Shadow AI: Enterprise Risk Beyond GRC Controls

The Point: Employees use AI tools without IT approval, which GRC systems cannot detect and which creates new security and data protection risks.

Security provider Optro warns in its report “Human Behavior: The AI Risk Surface GRC Can’t Ignore” of growing security threats from uncontrolled AI use in enterprises. Shadow AI systems evade established governance, risk, and compliance processes.

Shadow AI refers to the use of generative AI systems and AI-based applications by employees that are neither approved nor monitored by the organization’s IT governance or security policies. In its current report, Optro identifies a blind spot in the risk landscape of established enterprises: while GRC tools (Governance, Risk, Compliance) map traditional IT systems, cloud services, and access points, they do not capture this uncontrolled AI use.

The risk potential exists on multiple levels. Users upload business-relevant data—customer information, internal processes, financial metrics—to public AI platforms to gain faster access to analyses or text generation. This leads to potential data leaks, inadvertent disclosure of trade secrets, and violations of data protection regulations such as the GDPR. At the same time, compliance risks arise when AI models make decisions or generate recommendations in regulated industries (such as financial services, healthcare) without their functioning being documented or verified.

For CISOs and security teams, the challenge lies in making these shadow activities visible in the first place. Optro recommends a multi-layered approach: network monitoring to detect calls to AI APIs, training programs to raise awareness of the risks of AI use, and clearer policies that name approved, secure AI tools for common use cases. The report regards integrating this risk surface into existing GRC processes as necessary.


Source: itwelt.at · Published 12 June 2026
Lumi AI News — AI-assisted curation according to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.