Shadow AI Adds $670K to the Average Data Breach

· Infonaligy

Shadow AI breaches cost $670K more than average and take 10 extra days to contain. A 90-day detection and governance plan for SMBs.

Unauthorized AI tools used by employees added $670,000 to the average cost of a data breach in 2025, according to IBM’s Cost of a Data Breach Report. Those breaches also took 10 additional days to identify and contain. For a 100-person company, those numbers can mean the difference between a recoverable incident and one that threatens the business.

The governance gap is wide. According to UnderDefense’s AI risk research, 77% of small businesses have no formal AI policy.

Employees aren’t acting maliciously when they use unapproved tools. They’re trying to work faster with software that’s freely available and genuinely useful. The problem is that nobody has told them which tools are approved, what data is off-limits, or what happens when something goes wrong.

What Shadow AI Looks Like at a Mid-Sized Company

Shadow AI is employees using AI tools that your IT team doesn’t know about, hasn’t vetted, and can’t monitor. At companies with 50 to 200 employees, the pattern is consistent.

The examples are predictable once you start looking:

  • Sales pastes customer lists and deal details into free ChatGPT accounts to draft outreach emails. That CRM data now sits on OpenAI’s servers under consumer terms of service.
  • Finance uploads spreadsheets with revenue figures into AI summarization tools to speed up quarterly reporting.
  • HR runs candidate resumes through AI screening services that were never reviewed for bias or data handling.
  • Executives use AI transcription tools during confidential meetings without confirming whether recordings are stored or used for model training.

Each of these is a data exposure event that your existing security tools probably won’t flag. According to Mimecast’s shadow AI research, the average enterprise experiences 223 AI-related data policy violations per month. Among organizations surveyed, 88% reported confirmed or suspected AI security incidents in the past year.

The scale differs for SMBs, but the behavior is the same. Your employees are sharing business data with AI tools you don’t control, and most companies only discover the problem after a breach or a compliance audit.

Why Traditional Security Tools Miss It

Firewalls, endpoint detection, and network monitoring weren’t designed for this threat. Shadow AI doesn’t trigger alerts because the employee is willingly uploading data to a legitimate web service. No malware is involved, no exploit is running, and no policy violation is obvious to a tool watching for known attack patterns.

Browser-based AI tools leave no footprint on the workstation. There’s no executable for your EDR to flag and no unusual process running in the background. HTTPS encryption means your network monitoring can see that someone visited an AI service, but not what data they typed into the prompt. Even if your company has Microsoft Copilot licenses with proper data loss prevention policies configured, an employee using a personal Google account to access Gemini bypasses all of those controls entirely.

The average mid-sized company uses over 100 SaaS applications. AI tools are just more browser tabs in that sprawl, indistinguishable from the other 99 unless you’re specifically looking for them. This is why AI governance requires more than a policy document posted on the intranet. You need technical visibility into what’s actually in use before you can enforce rules about how it’s used.

A 90-Day Governance Plan

You don’t need a six-month initiative to get shadow AI under control. A phased approach moves you from zero visibility to active management in 90 days.

Days 1 to 30: Find What’s Already in Use

Start with discovery. Pull Microsoft 365 audit logs, DNS query records, and network traffic data to identify which AI tools employees are accessing. Enterprise browsers like Microsoft Edge for Business can enforce data loss prevention policies that detect and block sensitive information from being shared with unapproved AI tools.

Rank what you find by data risk:

  • High risk: Tools where employees enter client data, financial records, or regulated information (HIPAA, PCI, CMMC)
  • Medium risk: Tools used for internal-only data like meeting summaries or project planning notes
  • Low risk: Tools used for publicly available information or general productivity questions

Focus your first governance actions on the top three to five highest-risk tools. Addressing everything at once stalls the project before it produces results.
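To make the discovery-and-ranking step concrete, here is an added example (not code from the original post or from Infonaligy) that sweeps DNS resolver log lines for queries to a watchlist of AI service domains, counts hits per client, and ranks the tools by the high/medium/low tiers above. The domain watchlist, the tier assignments, the `transcribe.example.test` placeholder and the log lines are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict

TIER_ORDER = {"high": 0, "medium": 1, "low": 2}
# Constructed watchlist: domain -> (tool, risk tier); tiers are illustrative assumptions.
AI_DOMAINS = {
    "chatgpt.com": ("ChatGPT (consumer)", "high"),
    "openai.com": ("OpenAI API/ChatGPT", "high"),
    "gemini.google.com": ("Gemini (personal account)", "high"),
    "transcribe.example.test": ("AI transcription (placeholder)", "medium"),
}
# Constructed DNS resolver log: "<timestamp> <client-ip> <query-name>" per line.
SAMPLE_LOG = """\
2025-03-04T09:12:01Z 10.0.5.21 chatgpt.com
2025-03-04T09:40:10Z 10.0.5.44 gemini.google.com
2025-03-04T10:02:33Z 10.0.5.21 api.openai.com
2025-03-04T10:05:00Z 10.0.5.60 www.microsoft.com
2025-03-04T11:15:45Z 10.0.5.44 transcribe.example.test
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def classify(qname):
    """Return (tool, tier) when qname is a watchlisted domain or a subdomain of one."""
    qname = qname.lower().rstrip(".")
    for domain, info in AI_DOMAINS.items():
        if qname == domain or qname.endswith("." + domain):
            return info
    return None

def discover(log_text):
    """Map client -> {tool: query count}; malformed lines are skipped, not fatal."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname = m.groups()
        info = classify(qname)
        if info:
            hits[client][info[0]] += 1
    return hits

def rank(hits):
    """Order tools by risk tier, then by number of distinct clients (most first)."""
    clients = defaultdict(set)
    for client, tools in hits.items():
        for tool in tools:
            clients[tool].add(client)
    tier_of = {tool: tier for tool, tier in AI_DOMAINS.values()}
    return sorted(((t, tier_of[t], len(c)) for t, c in clients.items()),
                  key=lambda r: (TIER_ORDER[r[1]], -r[2], r[0]))
```

The same pass works over proxy or Microsoft 365 audit exports once the line regex is adjusted; the output feeds the "top three to five highest-risk tools" decision directly.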

Days 31 to 60: Set Policy and Deploy Approved Alternatives

Write the policy. We’ve published a detailed AI acceptable use policy framework that covers approved tool tiers, data classification rules, output review requirements, compliance obligations, and incident reporting procedures.

The policy alone won’t change behavior. Telling employees to stop using a free AI chatbot without offering an approved alternative guarantees workarounds. Pair every restriction with a replacement. If Microsoft Copilot is your enterprise AI platform, make sure licenses are deployed, users know how to use them effectively, and the tool genuinely covers the use cases that drove employees to shadow AI in the first place.

Days 61 to 90: Add Technical Controls

With policy and approved tools in place, add the enforcement layer:

  • Data loss prevention (DLP): Configure Microsoft 365 DLP policies to block sensitive data from being uploaded to unapproved AI services.
  • Web filtering: Block access to prohibited AI tools or require authentication through your enterprise identity provider before access is granted.
  • Agent governance: Enable Microsoft Copilot Studio admin controls to manage AI agent creation, data access permissions, and approval workflows within your tenant.
  • Ongoing monitoring: Work with your managed IT provider to track new AI tool adoption and policy violations on a recurring basis.

Review the program quarterly. The AI tools your employees rely on in six months will be different from what they use today, and your governance program needs to keep pace.

The Cost of Doing Nothing

The $670,000 figure from IBM represents the average additional cost when shadow AI is involved in a breach. For an SMB with 50 to 300 employees, that sum can consume an entire year’s IT budget, trigger regulatory penalties under HIPAA or the TDPSA, and erode client trust that took years to build.

Businesses that avoid this outcome aren’t banning AI. They’re getting ahead of shadow AI with governance programs that provide visibility into what’s in use and approved tools that make the right choice the easy choice for every employee.

Need Help With Shadow AI Governance?

Our team can audit your AI tool usage, build a governance program, and deploy the technical controls to protect your business data.