AI Boss Tools | Diagnostic 09 • Back to the Hub
Your staff are already using AI tools you have not approved. IBM's 2025 breach study found shadow AI in one in five data breaches, adding US$670,000 to the average cost, and 97 percent of AI-related breaches happened where access controls were missing. Twelve questions score how exposed your organisation is.
Shadow AI is what happens when the tools are useful, free, and one browser tab away, while the official alternative is missing or slow. Staff paste customer records into public chatbots because it works. The data may be stored, reviewed, or used for training, and nobody in your security team ever sees it happen.
The numbers are stark. In IBM's 2025 study, 63 percent of breached organisations had no AI governance policy at all. Where shadow AI was involved, 65 percent of breaches exposed customer personal information. Bans do not fix this: they push usage further underground. Sanctioned alternatives, clear rules, and visibility do.
This diagnostic scores four things: whether rules exist, whether controls exist, what your staff actually do, and whether you would even know. Answer honestly; "we have never checked" is an answer, and it scores like one.
Shadow AI featured in 20 percent of breaches, added up to US$670,000 to average breach cost, and 97 percent of AI-related breaches lacked proper access controls.
63 percent of organisations studied had no AI governance policy to manage AI or prevent shadow AI use.