Shadow AI: Silence Is the Finding

Your firewall did not stop the leak. Your DLP did not stop the leak. Your acceptable use policy did not stop the leak. An employee opened a browser tab, pasted a client list into a chatbot, and the data was gone before the SOC saw anyone log in.


Three Samsung engineers pushed proprietary code, internal meeting transcripts, and chip yield test sequences into ChatGPT inside a single month. Samsung banned the tool. Then Samsung reversed the ban and started building its own. That is the cycle every firm is now caught in: surprise, panic, prohibition, then quiet capitulation when employees keep using personal accounts on their phones anyway.


A 2026 survey found 57% of healthcare professionals have used unauthorized AI tools to draft clinical notes, generate diagnostic hypotheses, and synthesize treatment plans, pasting protected health information into chat windows with no Business Associate Agreement and no retention guarantee. An IBM study found only 37% of organizations have an AI governance policy at all.


Boards are still asking the wrong question. They ask whether the firm “uses AI.” The honest answer is that every employee with a browser does, every day, and you do not know what they are pasting. Free and consumer tiers of these tools train on user inputs by default. A federal court has ordered OpenAI to retain ChatGPT conversation logs indefinitely as part of the New York Times litigation, overriding the company’s 30-day deletion policy. Your employee’s prompt from last March is sitting in a dataset somewhere, waiting on a discovery motion in a lawsuit you are not a party to.


The defense is not a firewall. Most AI platforms operate over HTTPS, and standard firewall rules and network monitoring cannot inspect the content of those interactions without SSL inspection, a control many organizations have not deployed. Conversational AI does not behave like a traditional application. It does not trigger DLP because it looks like ordinary web traffic. The defense is unglamorous: an enterprise-tier AI tool people actually want to use, a written data classification rule for AI prompts, and quarterly training on what does not go in the box. When approved tools are provided, unauthorized use drops by roughly 89%.


When I run an IT risk assessment in 2026, the first three questions are simple. What AI tools are sanctioned. What AI tools are in use. Show me the inventory. Most of the time the third answer is silence, and silence is the finding.
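One way to produce that inventory, as an added example that is not from the original post: it reads proxy CONNECT log lines, which record the destination hostname even without SSL inspection, and compares the AI tools seen in use against a sanctioned list. The log format, the sanctioned list and the domain catalogue are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed catalogue of AI chat hostnames -> tool name (illustrative, not exhaustive).
AI_TOOL_DOMAINS = {
    "chatgpt.com": "ChatGPT", "chat.openai.com": "ChatGPT",
    "claude.ai": "Claude", "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Copilot",
}
SANCTIONED = {"Copilot"}  # hypothetical answer to "what AI tools are sanctioned"

# Constructed proxy log lines: timestamp, user, method, host:port.
SAMPLE_LOG = """\
2026-01-12T09:01:44Z alice CONNECT chatgpt.com:443
2026-01-12T09:03:10Z bob CONNECT copilot.microsoft.com:443
2026-01-12T09:07:52Z alice CONNECT chat.openai.com:443
2026-01-12T09:15:03Z carol CONNECT claude.ai:443
2026-01-12T09:15:40Z carol CONNECT intranet.example.com:443
malformed line
2026-01-12T10:22:19Z dave CONNECT claude.ai.example.net:443
"""

def match_tool(host):
    """Return the tool name if host equals or is a subdomain of a catalogued domain."""
    host = host.lower().rstrip(".")
    for domain, tool in AI_TOOL_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return tool
    return None  # lookalikes such as claude.ai.example.net do not match

def build_inventory(log_text):
    """Map tool -> {"sanctioned": bool, "users": set of users, "hits": int}."""
    inventory = defaultdict(lambda: {"sanctioned": False, "users": set(), "hits": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[2] != "CONNECT":
            continue  # skip malformed or non-tunnel entries
        user, host = fields[1], fields[3].rsplit(":", 1)[0]
        tool = match_tool(host)
        if tool is None:
            continue  # not a catalogued AI tool
        entry = inventory[tool]
        entry["sanctioned"] = tool in SANCTIONED
        entry["users"].add(user)
        entry["hits"] += 1
    return dict(inventory)

def unsanctioned(inventory):
    """Tools seen in use that are not on the sanctioned list."""
    return sorted(t for t, e in inventory.items() if not e["sanctioned"])
```

Running `unsanctioned(build_inventory(SAMPLE_LOG))` on the constructed log gives the gap between the sanctioned list and actual use; traffic from personal phones off the corporate network never reaches these logs.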


Bottom line: I know everyone wants to be using AI, but you all have to start using basic safety and data hygiene for AI.


 
 

Timcke Risk Management, LLC

660 Massachusetts Ave

6th Floor, Boston, MA 02118

 

© 2025 by Timcke Risk Management, LLC

 
