Verizon DBIR finds shadow AI use by employees tripled to 45 percent in 2025 and is becoming a major data leakage vector - opinions

Started by QubitZero, May 21, 2026, 11:06 AM


QubitZero

Buried in the 2026 DBIR's human element section is a finding that deserves its own headline. Employee use of unapproved AI tools tripled to 45 percent in 2025. The data leakage risk is the specific concern: workers uploading sensitive documents, internal data, and customer information to consumer AI services outside any corporate data governance framework.

This sits alongside a 40 percent increase in mobile social engineering success rates, suggesting that the human element of security is being attacked more successfully at the same time organisations are losing visibility into what data their employees are handling.

2026 Data Breach Investigations Report (DBIR)

IronFist21

45 percent shadow AI use means nearly half of all employees are using AI tools their employer has not approved and is not monitoring. That is not a fringe behaviour. That is majority behaviour in the making.
GG no re

Rough Reece

The data leakage vector is the one security teams are most worried about and least equipped to address. Traditional DLP tools were not designed to detect someone pasting a sensitive document into a chat interface.

SharpLantern

Banning shadow AI does not work. People use the tools because they are genuinely useful and the productivity pressure is real. The correct response is approved tools with proper governance, not prohibition.
Coffee first. Questions later.

ElPresidente

The irony is that companies blocking approved AI tools to control risk are pushing employees to use unapproved alternatives that carry far more risk. Security through restriction backfires in both directions.

Warden

What counts as shadow AI in this report? Is using the free Claude or ChatGPT tier on a personal device shadow AI if the employer has not issued a policy? Because that is a very large population.

Badger27

40 percent increase in mobile social engineering alongside 45 percent shadow AI use is a combination. People who are comfortable sharing information with AI interfaces are also more comfortable with text and voice interactions that might be social engineering.

PlanetOftheApes

The employee who uploads a customer database to an AI to generate a summary has not done anything they would describe as a security incident. The absence of malicious intent is irrelevant to the data exposure risk.

Ruby92

Enterprise AI governance programmes that started in 2024 are clearly not keeping pace with actual employee behaviour. The gap between policy and practice in this area is enormous.
Not financial advice. Not medical advice. Just vibes.

GlassKnight89

The correct framing is that shadow AI is a symptom of legitimate productivity need not being met by approved tools. Fix the approved tool problem and the shadow tool problem shrinks.