“The risk isn’t AI. It’s ungoverned AI.
This article is about closing the gap, not closing the door.”
Here’s a scene playing out in offices across Thailand every day. A marketing manager pastes a client brief into ChatGPT to generate copy ideas. A finance analyst uploads a spreadsheet to an AI summarizer to save an hour of work. A developer asks Copilot to review a block of code that happens to contain database credentials.
None of them are doing anything wrong – not by their own judgement. They’ve found tools that work, and they’re using them. That’s not a behavior problem. That’s a governance gap.
The message here isn’t ‘stop using AI.’ AI is genuinely transformative, and organizations that govern it well will outperform those that don’t. The message is: uncontrolled AI adoption creates real risks that a few straightforward steps can largely remove. Shadow AI is the problem we name. Intentional, governed AI adoption is the solution we deliver.
What Is Shadow AI and Why Is It Different from Shadow IT?
Shadow AI is the use of AI tools – ChatGPT, Google Gemini, Grammarly, AI-powered browser extensions, and dozens of niche tools – by employees without IT approval, policy, or oversight. It’s the faster-moving, higher-risk cousin of shadow IT.
The key difference: with shadow IT, employees might store files in an unapproved service. With shadow AI, they actively submit sensitive data to a third-party model for processing. The data doesn’t just sit somewhere – it gets ingested, potentially retained, and in some configurations, notably consumer accounts left on default settings, used to improve the model.
According to Gartner, 69% of organizations suspect or have evidence that employees are using prohibited public GenAI tools. Research by CybSafe and the National Cybersecurity Alliance found 38% of employees admit sharing confidential data with AI platforms without employer approval – across a survey of 7,000 workers. Shadow AI is not a niche risk. It is the norm.
A Nuanced Point: Microsoft Copilot Is Not the Same as Consumer ChatGPT
This is worth saying clearly, because a lot of Shadow AI commentary lumps all AI tools together. They are not the same.
Microsoft 365 Copilot operates within your Microsoft tenant. Data stays inside your organisational boundary, and Copilot inherits the tenant’s existing access permissions rather than bypassing them (which also means it surfaces whatever is already over-shared inside the tenant, a reason to tidy permissions before rollout). Microsoft commits to not using your data to train its models. There are audit logs, admin controls, and Data Loss Prevention integrations. If your organisation is already on M365 and Copilot is enabled, the risk profile is fundamentally different from an employee using a free-tier ChatGPT account with no data governance at all.
The honest framing: if your team is already on M365, the risk delta of them using consumer ChatGPT versus enterprise Copilot is significant – and the right response isn’t to ban AI, it’s to steer usage toward governed tools. That’s exactly the conversation SafeComs is set up to have with your leadership team.
The Real Risks: Where Ungoverned AI Creates Genuine Exposure
That said, the risks from ungoverned AI are real and well-documented. IBM’s 2025 Cost of a Data Breach Report found that one in five organisations (20%) had suffered a breach involving shadow AI, and that such breaches cost an average of USD 4.63 million, USD 670,000 more than breaches at organisations with little or no shadow AI. Netskope found the average company experiences 223 incidents per month of users sending sensitive data to AI applications, double the rate of the prior year.
The categories of data being submitted include client contracts, HR records, financial forecasts, source code, and board-level communications. Consumer AI tools – free-tier accounts especially – often lack enterprise data handling commitments, audit trails, or the ability to request deletion.
CrowdStrike’s 2026 Global Threat Report adds another dimension: adversaries are now actively exploiting AI systems themselves, injecting malicious prompts into GenAI tools across 90+ organizations to steal credentials and data. An ungoverned AI tool isn’t just a data leakage risk – it can be a threat vector.
Why Traditional Controls Don’t Catch It
Your firewall doesn’t block ChatGPT: the traffic is ordinary HTTPS to a reputable domain. Your DLP wasn’t designed to inspect text typed into a browser-based AI prompt, and without TLS inspection or a browser-level agent it cannot see that text at all. Your SIEM has no rule for ‘employee submitted sensitive text to an AI chatbot.’ Shadow AI is low-friction, well-intentioned, and invisible to most existing security tooling.
Netskope’s research found that 47% of people using generative AI platforms do so through personal accounts their company isn’t overseeing. There’s no alert, no ticket, no incident log. The data simply leaves – quietly, at scale, every day.
This is not a failure of your employees. It’s a signal that your AI governance framework hasn’t kept pace with how fast your people are adopting these tools. That gap is closable, and closing it doesn’t mean restricting productivity. It means redirecting it.
The PDPA Dimension: Why This Matters More in Thailand and ASEAN
For organisations operating in Thailand, Shadow AI creates a specific PDPA exposure that goes beyond general data security risk. Thailand’s Personal Data Protection Act requires organisations to control how personal data is processed and transferred, including to third parties and across borders.
When an employee submits customer records, employee data, or any personal information to a US-based AI provider without a data processing agreement, that is a cross-border transfer under PDPA Sections 28–29 and potentially a violation. Thailand’s PDPC has moved decisively into active enforcement: in August 2025, it issued THB 21.5 million in administrative fines across five cases, and has adopted an explicit ‘zero data breach’ enforcement posture.
PDPA compliance is no longer optional or theoretical. Shadow AI sits squarely in the PDPC’s enforcement crosshairs, particularly around third-party processor obligations and cross-border transfer controls. Governed AI adoption, with proper DPAs and data classification, is the compliance-ready path forward.
The Answer: Intentional, Governed AI Adoption
The organizations that will win with AI aren’t the ones that ban it – those bans never hold. They’re the ones that move fastest from accidental exposure to intentional governance. That means knowing what tools your teams use, providing better sanctioned alternatives, setting clear policy, and building the visibility to enforce it.
One healthcare system studied by Vectra AI provided approved AI tools to clinical staff and saw an 89% reduction in unauthorized usage alongside 32 minutes of daily time savings per person. Governance didn’t kill productivity. It protected it while improving it.
This is exactly where SafeComs adds value. Our AI services practice helps organizations assess their current AI exposure, design a governed AI adoption framework, implement enterprise-grade tools (including M365 Copilot and agentic AI workflows), and ensure PDPA-compliant data handling throughout. Shadow AI is the problem we name. Governed AI is the solution we deliver.
5 Steps to Move from Shadow AI to Governed AI Adoption
- Map your current AI usage – survey teams, review network logs, and identify every AI tool in use. Most organizations discover 15–30 unapproved tools. You can’t govern what you can’t see.
- Provide better sanctioned alternatives – if people use consumer ChatGPT, give them Microsoft 365 Copilot or an enterprise AI gateway with data protection built in. Meet the productivity need safely.
- Publish a clear AI acceptable use policy – define approved tools, prohibited data types, and reporting expectations. Even a one-page policy changes behavior more than most technical controls.
- Deploy visibility and DLP for AI channels – browser-level security extensions and next-gen DLP tools can detect AI tool usage and flag sensitive submissions in real time (the browser is the control point, because that is where the prompt exists in clear text), giving IT the oversight that firewalls miss.
- Build PDPA-compliant AI workflows – ensure any AI tool processing personal data has a data processing agreement, a lawful basis, and proper cross-border transfer safeguards under PDPA Sections 28–29.
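As an added example of what steps 1 and 4 look like in practice (this is illustrative code written for this article, not SafeComs’ tooling and not from any product named above), the script below inventories GenAI traffic from constructed proxy log lines and flags sensitive content in constructed prompt text: hard-coded credentials, private keys, e-mail addresses and Thai national ID numbers, the last validated with the ID’s check digit so that an arbitrary 13-digit invoice reference is not a false positive. The domain list, the sanctioned host m365.cloud.microsoft, the log format and every log line and prompt are assumptions made for illustration.

```python
"""Added example: map GenAI usage from proxy logs and flag sensitive prompt text.

Not SafeComs' tooling and not from the original article. Domain lists, log
format, log lines and prompts are all constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Assumed: public GenAI endpoints to inventory. Extend with your own CASB/proxy data.
GENAI_DOMAINS = {
    "chatgpt.com": "ChatGPT",
    "chat.openai.com": "ChatGPT",
    "gemini.google.com": "Gemini",
    "claude.ai": "Claude",
    "copilot.microsoft.com": "Copilot (consumer)",
}
# Assumed: hosts of the organisation's sanctioned, tenant-bound tools (M365 Copilot).
SANCTIONED_HOSTS = {"m365.cloud.microsoft"}

# Constructed proxy log, one "<timestamp> <user> <url>" record per line.
PROXY_LOG = """\
2025-11-03T09:12:44Z alice.m https://chatgpt.com/backend-api/conversation
2025-11-03T09:13:10Z bob.k https://gemini.google.com/app
2025-11-03T09:15:02Z alice.m https://chatgpt.com/backend-api/conversation
2025-11-03T09:20:31Z carol.p https://m365.cloud.microsoft/chat/
2025-11-03T09:22:07Z dave.r https://claude.ai/chat/abc
2025-11-03T09:25:55Z alice.m https://www.example.com/news
"""


def _genai_tool(host):
    """Return the tool name for a host (exact or subdomain match), else None."""
    for domain, tool in GENAI_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return tool
    return None


def inventory_ai_usage(log_text):
    """Step 1: which users are talking to which unsanctioned GenAI service."""
    usage = {}
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue  # malformed record: skip it rather than abort the sweep
        _ts, user, url = parts
        host = (urlparse(url).hostname or "").lower()
        if host in SANCTIONED_HOSTS:
            continue  # governed tool inside the tenant: not shadow AI
        tool = _genai_tool(host)
        if tool:
            usage.setdefault(tool, set()).add(user)
    return usage


def thai_id_valid(digits):
    """Thai national ID check digit: weights 13..2 over the first 12 digits."""
    if len(digits) != 13 or not digits.isdigit():
        return False
    total = sum(int(d) * (13 - i) for i, d in enumerate(digits[:12]))
    return (11 - total % 11) % 10 == int(digits[12])


# Step 4: patterns a prompt-level DLP check applies before text leaves the browser.
PATTERNS = {
    "credential": re.compile(
        r"\b(password|passwd|pwd|secret|api[_-]?key)\s*[=:]\s*\S+", re.IGNORECASE),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # 13 digits, optionally grouped 1-4-5-2-1 with dashes or spaces.
    "thai_id": re.compile(r"(?<!\d)\d[- ]?\d{4}[- ]?\d{5}[- ]?\d{2}[- ]?\d(?!\d)"),
}


def classify_prompt(text):
    """Return the sorted list of sensitive-data categories found in a prompt."""
    found = set()
    for label, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if label == "thai_id" and not thai_id_valid(re.sub(r"\D", "", m.group())):
                continue  # 13 digits with a bad check digit: not an ID, no alert
            found.add(label)
    return sorted(found)


# Constructed prompts mirroring the scenarios in the article.
PROMPTS = {
    "marketing": "Write three taglines for our Q4 campaign targeting SMEs in Bangkok.",
    "dev": "Review this: conn = connect(host='db1', user='app', password=Sup3rS3cret!)",
    "hr": "Summarise: employee 1-1017-00030-09-1, somchai@example.co.th, salary review",
    "finance": "Invoice ref 1234567890123 - is this format right?",
}

if __name__ == "__main__":
    for tool, users in sorted(inventory_ai_usage(PROXY_LOG).items()):
        print(f"{tool}: {sorted(users)}")
    for name, text in PROMPTS.items():
        print(f"{name}: {classify_prompt(text) or 'clean'}")
```

Two design points worth noting. Proxy or DNS logs only reveal hostnames, so the inventory can tell you that alice.m uses ChatGPT but not whether through a personal or an enterprise account, nor what she pasted; that is why the second half runs where the prompt exists in clear text. And the check-digit validation is what keeps a PDPA-motivated rule from paging the SOC on every 13-digit invoice number.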
If your organization is using AI – and it almost certainly is, whether IT knows about it or not – the question isn’t whether to govern it. It’s how fast you can get there. SafeComs offers a free AI Governance Assessment: a structured review of your current AI tool exposure, data classification gaps, and PDPA risk posture, with a clear roadmap to governed adoption. No scare tactics. No blanket AI bans. Just a practical path to using AI well. Contact us at safecoms.com to get started.
Read More Articles: http://safecoms.com/blog/
Sources & References
All statistics, threat intelligence findings, and regulatory data cited in this article are sourced from the references below; where a figure was taken from a secondary report of the original study, the entry says so.
[1] CrowdStrike, 2026 Global Threat Report. Cited for: 89% YoY increase in AI-enabled adversary activity; GenAI tools exploited at 90+ organisations via prompt injection; average breakout time 29 min. https://www.crowdstrike.com/en-us/global-threat-report/
[2] CrowdStrike, press release “CrowdStrike Establishes the Endpoint as the Epicenter for AI Security” (RSA 2026). Cited for: shadow AI discovery and governance as a formal security capability; agentic AI risk from endpoints. https://www.crowdstrike.com/en-us/press-releases/crowdstrike-establishes-the-endpoint-as-the-epicenter-for-ai-security/
[3] CybSafe and National Cybersecurity Alliance (NCA), 2024 survey, reported via Cloud Security Alliance. Cited for: 38% of employees (n = 7,000) share confidential data with AI platforms without employer approval. https://cloudsecurityalliance.org/blog/2025/03/04/ai-gone-wild-why-shadow-ai-is-your-it-team-s-worst-nightmare
[4] IBM Security, Cost of a Data Breach Report 2025, reported via Olakai. Cited for: 20% of organisations reporting a breach involving shadow AI; average cost USD 4.63M versus USD 3.96M, a USD 670K premium per incident. https://olakai.ai/blog/shadow-ai-risk/
[5] Netskope, cloud security report covering Oct 2024 to Oct 2025, reported via Cybersecurity Dive. Cited for: 47% of GenAI users access via personal or unmanaged accounts; 223 sensitive-data incidents per month on average, double YoY. https://www.cybersecuritydive.com/news/shadow-ai-security-risks-netskope/808860/
[6] Gartner, 2025 survey of cybersecurity leaders, reported via Olakai. Cited for: 69% of organisations suspect or have evidence that employees use prohibited public GenAI tools. https://olakai.ai/blog/shadow-ai-risk/
[7] Vectra AI, “Shadow AI Explained”. Cited for: 98% of organisations report unsanctioned AI use; healthcare case study with an 89% reduction in unauthorised AI use after approved tools were provided. https://www.vectra.ai/topics/shadow-ai
[8] Concentric AI, “ChatGPT Security Risks in 2026: A Guide to Risks Your Team Might Be Missing”. Cited for: consumer ChatGPT versus enterprise Copilot risk comparison; prompt-based data leakage mechanics. https://concentric.ai/chatgpt-security-risks-in-2026-a-guide-to-risks-your-team-might-be-missing/
[9] Tilleke & Gibbins, “More Than a Warning: Eight Serious Fines Imposed in Thai Data Protection Cases” (Thailand PDPC, August 2025). Cited for: THB 21.5 million in fines across five cases; shift from awareness to active PDPC enforcement. https://www.tilleke.com/insights/more-than-a-warning-eight-serious-fines-imposed-in-thai-data-protection-cases/
[10] DLA Piper Privacy Matters, “Thailand PDPA Crackdown 2025: Are You Next? Major Fines and Lessons from Thailand’s Latest Enforcement”. Cited for: PDPC ‘zero data breach’ enforcement posture; cross-border transfers require a DPA or adequate safeguards. https://privacymatters.dlapiper.com/2025/09/thailand-pdpa-crackdown-2025-are-you-next-major-fines-and-lessons-from-thailands-latest-enforcement/
[11] Cookie Information, “What Is the Thailand PDPA?”. Cited for: Sections 28–29 govern cross-border transfers of AI-bound personal data; no adequacy list published as of 2025; August 2025 fines totalled THB 21.5M. https://cookieinformation.com/blog/what-is-the-thailand-pdpa/
[12] Chambers and Partners, Data Protection & Privacy 2026: Thailand, Trends and Developments. Cited for: 2025 enforcement turning PDPA compliance into enterprise risk management; PDPC penalising missing DPOs and vendor oversight failures. https://practiceguides.chambers.com/practice-guides/data-protection-privacy-2026/thailand/trends-and-developments
SafeComs Network Security Consulting Co., Ltd.