We repeatedly hear stories around personal and corporate data being leaked on the web through the un-sanctioned use of consumer grade AI tools like Grok, ChatGPT and others. A report last week revealed how data from a popular AI App “Ask AI” leaked huge amounts of personal data from people’s phones.
last year, another incident involving X’s Grok – with Hundreds of thousands of Grok chats exposed in Google results.
These were not the result of sophisticated cyberattacks or hacks either – instead it highlights a risk that most organisations face. It’s a real‑world example of what happens when your organisation allows employees to use free consumer AI tools (and some paid ones too) that sit completely outside your organisations’ governance and control – it shows the real threat of “Shadow AI”.
Just think about the types of data we work with every day at work that AI is often used to review, summarise, create etc. Depending on the person, task and your business, this could be:
- Patient or clinical information
- Personal data on children at school
- Client records and contracts
- Financial statements
- Internal strategy and board material
- Product IP and R&D
- HR and staff data
- Source code and architecture diagrams
If any of this is used or uploaded into an ungoverned or consumer AI tool, your business loses visibility, control, and legal defensibility and what is worse, that data may be used to train their AI models (as stated in their T&Cs – which we of course do not read!). Once it’s shared:
- You can’t enforce retention.
- You can’t enforce deletion.
- You can’t enforce access boundaries.
- And you certainly can’t stop it being indexed, leaked, or scraped.
It happened because the “free” consumer AI tools are not designed for commercial or enterprise‑grade security, governance, or compliance. These tools make their money (just like Google advertising) through how you use the tools and the data you share with them. When consumer product is free – YOU (your users) are the product. These free consumer AI tools, digest, harvest and leverage the data shared with them to learn, train their models and sell to data brokers.
If you allow the use of consumer AI tools at work or for work, without Data Procurement Management in place – you are likely letting employees leak sensitive information to the masses
How we stop Data Leakage from AI Tools
According to data from leading security vendors including Microsoft and Cisco. 75% of employees are already using AI at work, often without approval, training, or understanding the risks. Shadow AI is both a security, trust and people behaviour problem, but fortunately the fix is much simpler than most organisations believe:
1. Give people safe tools so they don’t reach for unsafe ones: If you don’t provide governed AI (like Copilot Chat), your employees will find their own.
2. Govern the use of Shadow AI tools – Because you cannot secure what you can’t see. Discovery, monitoring, and policy enforcement are essential. Tools like Cisco AI Defense, Microsoft Purview etc can help with this.
3. Define and enforce a central AI Usage Policy which ensures clear rules. Clear boundaries. Clear accountability.
For Microsoft 365 customers, enabling Microsoft Copilot Chat for everyone is a logical and sensible starting point:
- Secure by design
- Integrated into the flow of work
- Covered by your existing compliance and identity model
- Zero data retention outside your tenant with Enterprise Data Protection
- Included within your Microsoft 365 Subscription
Then look to layer tools like DSPM for AI in Microsoft Purview, apply sensitivity labels, and enforce AI‑aware DLP policies to ensure:
- Data stays where it should
- AI interactions respect classification
- Sensitive content is protected automatically
- You maintain full auditability and control
If you are not a Microsoft shop or don’t have the advanced E5 security licenses, then look at third party vendor tools, such as Cisco AI Defense which can help detect, control and govern the use of AI across your organisation – both for SaaS AI tools as well as ones built internally.
In short, part of deploying and enabling AI in yoru business is also about mitigateing the use of Shadow-AI. It’s also about putting the right conrols in place to prptect sensive data being shared with othr tools.
This is what “enterprise AI” actually means: Governed. Integrated. Secure. Accountable.
Leave a Reply