Particle.news

Shadow AI Proliferates as Most Enterprise Use Evades Security Oversight

Regulators are pressing for transparency, pushing organizations to replace blanket bans with monitored, approved tools.

Overview

  • New research finds roughly 89% to 91% of workplace AI activity is outside IT visibility, often via silently enabled features inside approved apps such as Microsoft 365, Salesforce, Zoom, and Slack.
  • The EU AI Act has advanced enforcement that requires documentation of general‑purpose AI use, yet many companies still struggle to inventory which AI capabilities are active across their SaaS stack.
  • Security impact is already evident, with an IBM‑cited survey reporting about 20% of organizations experienced a shadow‑AI‑related incident involving exposure of personal data or intellectual property.
  • Law firms illustrate the governance gap, as only 30% have a specific AI policy despite high lawyer adoption and limited firm‑provided AI tools, heightening data‑protection and compliance risk.
  • Vendors are rolling out visibility controls such as edge‑based observability agents that detect risky prompt‑and‑data patterns, with one reporting up to an 80% drop in data‑exposure incidents after deployment.