The Bottom Line: Nine out of ten office workers use unauthorized public AI tools for work-related information, bypassing established security policies.
88 percent of office employees input work-related information into public AI systems such as ChatGPT, Claude, or Gemini, according to an international survey by PagerDuty. This presents significant governance challenges for cybersecurity and data protection officers.
The current PagerDuty survey documents a massive discrepancy between security policy and actual employee behavior. 88 percent of surveyed office employees enter work-related data into public AI platforms without authorization or oversight from the IT security department.
For CISOs, this represents a significant risk: business information, customer data, code snippets, or internal documentation can end up on public AI systems, where they may be used for model training or be visible to other users. This not only violates internal security policies, but can also breach regulatory requirements (GDPR, NIS2 Directive, industry standards).
The high penetration rate indicates that both awareness and enforceable controls are insufficient. Technical measures such as DLP (Data Loss Prevention), application whitelisting, or network filtering are apparently being circumvented or are not implemented. At the same time, a security culture that would keep shadow IT from reaching this extent is lacking.
CISOs must adopt a multi-pronged approach: document the risk profile, introduce controlled AI platforms for legitimate use cases, implement technical measures against unauthorized cloud tool usage, and provide comprehensive training on data sensitivity and regulatory requirements.
Source: itwelt.at · Published June 12, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.6.5.