Employees use AI tools without IT approval, which GRC systems cannot detect and which creates new security and data protection risks.