ClareNow
Search
ClareNow
Toggle sidebar
AI → Neutral

The Worker Creating Your Biggest AI Risk Doesn't Know They're Doing It

As AI compresses the technical attack surface, the layer that can’t be patched becomes the highest-leverage target.

Forbes 3 min read 7/10
The Worker Creating Your Biggest AI Risk Doesn't Know They're Doing It
Key Takeaways
  • 68% of AI-related data breaches in 2025 involved inadvertent employee actions, per IBM Security's 2026 Data Breach Report.
  • Gartner reports 54% of enterprises allow generative AI tool use without formal training, up from 29% in 2024.
  • The AltPay fintech breach in late 2025 leaked proprietary algorithms after an engineer used a public chatbot disguised as a legitimate AI assistant.
  • 82% of employees using generative AI at work have never received formal data-classification training, according to a 2026 study by the Center for Cybersecurity Research.
  • NIST plans to release AI-specific insider threat guidelines by Q4 2026, but enforcement will be voluntary for most private-sector firms.
Most companies obsess over AI security from external hackers—but the biggest threat is already inside the building. A worker who doesn't understand how generative AI works can unwittingly expose their employer to data leaks, model poisoning, or regulatory catastrophe. The irony is brutal: the same AI tools designed to streamline operations can become the soft underbelly of cybersecurity when mishandled by unsuspecting employees.

A March 2026 survey by IBM Security found that 68% of AI-related data breaches involved inadvertent employee actions—from pasting internal data into public chatbots to connecting unauthorized third-party AI plugins. The problem is compounded by the speed of AI adoption. According to Gartner, 54% of enterprises now allow employees to use generative AI tools without formal training. That ignorance creates a layer that cannot be patched: the human layer.

The rise of large language models (LLMs) has compressed what cybersecurity experts call the "technical attack surface." Traditional vulnerabilities—buggy code, misconfigured servers—are increasingly automated away. But the layer that can't be patched—employee judgment—becomes the highest-leverage target. Attackers know this. They craft phishing emails that ask workers to upload sensitive customer data to a fake "AI analytics dashboard." Or they embed hidden prompt injections in documents that, when fed into a corporate LLM, cause it to leak trade secrets.

A notable case emerged in late 2025 when a mid-sized fintech, AltPay, lost proprietary algorithms after an engineer asked a public AI chatbot to "summarize this code, please." The chatbot was a front for a state-sponsored group. The engineer never knew they were the vector. The company, which had no AI-use policy, only discovered the breach months later during a routine audit.

"The conventional wisdom that human error is just a training problem is outdated," says Dr. James Tran, director of AI safety at the Center for Cybersecurity Research. "We're training people to use tools that change every week. The playbook for AI safety needs to start with the assumption that the worker will not know they are creating risk." His research shows that 82% of employees who use generative AI at work have never received formal instruction on data classification—which data is safe to share with an AI tool and which is not.

The outlook is stark. The U.S. National Institute of Standards and Technology (NIST) is expected to release AI-specific insider threat guidelines in late 2026, but enforcement remains voluntary. Meanwhile, attackers are already commoditizing attack kits that exploit employee ignorance. Companies that fail to inventory all AI tools in use—officially sanctioned or otherwise—and implement real-time monitoring of inputs into third-party models will face a wave of preventable breaches. The worker creating your biggest AI risk doesn't know they're doing it—and that's exactly why they're the most dangerous.

"The conventional wisdom that human error is just a training problem is outdated. We're training people to use tools that change every week."

"The playbook for AI safety needs to start with the assumption that the worker will not know they are creating risk."

Frequently Asked Questions

The biggest risk is employees unknowingly exposing sensitive data to public AI tools, using shadow AI without oversight, or falling for prompt injection attacks. Many workers don't realize that pasting customer data into a chatbot can constitute a breach.

Common actions include sharing proprietary code with public LLMs, connecting unauthorized AI plugins to corporate systems, and failing to follow data classification policies. Attackers exploit this lack of awareness through phishing and malicious documents.

Shadow AI refers to the use of artificial intelligence tools—such as ChatGPT or Copilot—by employees without official IT approval or awareness. It bypasses corporate security and compliance controls, creating blind spots for data leakage.

Companies should inventory all AI tools in use, enforce data classification policies, provide regular security training specific to generative AI, monitor inputs to third-party models, and implement technical controls like data loss prevention (DLP) for AI endpoints.

As of mid-2026, no binding federal regulation specifically addresses AI insider threats in the U.S. However, NIST is developing voluntary guidelines expected by late 2026. The EU AI Act includes some related provisions for transparency and risk management.

Original source

www.forbes.com

Read original

Discussion

Join the discussion

Sign in to post a comment or reply.

No comments yet. Be the first to share your thoughts!

Sign in
Enter your email to receive a one-time sign-in code. No password needed.
Email address