May 16, 2026 - eBuilder signs an agreement for SOC/MDR with a TechHub. May 11, 2026 - eBuilder signs an agreement for SOC/MDR and automated pentests with a company in the publishing business. May 8, 2026 - eBuilder signs a pentest agreement with a leading petrochemical producer. April 8, 2026 - eBuilder signs an agreement for MDR/SOC with a hotel business. March 13, 2026 - eBuilder signs an agreement for SOC-operations with a Swedish municipality. March 2, 2026 - Large international steel company chooses eBuilders Complorer for cybersecurity training. March 2, 2026 - Large international steel company chooses eBuilder as supplier for Penetration testing. March 2, 2026 - A communications/branding agency chooses eBuilders Complorer for cybersecurity training. May 16, 2026 - eBuilder signs an agreement for SOC/MDR with a TechHub. May 11, 2026 - eBuilder signs an agreement for SOC/MDR and automated pentests with a company in the publishing business. May 8, 2026 - eBuilder signs a pentest agreement with a leading petrochemical producer. April 8, 2026 - eBuilder signs an agreement for MDR/SOC with a hotel business. March 13, 2026 - eBuilder signs an agreement for SOC-operations with a Swedish municipality. March 2, 2026 - Large international steel company chooses eBuilders Complorer for cybersecurity training. March 2, 2026 - Large international steel company chooses eBuilder as supplier for Penetration testing. March 2, 2026 - A communications/branding agency chooses eBuilders Complorer for cybersecurity training.
Company News
AI & Emerging Tech

Shadow AI Now Factors in One in Five Data Breaches

June 2, 2026 5 min read

One in five data breaches last year involved AI tools that companies did not know their own staff were using. That figure comes from IBM’s 2025 Cost of a Data Breach Report, produced with the Ponemon Institute, which found shadow AI, the unsanctioned use of AI at work was a factor in 20% of breaches and added an average of $670,000 to the cost of each one.

Shadow AI has now overtaken the security skills shortage to become one of the three most expensive factors in a breach. The same report found that breaches involving shadow AI were more likely to expose personal data, in 65% of cases and intellectual property, in 40%. The reason is rarely malice. An employee pastes a contract, a patient record or a block of source code into a public chatbot to save an hour and the data leaves the building for good.

What makes the number worse is how few companies can see it happening. IBM put the share of organizations with no AI governance policy at 63%. Among those that did suffer an AI-related breach, 97% had no proper access controls on the AI systems involved. IBM’s own summary is blunt, AI adoption is outpacing security and governance in favor of do-it-now deployment.

Twenty Days, Three Leaks at Samsung

The clearest illustration of the problem is three years old and still the one security teams cite. Samsung’s semiconductor division allowed staff to use ChatGPT on 11 March 2023. Within twenty days, engineers had leaked confidential data three separate times. One pasted proprietary database source code into the chatbot to debug it. A second uploaded code for detecting defects in semiconductor equipment, looking for optimization tips. A third recorded an internal meeting, converted it to text and fed the transcript to ChatGPT to write the minutes.

Bloomberg reported on 2 May 2023 that Samsung had banned generative AI tools on company devices and networks, warning that breaching the policy could mean dismissal. The concern, set out in the staff memo, was simple, data sent to these services sits on external servers, cannot reliably be deleted and might surface in another user’s results. None of the engineers acted maliciously. The information was gone regardless.

Banning the tools outright, the Samsung reflex, treats the symptom. It also pushes usage onto personal phones and home laptops where the security team has no visibility at all. The lesson of the IBM data is not that people use AI, it is that they use it where nobody can see. IBM also sells AI security tooling which is reason to treat one figure with care. The claim that heavy users of those tools save $1.9 million per breach reads partly as marketing. The numbers on how often breaches happen are harder to wave away.

The Rollout Came First, the Rules Came Later

The shadow AI problem is downstream of how companies rolled AI out in the first place. Staff were pushed to be more productive with new tools, often before anyone had written a policy on what could be typed into them. The BBC has reported on the confusion this creates inside firms where rushed adoption leaves employees unsure what is sanctioned and what is not. IBM’s figures are the security bill for that approach: the tools arrived faster than the controls around them.

Sweden’s Regulator Has Already Named Workplace AI a Priority

In Sweden, the data protection authority has moved ahead of most companies. In summer 2024 the government tasked IMY, the Integritetsskyddsmyndigheten together with Digg, the Agency for Digital Government, to produce guidance on using generative AI across public administration. IMY published its data protection section in 2025 and its position is unambiguous. GDPR applies to generative AI in full with no carve-out for convenience. For 2025 the authority named how employers handle employees’ personal data, and how healthcare bodies feed personal data into AI systems among its five supervisory priorities.

For a Swedish company, that combination matters. A regulator that has both published AI guidance and flagged workplace data handling for scrutiny is a regulator preparing to ask questions. An employee pasting customer records into a consumer chatbot is a GDPR problem before it is anything else and the company, not the employee, answers for it.

Make the Safe Tool the Easy Tool

The fix is not a memo telling people to stop. It is giving them a sanctioned alternative that does the same job without sending data to a third party then putting controls behind it. That means an approved enterprise AI tool covered by a data processing agreement with your inputs excluded from training. It means access controls and data loss prevention that block the risky upload before it happens. And it means one short, specific briefing on what never goes into a public model including source code, personal data, anything under an NDA.

The companies that handled this well did not ban AI. They made the secure tool the easy one. IBM’s finding points the same way, warning emails and written policies changed little while the technical control that blocks the upload was what actually reduced the damage.

References

  1. Cost of a Data Breach 2025
  2. Samsung Bans Generative AI Use by Staff After ChatGPT Data Leak
  3. How ‘confused’ AI rollout hurts firms and baffles staff
  4. GDPR och AI
  5. Arbetsliv, AI och barn i fokus för IMY

This post is also available in: Svenska

Related News

All Cyber News