Date: 2025-12-03

Most organizations lack the monitoring capabilities and governance policies needed to mitigate the risks posed by shadow AI, according to a new report.

The Cato Networks survey of 600 IT leaders across North America, EMEA, and APJ finds that while 61 percent of respondents found unauthorized AI tools in their environments, only 26 percent have solutions in place to monitor AI usage. Nearly half (49 percent) of the respondents either don’t track AI usage at all or address AI on a reactive basis.

“In many enterprises, AI adoption is happening from the bottom up,” says Etay Maor, chief security strategist at Cato Networks. “Employees are always going to gravitate towards using the AI tools they feel comfortable with. They feel it will give them a productivity edge. However, without proper visibility and governance, enterprises are expanding their attack surface, in many cases without realizing it.”

The primary use case for AI adoption, according to 71 percent of respondents, is to increase productivity and efficiency. However, 69 percent of respondents report that they lack a monitoring system for AI adoption.

Only 13 percent of respondents consider their organization’s management of shadow AI risks ‘highly effective.’ Fewer than one in ten respondents (nine percent) think their organization has a ‘highly effective’ defense against AI-generated cyber threats such as deepfakes, hallucinations, and prompt injection attacks.

Shadow AI operates much like shadow IT. Unauthorized technology is being adopted to solve an immediate problem, but the risks tied to data processing, model training, and the lack of clear AI decision-making present security concerns. IT leaders clearly recognize the stakes at play. Most respondents (53 percent) are highly or extremely concerned about AI security risks.

“It is not a question of whether there is shadow AI usage within an enterprise, but whether you have the ability to detect it, govern it, and secure it before an issue arises,” adds Maor. “Our research shows that most enterprises need to take rapid action to gain visibility and control of their AI usage.”

You can see the full results on the Cato blog.

