-trained people are an essential line of defense – they ensure that as AI is adopted, it’s used responsibly and with eyes open.