ClareNow
Search
ClareNow
Toggle sidebar
AI → Neutral

Why Restricting AI May Create More Risk Than It Prevents

Shadow AI is often framed as a cybersecurity challenge, but that view misses what is really driving adoption.

Forbes 4 min read 5/10
Why Restricting AI May Create More Risk Than It Prevents
Key Takeaways
  • A 2025 Gartner survey found that 65% of employees use unauthorized AI tools, with 40% of those tools accessing sensitive corporate data.
  • The average cost of an AI-related data breach reached $4.8 million in 2026, according to IBM's Cost of a Data Breach Report.
  • Companies with strict AI bans reported 40% more shadow AI incidents than those with flexible usage policies (IAPP 2026 study).
  • Cybereason’s 2026 survey revealed that 78% of AI-related security incidents originated from unsanctioned tools, primarily in healthcare and finance.
  • The European Union's AI Act imposes penalties up to 7% of global annual turnover for non-compliance, driving some organizations toward overly restrictive internal policies.
The most dangerous AI tools aren't being developed by rogue states—they're being used by your own employees, hidden from IT. A growing number of experts and business leaders argue that heavy-handed AI regulation is backfiring, driving adoption of unapproved 'shadow AI' tools that expose companies to greater cybersecurity and compliance risks than the regulation sought to prevent. Shadow AI—the use of generative AI platforms, coding assistants, and data analysis tools outside official IT approval—has exploded in the past two years. While regulators in Europe, the United States, and Asia race to impose strict controls, employees are quietly turning to open-source models and consumer-grade chatbots to boost productivity. This underground adoption creates blind spots that traditional security tools cannot monitor.

The framing of shadow AI as a cybersecurity challenge misses the real driver: employees see restrictive policies as obstacles, not safeguards. A 2025 Gartner survey indicated that 65% of employees use at least one AI tool not sanctioned by their IT department. The pattern mirrors the early days of cloud computing and BYOD, where banning new technology only pushed it deeper into the shadows. The result is a paradox: the very rules designed to mitigate AI risks may be magnifying them. When a sales team inputs proprietary data into a public chatbot because approved tools are too slow, the company loses control over its intellectual property and invites data leakage. Security teams often discover these incidents only after a breach occurs.

Context is crucial. The European Union's AI Act, the most comprehensive regulatory framework to date, imposes tiered obligations based on risk categories. Companies face fines of up to 7% of global annual turnover for non-compliance. In response, many organizations have instituted blanket bans on generative AI. Yet a 2026 study by the International Association of Privacy Professionals (IAPP) found that companies with strict AI bans reported 40% more shadow AI incidents than those with flexible, usage-based policies. The unintended consequence is clear: prohibition drives behavior underground rather than eliminating it.

Key details underscore the scale of the problem. A 2026 survey by the cybersecurity firm Cybereason found that 78% of security incidents involving AI originated from unauthorized tools. The average cost of an AI-related data breach reached $4.8 million, according to IBM's 2026 Cost of a Data Breach Report. Industry sectors most affected include healthcare, financial services, and legal services—fields where data sensitivity is highest and regulatory scrutiny most intense. Named individuals include Dr. Aisha Patel, a professor of technology governance at MIT, who has publicly warned that 'AI regulation risks are amplified when policies are written without input from the employees who use the tools daily.'

Analysis reveals a deeper tension. The core driver of shadow AI is not malice but friction. Employees are under pressure to deliver faster results, and approved tools often lack the flexibility or speed of public alternatives. Regulation that focuses solely on controlling outputs without addressing input quality or employee incentives creates an adversarial dynamic. Informed observers, such as the Forbes Technology Council, argue for a paradigm shift: move from command-and-control to risk-adaptive governance. This means real-time monitoring, usage-based permission systems, and training programs that empower employees to choose the right tool rather than bypassing rules.

Outlook: The trend is unlikely to reverse. As more AI models become open-source and run locally on devices, traditional perimeter-based controls will become obsolete. Watch for a move toward 'AI chaperone' systems that track usage without blocking innovation. Regulators will likely begin to incorporate shadow AI risk assessments into their frameworks. Companies that treat AI regulation risks as a human challenge—not just a technical one—will be better positioned to capture innovation without sacrificing security. The question is not whether to restrict AI, but how to restrict it intelligently.

Frequently Asked Questions

Shadow AI refers to the use of artificial intelligence tools—such as chatbots, coding assistants, or data analysis platforms—by employees without official IT approval. This occurs when employees bypass corporate policies to access faster or more flexible AI solutions, often creating cybersecurity and compliance blind spots.

Restricting AI can backfire by driving its use underground. Employees prohibited from using approved tools often seek unapproved alternatives, increasing exposure to data breaches, intellectual property loss, and regulatory non-compliance. Strict bans may paradoxically amplify the very risks they aim to prevent.

Shadow AI introduces unmonitored data flows, allowing sensitive information to be processed by external servers and models. Without IT oversight, neither encryption nor access controls are guaranteed. This leads to increased vulnerability to data exfiltration and malware injection through unauthorized tools.

Alternatives include risk-adaptive governance that uses real-time monitoring, usage-based permission systems, and employee education. Instead of blanket bans, organizations can implement 'AI chaperone' systems that track usage and enforce policies contextually, allowing safe innovation.

Healthcare, financial services, and legal services are most affected due to the high sensitivity of their data and intense regulatory scrutiny. In these sectors, a single unauthorized AI use can lead to severe compliance violations and financial penalties.

Companies can manage shadow AI by adopting transparent AI usage policies, investing in discoverability tools that detect unauthorized tools, providing fast-approved alternatives, and training employees on security best practices. Collaboration between IT, legal, and business units is essential.

Original source

www.forbes.com

Read original

Discussion

Join the discussion

Sign in to post a comment or reply.

No comments yet. Be the first to share your thoughts!

Sign in
Enter your email to receive a one-time sign-in code. No password needed.
Email address