When conversations around AI and data protection come up, the spotlight tends to fall on regulations, security protocols, and technical controls. But there's another challenge that deserves our attention: the human factor. In the tech world, this is known as PEBCAK: Problem Exists Between the Keyboard and the Chair.

Many employees simply don’t realize how their everyday tech decisions affect the company’s security and compliance status. With the rise of generative AI tools, that knowledge gap is becoming an even more serious risk. Here’s a closer look at why this happens and what companies should do to address the issue. 

‍

Understanding the challenge

Long before generative AI became mainstream, technical teams like R&d and Data often used third-party platforms that exposed the company to compliance issues. Security teams struggled to keep up with the vulnerabilities created by shadow IT. While these teams had a background in cybersecurity principles, they didn’t always follow policy, and shortcuts were taken.

Now that generative AI is available to everyone, the problem has grown significantly. Tools that process or generate data are no longer being used strictly by technical teams: 88% of marketers report using AI in their day-to-day tasks, as do 80% of HR professionals, over 80% of creatives, and so on. 

Many of these non-techie employees are unaware that pasting internal documents into an AI interface could potentially expose private information. These teams are often overlooked when organizations consider compliance training, leaving the departments without the necessary knowledge. 

Since some employees use AI to perform tasks they are meant to do themselves, it’s no wonder that over half use AI without telling their employers. When an employee uses a tool that hasn’t been approved or reviewed, there’s no way to know how that tool stores, shares, or processes the data. 

This results in a major blind spot for CISOs and IT teams. Shadow AI, by definition, flies under the radar. Research by the US National Cybersecurity Alliance found that nearly 40% of employees share sensitive information with AI tools without the organization’s knowledge. 

Security leaders are faced with a growing number of unknowns, and the more tools employees use without training or awareness, the more vulnerable the company becomes. The metaphor of emptying the ocean with a spoon has never been more accurate. 

‍

What can be done?

Let’s start with what shouldn’t be done. Trying to restrict or block access to AI tools might seem like the simplest solution, but it rarely works. Employees are resourceful, and if they believe a tool helps them do their job better or faster, they will find a way to use it. Strict limitations often lead to workarounds that create even bigger problems. 

And even if it were possible, from a business perspective, cutting off access to innovative tools can hold the company back in a competitive market. After all, companies embracing AI see a 20% to 30% boost in productivity, time-to-market, and overall revenue. 

Instead, companies need to focus on enabling responsible use. Employees should be trained to understand how data flows through AI platforms, identify the risks associated with each step, and learn to consult and evaluate tools before using them.

But awareness alone is not enough, and it must be paired with automated visibility. Security teams need systems in place that can map which tools are in use, even the unapproved ones. 

Mine’s platform identifies AI tools being used across the organization, even those that haven’t gone through official onboarding or approval. It helps CISOs and compliance teams close the visibility gap, providing them with the information they need to make more informed decisions and enforce safer policies. When paired with security and privacy training, this creates a more resilient system, one where employees are empowered to use AI responsibly and risks are identified and mitigated before they escalate.

Generative AI opens the door to faster, smarter work across every team, but it also introduces new risks and responsibilities. If organizations want to adopt this technology without increasing their exposure, they need to adjust their approach and utilize tools that shed light on the tools operating in the shadows. 

‍